TT-CSIRT – 456.08.05.26 – CYBERSECURITY ADVISORY: Critical Palo Alto Networks PAN-OS Vulnerability (CVE-2026-0300)

CVE-2026-0300 is a critical buffer overflow vulnerability affecting the User-ID™ Authentication Portal (also known as the Captive Portal) service in PAN-OS. Successful exploitation may allow an unauthenticated remote attacker to execute arbitrary code with root privileges on affected PA-Series and VM-Series firewalls through specially crafted packets. Palo Alto Networks has confirmed that this vulnerability is being actively exploited in the wild.

Severity: Critical
CVSS Score: 9.3
Affected Product: Palo Alto Networks PAN-OS

Impact

Remote Code Execution (RCE): The vulnerability may allow unauthenticated attackers to execute arbitrary code with root privileges on affected PAN-OS devices.

Affected Services: The vulnerability impacts systems configured to use the User-ID™ Authentication Portal (Captive Portal).

Internet Exposure Risk: Systems with Authentication Portal services exposed to the internet or untrusted networks are at significantly higher risk of compromise.

Technical Details

Affected PAN-OS versions include:
• PAN-OS 10.2 versions earlier than 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7 and 10.2.18-h6
• PAN-OS 11.1 versions earlier than 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5 and 11.1.15
• PAN-OS 11.2 versions earlier than 11.2.4-h17, 11.2.7-h13, 11.2.10-h6 and 11.2.12
• PAN-OS 12.1 versions earlier than 12.1.4-h5 and 12.1.7
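The list above is awkward to apply by hand across a fleet because each release train carries several fixed maintenance releases, each with its own hotfix threshold. The following Python script is an added example written for this advisory, not code from TT-CSIRT or Palo Alto Networks. It encodes the fixed versions exactly as listed above and classifies inventory entries. It assumes the usual vendor convention that a maintenance release newer than the last fixed one in its train (for example 10.2.19) is also fixed, and that a version with no "-hN" suffix is hotfix 0; the hostnames and versions in the sample inventory are constructed for illustration.

```python
import re
from typing import Optional

# Fixed releases copied from the advisory text. A device is affected when its
# version is "earlier than" one of these within the same release train.
FIXED_VERSIONS = [
    "10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6",
    "11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15",
    "11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12",
    "12.1.4-h5", "12.1.7",
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(s: str) -> tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR.MAINT[-hN]' into a comparable tuple.
    A release without a hotfix suffix is treated as hotfix 0 (assumption)."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {s!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def fixed_in_train(major: int, minor: int) -> list[tuple[int, int, int, int]]:
    """All fixed releases for one MAJOR.MINOR train, oldest first."""
    return sorted(v for v in map(parse_version, FIXED_VERSIONS) if v[:2] == (major, minor))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version is listed as affected, False if it is at or above a
    fixed release, None if the advisory does not cover that release train.

    Assumption (not stated in the advisory): a maintenance release newer than
    the last fixed one in its train is treated as fixed, matching the vendor's
    usual 'and all later PAN-OS versions' wording."""
    v = parse_version(version)
    fixes = fixed_in_train(v[0], v[1])
    if not fixes:
        return None
    for f in fixes:
        if v[2] == f[2]:
            # Same maintenance release: only the hotfix number decides.
            return v[3] < f[3]
    # No fixed release with this exact maintenance number: vulnerable if older
    # than the newest fixed release in the train, otherwise assumed fixed.
    return v[2] < fixes[-1][2]


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by status: 'vulnerable', 'fixed' or 'not_covered'."""
    buckets: dict[str, list[str]] = {"vulnerable": [], "fixed": [], "not_covered": []}
    for host, ver in inventory.items():
        status = is_vulnerable(ver)
        key = "not_covered" if status is None else ("vulnerable" if status else "fixed")
        buckets[key].append(host)
    return buckets


# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "fw-edge-01": "10.2.7-h33",   # one hotfix short of 10.2.7-h34
    "fw-edge-02": "10.2.10-h36",  # exactly the fixed hotfix
    "fw-dc-01": "11.1.8",         # no fix in 11.1.8 itself; older than 11.1.15
    "fw-dc-02": "11.1.15",        # fixed release with no hotfix suffix
    "fw-lab-01": "12.1.7-h1",     # later than 12.1.7
    "fw-old-01": "10.1.14-h3",    # train not listed in the advisory
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Versions in a train the advisory does not list (10.1 in the sample) are reported as not covered rather than silently marked safe; confirm their status against the vendor's own advisory rather than assuming.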

The vulnerable service is reachable only on firewalls configured with:
• User-ID Authentication Portal (Captive Portal) enabled
The risk is greatest where that portal is exposed to the internet or other untrusted networks, which is typical of internet-facing firewall deployments. Firewalls with the Authentication Portal disabled do not expose the affected service, but should still be upgraded to a fixed release.

Indicators of Potential Compromise

Organizations should monitor for:
• Unexpected administrative account activity
• Suspicious outbound connections from firewall appliances
• Unknown scheduled tasks or processes
• Unauthorized configuration modifications
• Unusual authentication portal activity
• Unknown files or scripts present on the firewall appliance

Recommended Actions

TT-CSIRT strongly recommends that organizations:
• Immediately restrict Authentication Portal access to trusted internal IP addresses only
• Disable the Authentication Portal if not operationally required
• Upgrade to one of the fixed PAN-OS releases listed under Technical Details (or a later release in the same train), and apply further vendor-issued hotfixes as they are published
• Update Threat Prevention signatures and security content
• Conduct urgent reviews of internet-facing PAN-OS deployments
• Review logs and indicators of compromise (IOCs) for suspicious activity
• Implement network segmentation and least privilege access controls

What To Do If Compromised

Organizations suspecting compromise should immediately:
• Disconnect affected devices from the network where operationally feasible
• Apply the latest vendor-issued security updates and hotfixes; note that patching closes the entry point but does not remove anything an attacker has already placed on the device, so treat it as untrusted until it has been rebuilt or verified clean
• Reset administrative credentials and rotate passwords, API keys and any other secrets held on the appliance, such as VPN pre-shared keys and the private keys of certificates installed on the firewall
• Review firewall and authentication logs for suspicious activity
• Conduct threat hunting activities for lateral movement across connected systems
• Isolate potentially affected endpoints and servers
• Restore systems from verified clean backups where necessary
• Preserve forensic evidence, including logs, configuration exports and memory captures, before rebooting, rebuilding or restoring the device
• Engage incident response personnel and notify relevant stakeholders