Palo Alto Networks Flaw Exploited for Remote Code Execution

"A buffer overflow vulnerability in the User-ID Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets," Palo Alto Networks warned.

CVE-2026-0300: unauthenticated remote code execution against the User-ID Authentication Portal

The vulnerability is tracked as CVE-2026-0300 and has been publicly disclosed by Palo Alto Networks as a buffer overflow in the User-ID Authentication Portal (also called the Captive Portal) service in PAN-OS. The company describes the flaw as allowing an unauthenticated attacker to execute arbitrary code with root privileges on affected PA-Series and VM-Series firewalls by sending specially crafted packets.

Versions impacted

Palo Alto Networks lists the specific PAN-OS versions affected. The vulnerability impacts installations that run the User-ID Authentication Portal and fall into these version ranges:

  • PAN-OS 12.1 - < 12.1.4-h5, < 12.1.7
  • PAN-OS 11.2 - < 11.2.4-h17, < 11.2.7-h13, < 11.2.10-h6, < 11.2.12
  • PAN-OS 11.1 - < 11.1.4-h33, < 11.1.6-h32, < 11.1.7-h6, < 11.1.10-h25, < 11.1.13-h5, < 11.1.15
  • PAN-OS 10.2 - < 10.2.7-h34, < 10.2.10-h36, < 10.2.13-h21, < 10.2.16-h7, < 10.2.18-h6

Palo Alto Networks also emphasized the functional scope: the vulnerability is applicable only to PA-Series and VM-Series firewalls that are configured to use the User-ID Authentication Portal.

Severity, exploitability, and observed activity

The company assigns a high severity to the flaw. Where the User-ID Authentication Portal is configured to permit access from the internet or any untrusted network, the vulnerability carries a CVSS score of 9.3. If access to the portal is restricted to trusted internal IP addresses, the severity falls to a CVSS score of 8.7.

Palo Alto Networks reported that the vulnerability has been subject to "limited exploitation," noting that the observed activity specifically targets instances where the User-ID Authentication Portal has been left publicly accessible.

Vendor advisories, timing, and interim mitigations

The issue remains unpatched at the time of the advisory. Palo Alto Networks said it plans to release fixes starting May 13, 2026. Until patches are available, the company recommended immediate mitigations: either restrict User-ID Authentication Portal access to trusted zones only, or disable the portal entirely if it is not required.

As the vendor framed it, "Customers following standard security best practices, such as restricting sensitive portals to trusted internal networks are at a greatly reduced risk."

What this means for PA-Series and VM-Series firewall administrators

Administrators of PA-Series and VM-Series devices that run the User-ID Authentication Portal face a narrow but urgent task: confirm whether the portal is enabled and whether it is reachable from untrusted networks. If the portal is publicly accessible, the advisory indicates exploitation has already been observed and the risk is materially higher; administrators should either restrict access to trusted internal IP ranges or disable the portal until the vendor’s fixes are applied.

The timeline is concrete: patches are scheduled to begin rolling out on May 13, 2026. Between now and that date, the choices are operational: limit exposure through network controls or turn off the portal functionality, and monitor for signs of compromise.

For readers who need the original advisory and full version list, see the source linked below.

Original advisory and reporting at The Hacker News