PAN-OS RCE CVE-2026-0300 exploited in the wild
Palo Alto Networks warned customers today that a critical-severity unpatched vulnerability in the PAN-OS User-ID Authentication Portal is being exploited in attacks. [...]
What Happened
Palo Alto Networks has confirmed active exploitation of a critical buffer overflow vulnerability in PAN-OS, tracked as CVE-2026-0300. The flaw resides in the User-ID Authentication Portal and allows unauthenticated remote code execution on affected firewall appliances. The company issued an advisory on Tuesday warning customers that attacks are underway, with no patch currently available. A mitigation involves restricting access to the User-ID portal via management interface controls.
Why It Matters
PAN-OS powers Palo Alto’s firewall lineup, which is deployed across thousands of enterprise networks, data centers, and government environments. An RCE vulnerability in the User-ID component is particularly dangerous because it exposes a critical control plane function: User-ID is responsible for mapping user identities to traffic, meaning an exploit could let attackers pivot from the portal to gain administrative control over the firewall itself. For organizations relying on these devices as network security gateways, a compromise means attackers could disable rules, inspect or drop encrypted traffic, and move laterally undetected. The active exploitation raises the urgency significantly - this is not a theoretical issue.
Technical Details
CVE-2026-0300 is a buffer overflow in the PAN-OS User-ID Authentication Portal, the component that authenticates users (typically against Active Directory or LDAP) so that their identities can be mapped to traffic. An attacker can send specially crafted HTTP requests to the portal, triggering memory corruption that leads to code execution with the privileges of the httpd process. No authentication is required. The vulnerability affects all currently shipping PAN-OS versions; fixed version numbers have not yet been published. The attack vector is network-based over TCP port 8080 (the portal's default) or whatever alternate port the portal has been configured on, so an inventory of exposed portals should cover non-default ports as well. Indicators of compromise (IOCs) are limited, but Palo Alto recommends monitoring for unusual HTTP POST requests to the User-ID endpoint, particularly from sources outside the ranges legitimate users come from, and for subsequent outbound connections from the firewall itself to unknown IPs.
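The IOC guidance above (POSTs to the portal from sources that should never reach it, followed shortly by outbound connections from the firewall's own address to destinations it does not normally talk to) can be turned into a first-pass triage script. The following is an added example written for this page, not Palo Alto's code or tooling: the log line format is constructed, and the portal path `/auth-portal/`, the firewall address, the trusted source ranges, the known-good destinations and the ten-minute correlation window are all assumptions to be replaced with the environment's own values.

```python
"""Triage helper for the CVE-2026-0300 IOC guidance (added example, not vendor code).

Step 1: flag HTTP POSTs to the Authentication Portal port and path from sources
        outside the trusted ranges.
Step 2: flag outbound connections from the firewall's own address to destinations
        that are not on the known-good list and that occur within a short window
        after such a POST. A portal POST alone is only a lead; the follow-up
        outbound connection is what raises it to an incident.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# --- Assumptions: hypothetical values, not taken from the advisory ----------
PORTAL_PATH_PREFIX = "/auth-portal/"          # hypothetical portal endpoint path
PORTAL_PORTS = {8080}                          # default per the article; add alternates
FIREWALL_ADDR = ip_address("198.51.100.10")    # the appliance's own address
TRUSTED_SOURCES = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]
KNOWN_OUTBOUND = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]  # SIEM, update servers, ...
CORRELATION_WINDOW = timedelta(minutes=10)


@dataclass
class Record:
    ts: datetime
    fields: dict


def parse_line(line: str) -> Record:
    """Parse '<ISO-8601 timestamp> key=value key=value ...' (constructed format)."""
    ts_text, *pairs = line.split()
    ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    return Record(ts, dict(p.split("=", 1) for p in pairs))


def in_any(addr, nets) -> bool:
    return any(addr in n for n in nets)


def find_portal_posts(records):
    """POSTs to the portal port/path from addresses outside TRUSTED_SOURCES."""
    hits = []
    for r in records:
        f = r.fields
        if f.get("type") != "http" or f.get("method") != "POST":
            continue
        if int(f.get("dport", 0)) not in PORTAL_PORTS:
            continue
        if not f.get("path", "").startswith(PORTAL_PATH_PREFIX):
            continue
        if not in_any(ip_address(f["src"]), TRUSTED_SOURCES):
            hits.append(r)
    return hits


def find_followup_outbound(records, posts):
    """Connections sourced from the firewall to non-allowlisted destinations,
    within CORRELATION_WINDOW after any suspicious portal POST."""
    hits = []
    for r in records:
        f = r.fields
        if f.get("type") != "conn" or ip_address(f["src"]) != FIREWALL_ADDR:
            continue
        if in_any(ip_address(f["dst"]), KNOWN_OUTBOUND):
            continue
        if any(timedelta(0) <= (r.ts - p.ts) <= CORRELATION_WINDOW for p in posts):
            hits.append(r)
    return hits


def triage(lines):
    """Return the two finding lists as (timestamp, address) tuples."""
    records = [parse_line(line) for line in lines if line.strip()]
    posts = find_portal_posts(records)
    outbound = find_followup_outbound(records, posts)
    return {
        "portal_posts": [(r.ts.isoformat(), r.fields["src"]) for r in posts],
        "outbound": [(r.ts.isoformat(), r.fields["dst"]) for r in outbound],
    }


# Constructed sample log (documentation address ranges only).
SAMPLE_LOG = [
    "2026-01-14T10:00:05Z type=http src=10.20.30.40 dst=198.51.100.10 dport=8080 method=POST path=/auth-portal/login",
    "2026-01-14T10:02:11Z type=http src=203.0.113.7 dst=198.51.100.10 dport=8080 method=POST path=/auth-portal/login",
    "2026-01-14T10:02:12Z type=http src=203.0.113.7 dst=198.51.100.10 dport=8080 method=GET path=/auth-portal/login",
    "2026-01-14T10:03:30Z type=conn src=198.51.100.10 dst=192.0.2.25 dport=443",
    "2026-01-14T10:04:02Z type=conn src=198.51.100.10 dst=203.0.113.50 dport=443",
    "2026-01-14T10:05:00Z type=conn src=10.20.30.41 dst=203.0.113.52 dport=443",
    "2026-01-14T11:30:00Z type=conn src=198.51.100.10 dst=203.0.113.51 dport=8443",
]

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind, items)
```

On the sample, only the POST from 203.0.113.7 (outside the trusted ranges) and the firewall's own connection to 203.0.113.50 roughly two minutes later are reported; the trusted-source POST, the GET, the connection to the allowlisted SIEM address and the non-firewall-sourced connection are ignored, and the 11:30 connection is dropped because it falls outside the window. Real PAN-OS logs have their own syslog and CSV layouts, so the parser is the part to replace first; the allowlists should be built from observed baseline traffic rather than guessed.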
Immediate Risk
The risk is high for any organization running a Palo Alto firewall with the User-ID Authentication Portal exposed to untrusted networks. While Palo Alto has historically advised restricting management access to trusted IPs, many deployments expose the portal for remote users or branch connectivity. Mitigation involves using the PAN-OS policy engine to block access to the portal from untrusted sources, or disabling it entirely if it is not needed. However, blocking the portal may disrupt authentication for remote users, so the allowed source ranges should be checked against where legitimate logins actually originate before the rule is enforced. Palo Alto has not yet given a patch target date, so affected organizations should implement the workaround immediately and prepare for an emergency update. No bypass of the workaround has been reported yet, but the publicity of the flaw will likely accelerate reverse engineering by additional threat actors.
Security Insight
This incident mirrors the 2024 PAN-OS RCE vulnerability (CVE-2024-3400) in execution pattern: both were critical, unpatched at disclosure, and already being exploited for initial access by state-sponsored groups. The recurring theme is that user-facing authentication portals on network edge devices are a systemic blind spot in patch management. Security teams should inventory every such portal (VPN gateways, captive portals, identity agents) and either decouple it from administrative networks or put strict fail-closed access rules in front of it. Waiting for the patch alone is insufficient; assume the workaround is the only barrier until the fix arrives.