Code Defence Cyber security

Critical Palo Alto Networks PAN-OS zero-day RCE exploited in the wild

A critical buffer overflow vulnerability in the User-ID Authentication Portal of PAN-OS is being actively exploited by a likely state-sponsored threat actor. This zero-day allows unauthenticated remote attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls.

Tracked as CVE-2026-0300, the flaw carries a CVSS score of 9.3 for internet-exposed deployments. Attackers can trigger the vulnerability by sending specially crafted network packets to the portal service. While official patches are scheduled for rollout starting May 13, 2026, Palo Alto Networks has confirmed limited exploitation attempts dating back to early April.

The exposure of the User-ID Authentication Portal to untrusted IP addresses represents a severe risk to perimeter integrity. Successful exploitation grants persistent root-level access to the firewall, enabling the attacker to intercept traffic, dismantle security policies, and pivot into the secure internal network.

– Immediately restrict access to the User-ID Authentication Portal to trusted internal IP ranges or disable the service if it is not required.

– Monitor for anomalous inbound traffic on TCP ports 6081 and 6082, the ports the affected portal listens on, particularly connections originating from untrusted or external IP addresses.

– Conduct a forensic audit of PAN-OS logs for unauthorized administrative activity or unexpected system-level changes.

– Apply the official security updates immediately upon their release starting May 13.
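The monitoring step above, as an added example that is not part of the original advisory: a small Python check that scans connection records for traffic to the portal ports 6081 and 6082 from sources outside a trusted allow-list. The log format and the trusted ranges are assumptions for this example; the flow lines are constructed, not real PAN-OS logs.

```python
import ipaddress
from typing import Dict, List, Optional

# Ports used by the User-ID Authentication Portal, as named in the advisory.
PORTAL_PORTS = {6081, 6082}

# Trusted internal ranges: an assumption for this example. Replace with the
# ranges that are actually permitted to reach the portal.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample flow records (not real PAN-OS output), one per line:
# "<timestamp> <src_ip> <dst_ip> <dst_port>"
SAMPLE_FLOWS = """\
2026-04-02T10:15:01Z 10.1.4.22 10.1.0.1 6081
2026-04-02T10:15:07Z 203.0.113.45 198.51.100.10 6082
2026-04-02T10:15:09Z 192.168.3.9 10.1.0.1 443
2026-04-02T10:16:30Z 198.51.100.77 198.51.100.10 6081
malformed line that the parser must skip
"""

def is_trusted(ip: str) -> bool:
    """True if the address falls inside one of the trusted internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def parse_flow(line: str) -> Optional[Dict]:
    """Parse one flow line; return None for malformed records instead of raising."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, src, dst, port = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return {"ts": ts, "src": src, "dst": dst, "port": int(port)}
    except ValueError:
        return None

def find_untrusted_portal_access(text: str) -> List[Dict]:
    """Return every flow that reaches a portal port from a non-trusted source."""
    hits = []
    for line in text.splitlines():
        rec = parse_flow(line)
        if rec and rec["port"] in PORTAL_PORTS and not is_trusted(rec["src"]):
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for h in find_untrusted_portal_access(SAMPLE_FLOWS):
        print(f"ALERT {h['ts']} {h['src']} -> {h['dst']}:{h['port']} untrusted source to portal port")
```

Any hit is a policy violation on its own (the portal should not be reachable from those sources at all), so it is worth alerting on regardless of whether the traffic turns out to be exploitation.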

When the perimeter security appliance itself is vulnerable to unauthenticated root-level RCE, the entire organizational trust model is bypassed. #CodeDefence #PaloAltoNetworks #ZeroDay #RCE #PANOS