
CVE-2026-0300 (Pending) – Palo Alto PAN‑OS Unauthenticated Buffer Overflow in User‑ID™ Authentication Portal (Actively Exploited) 


Classification: Unrestricted Distribution  

Report Generated: 2026-05-06 10:00 UTC  

Source(s): Palo Alto Networks Security Advisory (CVE‑2026‑0300-Pending)   

  

Threat Alert 

[!CAUTION] A critical unauthenticated buffer overflow in the PAN‑OS User‑ID™ Authentication Portal (CVE‑2026‑0300) is being actively exploited. The flaw allows remote attackers to execute arbitrary code with root privileges, effectively taking full control of PA‑Series and VM‑Series firewalls. 

Executive Summary 

  • Vulnerability: Unauthenticated, remotely triggered buffer overflow (CWE‑787; attack pattern CAPEC‑100) in the User‑ID™ Authentication Portal. 
  • Impact: Remote code execution with root privileges, leading to full firewall compromise, policy bypass and data exfiltration. 
  • Exploit Maturity: ACTIVE ATTACK – limited but confirmed exploitation observed in the wild; attackers are scanning for reachable portals and delivering the overflow payload. 
  • Exposure: Internet‑reachable PA‑Series and VM‑Series firewalls (the Shadowserver telemetry cited below counts more than 5,800 exposed devices). Only devices with the portal enabled and an Interface Management Profile that exposes Response Pages on an untrusted interface are vulnerable. 
  • Mitigation: Restrict the portal to trusted zones or disable it; vendor patches are expected between May 13 and May 28, 2026 (see the version table below). 
  • Likelihood of wider abuse: High; the exploit requires only network access to the portal and no credentials. 
  • Public exploit: None released at the time of writing, but a proof‑of‑concept is expected to appear soon given the public disclosure. 

Vulnerability Details 

Field Value 
CVE ID CVE‑2026‑0300 (pending publication) 
Vendor Palo Alto Networks 
Product PAN‑OS User‑ID™ Authentication Portal (formerly Captive Portal) – PA‑Series, VM‑Series firewalls 
Published 2026‑05‑05 
Last Modified 2026‑05‑06 
Severity CRITICAL 
CVSS v4.0 Base Score 9.3 (not yet approved/published). Vector as listed, including threat and supplemental metrics: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:A/AU:Y/R:U/V:C/RE:M/U:Red 
Exploit Maturity ATTACKED 
CWE(s) CWE‑787 (Out‑of‑bounds Write) – primary; CWE‑121 (Stack‑based Buffer Overflow) – the specific variant; CWE‑20 (Improper Input Validation) – contributing. Attack pattern: CAPEC‑100 (Overflow Buffers). Also listed as related: CWE‑1390 (Weak Authentication) and CWE‑35 (Path Traversal); the root cause described below involves neither. 
   

Affected Systems & Versions 

Platform Affected Models (when portal enabled) 
PA‑Series PA‑500, PA‑800, PA‑3000, PA‑5200, etc. 
VM‑Series All virtual firewalls running a vulnerable PAN‑OS release (see the version table below) that have the portal enabled and are reachable from untrusted networks. 
CN‑Series (containerized) CN‑2500, CN‑5000 (when portal is active). 

PAN‑OS versions vulnerable (pre‑patch): 

PAN‑OS Version Range Status Patch ETA 
12.1 < 12.1.4‑h5 Vulnerable May 13 2026 
12.1 < 12.1.7 Vulnerable May 28 2026 
11.2 < 11.2.4‑h17 Vulnerable May 28 2026 
11.2 < 11.2.7‑h13 Vulnerable May 13 2026 
11.2 < 11.2.10‑h6 Vulnerable May 13 2026 
11.2 < 11.2.12 Vulnerable May 28 2026 
11.1 < 11.1.4‑h33 Vulnerable May 13 2026 
… (full table continues – see advisory) 

Note: Prisma Access, Cloud NGFW, and Panorama appliances are not affected. 

Required Configuration for Exposure 

The vulnerability is exploitable only when both conditions are true: 

  1. User‑ID™ Authentication Portal enabled (Device → User Identification → Authentication Portal Settings → Enable Authentication Portal). 
  2. An Interface Management Profile with Response Pages enabled is attached to an external/Internet‑facing interface. 

If either condition is not met, the portal listener is not reachable from that interface and the flaw cannot be triggered there. 

Workarounds & Mitigations 

  1. Restrict portal access to trusted zones only – create security policy rules that allow traffic to the portal solely from internal networks or VPN zones. 
  2. Disable Response Pages in the Interface Management Profile attached to any untrusted (Internet‑facing) interface. 
  3. Disable the Authentication Portal entirely if it is not required (Enable Authentication Portal → Disabled). 
  4. Threat Prevention – enable Threat ID 510019 (Applications and Threats content version 9097‑10022) to block known exploit traffic (requires PAN‑OS 11.1+). Treat this as a compensating control, not a substitute for the patch. 
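The following Python script is an added example (not from the original report or from Palo Alto Networks) that checks an exported PAN‑OS running configuration for both exposure conditions at once, so that the mitigations above can be verified rather than assumed. The XML element names it looks for (enable‑captive‑portal, interface‑management‑profile/response‑pages, zone membership under network/layer3/member), the sample configuration and the UNTRUSTED_ZONES set are assumptions modelled on the PAN‑OS configuration layout; confirm them against the output of `show config running` on your own firewall before relying on the result.

```python
"""Check an exported PAN-OS running configuration for the two conditions that
make the User-ID Authentication Portal reachable from an untrusted interface.
Added example: element names and the sample config are assumptions, not
vendor-documented schema."""
import xml.etree.ElementTree as ET

# Constructed sample configuration (assumption: modelled on the PAN-OS XML layout).
SAMPLE_CONFIG = """
<config>
  <devices><entry name="localhost.localdomain">
    <network>
      <profiles>
        <interface-management-profile>
          <entry name="mgmt-internal"><response-pages>yes</response-pages><ping>yes</ping></entry>
          <entry name="mgmt-untrust"><response-pages>yes</response-pages></entry>
          <entry name="mgmt-untrust-hardened"><response-pages>no</response-pages></entry>
        </interface-management-profile>
      </profiles>
      <interface><ethernet>
        <entry name="ethernet1/1"><layer3><interface-management-profile>mgmt-untrust</interface-management-profile></layer3></entry>
        <entry name="ethernet1/2"><layer3><interface-management-profile>mgmt-internal</interface-management-profile></layer3></entry>
        <entry name="ethernet1/3"><layer3><interface-management-profile>mgmt-untrust-hardened</interface-management-profile></layer3></entry>
      </ethernet></interface>
    </network>
    <vsys><entry name="vsys1">
      <captive-portal><enable-captive-portal>yes</enable-captive-portal></captive-portal>
      <zone>
        <entry name="untrust"><network><layer3><member>ethernet1/1</member><member>ethernet1/3</member></layer3></network></entry>
        <entry name="trust"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
      </zone>
    </entry></vsys>
  </entry></devices>
</config>
"""

# Assumption: the zones you consider Internet-facing in your own deployment.
UNTRUSTED_ZONES = {"untrust"}


def portal_enabled(root):
    """Condition 1: the Authentication (captive) Portal is enabled in any vsys."""
    return any((e.text or "").strip().lower() == "yes"
               for e in root.iter("enable-captive-portal"))


def profiles_with_response_pages(root):
    """Names of Interface Management Profiles that expose Response Pages."""
    found = set()
    profiles = root.find(".//profiles/interface-management-profile")
    if profiles is None:
        return found
    for prof in profiles.findall("entry"):
        flag = prof.find("response-pages")
        if flag is not None and (flag.text or "").strip().lower() == "yes":
            found.add(prof.get("name"))
    return found


def zone_of_interface(root):
    """Map interface name -> zone name from the zone membership lists."""
    mapping = {}
    for zones in root.iter("zone"):
        for zone in zones.findall("entry"):
            for member in zone.iter("member"):
                mapping[(member.text or "").strip()] = zone.get("name")
    return mapping


def exposed_interfaces(config_xml, untrusted_zones=UNTRUSTED_ZONES):
    """Return (interface, profile, zone) triples where both exposure conditions
    hold: portal enabled AND a Response-Pages profile sits on an untrusted
    interface. An empty list means the portal listener is not reachable there."""
    root = ET.fromstring(config_xml)
    if not portal_enabled(root):
        return []
    rp_profiles = profiles_with_response_pages(root)
    zones = zone_of_interface(root)
    hits = []
    for entry in root.iter("entry"):
        prof = entry.find("layer3/interface-management-profile")
        if prof is None:
            continue          # not a layer-3 interface entry
        name, prof_name = entry.get("name"), (prof.text or "").strip()
        if prof_name in rp_profiles and zones.get(name) in untrusted_zones:
            hits.append((name, prof_name, zones[name]))
    return hits


if __name__ == "__main__":
    for iface, prof, zone in exposed_interfaces(SAMPLE_CONFIG):
        print(f"EXPOSED: {iface} in zone {zone} uses profile {prof} (Response Pages on)")
```

In the sample, only ethernet1/1 is reported: ethernet1/3 sits in the untrusted zone but its profile has Response Pages off (mitigation 2), and ethernet1/2 exposes Response Pages only into the trusted zone (mitigation 1). Flipping enable‑captive‑portal to "no" (mitigation 3) empties the result regardless of interface profiles.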

Threat Context & Real‑World Risk 

Actor Motivation Likelihood 
Cyber‑crime Deploy ransomware or sell compromised firewalls on underground markets. High – low skill required once a public proof‑of‑concept circulates. 
APT groups Gain a persistent foothold in high‑value networks (e.g., finance, critical infrastructure). Medium – may develop custom payloads. 
Script kiddies / opportunists Deface or cause denial of service for notoriety. High – low skill barrier once a public proof‑of‑concept circulates. 

Business Impact: A compromised firewall can block legitimate traffic, expose internal services, or be used as a pivot point for further attacks. 

Data Exposure: Full administrative control enables theft of logs, VPN credentials and other sensitive data, and manipulation of traffic passing through the device. 

Regulatory Consequences: Breaches involving the perimeter firewall may trigger notification and compliance obligations (PCI‑DSS, GDPR, etc.). 

Technical Analysis 

Root Cause 

The User‑ID Authentication Portal parses incoming HTTP requests and forwards them to an internal authentication service. A missing bounds check on a request buffer lets an attacker overflow a stack buffer, overwrite the saved return address, and gain code execution as root on the underlying PAN‑OS system. 

Attack Surface & Exploitation Mechanism 

  • Discovery – Scan for firewalls with the Authentication Portal reachable on a public IP (common ports: 80/443). 
  • Payload Delivery – Send a specially crafted HTTP request containing an overlong header value that triggers the overflow. 
  • Code Execution – The overwritten return address transfers control to attacker‑controlled code (shellcode, or a return‑oriented chain where the platform's memory protections require one), which spawns a root‑level reverse shell or runs arbitrary commands. 
  • Post‑Exploitation – With full firewall control, the adversary can: 
      ◦ Modify security policies to allow traffic through the perimeter. 
      ◦ Exfiltrate logs and credentials. 
      ◦ Deploy additional malware inside the protected network. 

Exploit Chain: [diagram image not included in this extract] 

Indicators of Compromise (IoCs) 

Network Indicators 

Indicator Type Example 
HTTP request GET /authportal/* (or any HTTP request to the Authentication Portal on ports 80/443) from external IP ranges carrying an unusually long header value (>1 KB). 
Payload pattern Long runs of a single filler byte (e.g., 0x41 "A") in headers or body, typical of overflow padding, possibly followed by binary shellcode. 
Outbound C2 Unexpected reverse‑shell connections from the firewall to unknown remote IPs (e.g., on ports 4444 or 5555). 

Host Indicators 

Indicator Description 
Process crash / reboot Sudden restart of PAN‑OS services or a kernel panic logged shortly after a portal request (e.g., in /var/log/pan.log). 
Log entry "Authentication portal request malformed" or "buffer overflow detected" messages. 
File changes Unexpected modifications to /etc/passwd or under /opt/pancfg/mgmt/. 
New admin account Unexpected privileged user added to the firewall configuration. 

Detection Signature (Sigma) 

title: Palo Alto User-ID Authentication Portal Buffer Overflow (CVE-2026-0300)
id: 5d9c3a7e-4b2f-41a8-a1f6-f3c9e2d4b7a0
status: experimental
description: Detects suspicious HTTP requests to the User-ID Authentication Portal that may indicate exploitation of CVE-2026-0300.
author: Dataprise Labs
date: 2026-05-06
logsource:
  product: paloalto
  service: firewall
detection:
  selection:
    EventID: 2001               # placeholder: map to the event that records portal access in your log pipeline
    Message|contains: '/authportal/'
    # request line for the portal followed by at least 1 KB of request data;
    # the method class is deliberately case-sensitive, so no (?i) flag
    Message|re: '^[A-Z]{3,}\s+/authportal/.{1024,}'
  condition: selection
falsepositives:
  - Legitimate captive-portal usage from trusted internal networks.
level: high

References & Further Reading 

Resource Description 
Palo Alto Networks Security Advisory – CVE‑2026‑0300 https://security.paloaltonetworks.com/CVE-2026-0300 
Shadowserver Internet‑exposed VM‑Series scan Public telemetry showing >5,800 exposed firewalls. 
CWE‑787 – Out‑of‑bounds Write https://cwe.mitre.org/data/definitions/787.html 
CAPEC‑100 – Overflow Buffers https://capec.mitre.org/data/definitions/100.html 
Related Weaknesses CWE‑121 (Stack‑based Buffer Overflow) https://cwe.mitre.org/data/definitions/121.html; CWE‑20 (Improper Input Validation) https://cwe.mitre.org/data/definitions/20.html; also listed: CWE‑1390 (Weak Authentication), CWE‑35 (Path Traversal) 

Report generated by Dataprise – Dallas Myers | 2026‑05‑06 10:00 UTC | Classification: TLP:WHITE 
