PAN-OS CVE-2026-0300 — Unauthenticated RCE Zero-Day Actively Exploited in Firewall Espionage Attacks

A critical unauthenticated remote code execution vulnerability in Palo Alto Networks PAN-OS has been under active exploitation since at least early April 2026, linked to espionage-motivated threat actors targeting government and critical infrastructure networks. CVE-2026-0300 affects the User-ID authentication portal on VM-Series and hardware firewalls; CISA added it to the KEV catalogue on 6 May 2026. Patches are available — apply immediately.

#palo-alto #pan-os #cve #rce #zero-day #actively-exploited #cisa-kev #firewall #espionage #globalprotect

Palo Alto Networks has disclosed CVE-2026-0300, a critical unauthenticated remote code execution vulnerability in PAN-OS — the operating system running across Palo Alto’s firewall and network security platform. The vulnerability, which carries a CVSS score of 9.3, resides in the User-ID authentication portal and has been under active exploitation by espionage-motivated threat actors since at least 9 April 2026. CISA added CVE-2026-0300 to the Known Exploited Vulnerabilities catalogue on 6 May 2026, triggering a Federal Civilian Executive Branch patching deadline.

Technical Details

CVE-2026-0300 is a buffer overflow in PAN-OS’s User-ID authentication processing component. A remote, unauthenticated attacker can send a crafted request to the User-ID portal endpoint — which is intended to be network-accessible for authenticating users to GlobalProtect and Captive Portal — and trigger a heap corruption condition that leads to arbitrary code execution as root on the management plane.

The vulnerability is pre-authentication: no credentials or prior access are required. Exploitation does not depend on any specific PAN-OS configuration beyond User-ID being enabled and the portal endpoint being reachable from the attacker's network position. User-ID is enabled in the vast majority of production PAN-OS deployments used for network access control, so most deployments should be assumed exposed until patched or the endpoint is restricted.

Exposure analysis indicates approximately 5,800 VM-Series firewall instances with internet-accessible User-ID portal services, though the vulnerability also affects hardware PA-Series appliances with equivalent configurations.

Active Exploitation and Attribution

Threat intelligence reporting places exploitation activity beginning in the week of 6–12 April 2026 — approximately three weeks before Palo Alto Networks became aware of the vulnerability through incident response investigations. The exploitation pattern is consistent with a targeted espionage campaign rather than opportunistic mass scanning:

  • Initial exploitation used low-volume, targeted requests — not scanning-style spray-and-pray patterns visible in mass exploitation events
  • Post-exploitation activity has involved deployment of a novel implant toolkit on compromised PAN-OS management planes, with capability to intercept VPN credentials transiting the firewall
  • Victims identified to date include government agencies and defence contractors in Europe and Asia-Pacific, consistent with a nation-state espionage objective rather than financial motivation

No formal public attribution has been made by Palo Alto Networks or CISA. Threat intelligence firms tracking the campaign reference similarities to prior exploitation of network perimeter devices by China-nexus actors, though attribution confidence remains moderate.

Affected Versions and Remediation

Affected: PAN-OS releases earlier than the following fixed version on each branch:

  • 11.2.4
  • 11.1.6
  • 10.2.14
  • 10.1.15
  • 9.1.22

Patches are available across all supported branches. Apply the applicable patch immediately. The interim measures below reduce exposure but do not remove the vulnerability, and none of them remediates a device that was already compromised before they were applied. For organisations unable to patch immediately, Palo Alto Networks recommends:

  1. Restrict User-ID portal access to trusted internal IP addresses — remove any internet-accessible exposure of the User-ID authentication endpoint via firewall access policies
  2. Enable Threat Prevention signatures for CVE-2026-0300 if available in your threat prevention subscription tier
  3. Review PAN-OS management plane logs for anomalous authentication requests to the User-ID endpoint from unexpected source addresses
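Step 3 above, combined with the exploitation pattern described earlier (low-volume targeted requests rather than spray-and-pray scanning), is the kind of review that is easiest to do with a script over exported logs. The following is an added example written for this page, not tooling from Palo Alto Networks or from the advisory. It assumes a simplified access-log line shape (timestamp, client address, method, path, status) that is not a real PAN-OS log format; the trusted ranges, the portal URL prefixes and the sample log lines are all constructed for illustration. Adapt the regex and prefixes to the actual export you are reviewing.

```python
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
import re

# Review window from the advisory text: 6 April 2026 until the device was patched.
REVIEW_START = datetime(2026, 4, 6, tzinfo=timezone.utc)

# Hypothetical values: adjust to your environment.
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
PORTAL_PREFIXES = ("/php/uid", "/captive-portal")   # assumed User-ID portal paths

# Assumed log line shape (not a real PAN-OS log format):
# <ISO-8601 timestamp> <client ip> <method> <path> <HTTP status>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)

def parse_line(line):
    """Parse one log line; return None for lines that do not match the assumed shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        src = ip_address(m["src"])
    except ValueError:
        return None
    return {"ts": ts, "src": src, "path": m["path"], "status": int(m["status"])}

def is_trusted(src):
    return any(src in net for net in TRUSTED_NETS)

def is_portal_path(path):
    return path.startswith(PORTAL_PREFIXES)

def classify(stats):
    """Label a source's request pattern the way the article distinguishes them."""
    total = stats["portal_hits"] + stats["other_hits"]
    if stats["portal_hits"] == 0:
        return "no-portal-activity"
    if total >= 20 or len(stats["paths"]) >= 5:
        return "scanning"          # spray-and-pray: many requests or many distinct paths
    return "targeted"              # few requests, aimed specifically at the portal endpoint

def review(lines, patched_at):
    """Summarise untrusted sources that touched the portal endpoint inside the review window."""
    per_src = defaultdict(lambda: {"portal_hits": 0, "other_hits": 0, "paths": set(),
                                   "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not (REVIEW_START <= rec["ts"] <= patched_at):
            continue
        if is_trusted(rec["src"]):
            continue
        s = per_src[rec["src"]]
        if is_portal_path(rec["path"]):
            s["portal_hits"] += 1
        else:
            s["other_hits"] += 1
        s["paths"].add(rec["path"])
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
    findings = []
    for src, s in per_src.items():
        label = classify(s)
        if label == "no-portal-activity":
            continue
        findings.append({"src": str(src), "pattern": label,
                         "portal_hits": s["portal_hits"], "other_hits": s["other_hits"],
                         "first": s["first"].isoformat(), "last": s["last"].isoformat()})
    # Targeted sources are the ones to look at first; scanners are noise by comparison.
    return sorted(findings, key=lambda f: (f["pattern"] != "targeted", f["src"]))

# Constructed sample lines: a quiet outside address making three portal requests, a noisy
# scanner hitting many paths, a trusted internal client, and one line before the window.
SAMPLE_LOG = """\
2026-04-03T22:10:00Z 203.0.113.5 POST /php/uid/login 200
2026-04-09T02:14:07Z 203.0.113.5 POST /php/uid/login 200
2026-04-09T02:14:09Z 203.0.113.5 POST /php/uid/login 500
2026-04-09T02:15:30Z 203.0.113.5 POST /php/uid/login 200
2026-04-10T11:00:00Z 198.51.100.77 GET /php/uid/login 404
2026-04-10T11:00:01Z 198.51.100.77 GET /.env 404
2026-04-10T11:00:02Z 198.51.100.77 GET /wp-login.php 404
2026-04-10T11:00:03Z 198.51.100.77 GET /admin 404
2026-04-10T11:00:04Z 198.51.100.77 GET /api/v1 404
2026-04-10T11:00:05Z 198.51.100.77 GET /captive-portal 404
2026-04-10T11:00:06Z 198.51.100.77 GET /phpmyadmin 404
2026-04-11T08:00:00Z 10.20.30.40 POST /php/uid/login 200
"""

def sample_findings():
    """Run the review over the constructed sample with an assumed patch date of 7 May 2026."""
    return review(SAMPLE_LOG.splitlines(), datetime(2026, 5, 7, tzinfo=timezone.utc))

if __name__ == "__main__":
    for f in sample_findings():
        print(f)
```

On the constructed sample the outside address that made only three requests, all to the portal path, is reported first as "targeted", while the address that touched seven different paths is reported as "scanning". The thresholds in `classify` are deliberately simple; the point is to separate the few quiet portal-only sources, which match the campaign's described pattern, from the bulk scanner noise that every internet-facing endpoint sees, so that the former get an analyst's attention. Trusted-range traffic is excluded only so the untrusted set is small; a lateral attacker inside a trusted range would not appear here and needs a separate review.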

Enterprise Implications

Two properties of the affected devices make CVE-2026-0300 a particularly high-priority response item:

Perimeter device compromise is categorically different from endpoint compromise. An attacker with root execution on a PAN-OS management plane has access to the cryptographic material used for VPN sessions, can read decrypted traffic flowing through the device, can intercept GlobalProtect authentication credentials, and can manipulate firewall rules to create persistent inbound access. A compromised firewall provides substantially more capability than a compromised workstation.

PAN-OS firewalls occupy a trusted position in the network. Security monitoring architectures typically apply less scrutiny to traffic sourced from firewall management infrastructure than to general internal hosts, so an attacker embedded in a firewall management plane may operate with a reduced probability of detection.

Organisations running PAN-OS should treat this as an emergency patch window and, regardless of patch status, should review firewall VPN credential logs and management plane access logs for the period from 6 April 2026 to the date of patching. Where that review indicates compromise, the credentials and cryptographic material present on the device should be treated as exposed, since a root-level attacker on the management plane can read them.
