"Limited exploitation has been observed targeting Palo Alto Networks User-ID™ Authentication Portals that are exposed to untrusted IP addresses and/or the public internet," Palo Alto Networks said in a Wednesday advisory — a short sentence that points to a long-standing operational risk for organizations running Internet-facing PAN-OS appliances.
CVE-2026-0300 and the User-ID Authentication Portal
The vulnerability is tracked as CVE-2026-0300 and affects the PAN-OS User-ID Authentication Portal, also known as the Captive Portal. Palo Alto Networks says the flaw is a buffer overflow that permits unauthenticated attackers to execute arbitrary code with root privileges on Internet-exposed PA-Series and VM-Series firewalls. The exploit is delivered via specially crafted packets sent to the vulnerable service.
How many devices are exposed — Shadowserver's count
Internet threat watchdog Shadowserver is tracking more than 5,800 PAN-OS VM-Series firewalls exposed online. The bulk of those devices are located in Asia (2,466) and North America (1,998), according to the advisory. Palo Alto Networks also notes that its products and services are used by more than 70,000 customers worldwide, "including 90% of Fortune 10 companies and most of the largest U.S. banks," underlining the potential reach of an effective exploit.
Palo Alto Networks' immediate guidance to administrators
Palo Alto Networks has flagged CVE-2026-0300 as the highest possible severity and is still working to address the zero-day. In the meantime the company "strongly" recommends that customers secure the User-ID Authentication Portal by restricting access to trusted zones only or disabling the portal if that is not possible. Administrators can quickly check whether their firewalls are configured to use the vulnerable service by visiting the User-ID Authentication Portal Settings page under Device > User Identification > Authentication Portal Settings and reviewing the Enable Authentication Portal option.
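As an added illustration (not part of the advisory and not Palo Alto Networks tooling), the same Enable Authentication Portal check can be run offline across many exported configurations at once. The XML element names `captive-portal` and `enable-captive-portal`, the device names and the sample exports are assumptions constructed for this example; confirm the element names against an export from your own firewall.

```python
import xml.etree.ElementTree as ET

# ASSUMPTION: element names follow the usual layout of an exported PAN-OS
# configuration file; verify them against an export from your own device.
PORTAL_PATH = "captive-portal/enable-captive-portal"

# Constructed sample exports (hypothetical devices, not real configurations).
SAMPLE_EXPORTS = {
    "fw-edge-01": """<config><devices><entry name="localhost.localdomain"><vsys>
      <entry name="vsys1"><captive-portal>
        <enable-captive-portal>yes</enable-captive-portal></captive-portal></entry>
      <entry name="vsys2"><captive-portal>
        <enable-captive-portal>no</enable-captive-portal></captive-portal></entry>
    </vsys></entry></devices></config>""",
    "fw-core-02": """<config><devices><entry name="localhost.localdomain"><vsys>
      <entry name="vsys1"/></vsys></entry></devices></config>""",
    "fw-lab-03": "<config><devices><entry",  # truncated export
}

def portal_state(xml_text):
    """Map each vsys in one export to 'enabled', 'disabled' or 'unset'."""
    root = ET.fromstring(xml_text)  # raises ET.ParseError on a damaged export
    states = {}
    for vsys in root.iterfind(".//vsys/entry"):
        value = vsys.findtext(PORTAL_PATH)
        if value is None:
            states[vsys.get("name")] = "unset"  # no explicit setting: check the GUI
        else:
            states[vsys.get("name")] = "enabled" if value.strip() == "yes" else "disabled"
    return states

def audit(exports):
    """Return (device, vsys, state) tuples, portal-enabled entries first."""
    findings = []
    for device, xml_text in exports.items():
        try:
            states = portal_state(xml_text)
        except ET.ParseError:
            findings.append((device, "-", "unreadable"))  # needs a manual check
            continue
        findings.extend((device, vsys, state) for vsys, state in states.items())
    order = {"enabled": 0, "unreadable": 1, "unset": 2, "disabled": 3}
    return sorted(findings, key=lambda f: (order[f[2]], f[0], f[1]))

if __name__ == "__main__":
    for device, vsys, state in audit(SAMPLE_EXPORTS):
        print(f"{device:12} {vsys:6} {state}")
```

Entries reported as `unreadable` or `unset` are not cleared by this script and still need the settings page reviewed by hand.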
Recent history: PAN-OS firewalls have been targeted repeatedly
The advisory places this zero-day in an ongoing pattern of attacks against PAN-OS firewalls. In November 2024, Shadowserver revealed that thousands of firewalls had been compromised in attacks that chained two PAN-OS firewall zero-days, even though Palo Alto Networks said the attacks impacted only "a very small number." One month later, in December 2024, Palo Alto Networks warned that hackers were exploiting another PAN-OS denial-of-service flaw to force PA-Series, VM-Series, and CN-Series firewalls to reboot and disable protections. Then, in February, attackers moved on to abusing three other PAN-OS flaws to compromise Palo Alto Networks firewalls with internet-facing management interfaces. This advisory notes that PAN-OS firewalls have "frequently been targeted in attacks, often exploiting zero-day security vulnerabilities."
What this means for technologists, affected enterprises, and adversaries
Technologists and security teams: The immediate, actionable step is to audit the Authentication Portal setting and either restrict access to trusted internal networks or disable the portal until a vendor patch is available. The advisory explicitly points to the Device > User Identification > Authentication Portal Settings page as the place to verify configuration.
Affected enterprises and procurement leaders: Organizations among Palo Alto Networks' more than 70,000 customers — including the majority of the Fortune 10 and many of the largest U.S. banks, per the company — should treat exposure counts from Shadowserver (over 5,800 VM-Series devices visible online) as a prompt to inventory Internet-facing PAN-OS instances and prioritize remediation for those using the Captive Portal.
Adversaries and threat actors: Palo Alto Networks reports only "limited exploitation" so far, but the company’s advisory and the recent string of prior exploit chains signal that Internet-exposed PAN-OS services remain attractive targets for attackers seeking to gain root code execution on firewall appliances.
For now, the record is straightforward: a remote, unauthenticated buffer overflow in a widely used PAN-OS feature permits root code execution (CVE-2026-0300); more than 5,800 VM-Series appliances are known to be Internet-exposed; Palo Alto Networks has labeled the bug highest severity and is urging administrators to restrict or disable the Authentication Portal while a patch is developed. The next concrete signal to watch for is the vendor’s patch and accompanying verification guidance — and whether the number of Internet-exposed portals that remain enabled drops in response to the advisory.




