Palo Alto Networks has disclosed a critical buffer overflow vulnerability in PAN-OS software, tracked as CVE-2026-0300, that is already being actively exploited in the wild.<\/p>\n
The flaw carries a CVSS 4.0 score of 9.3 (CRITICAL) and allows unauthenticated attackers to execute arbitrary code with full root privileges on affected PA-Series and VM-Series firewalls, with no credentials, no user interaction, and no special conditions required.<\/p>\n
The vulnerability resides in the User-ID With a NETWORK attack vector, zero attack complexity, and no privileges required, this flaw is fully automatable, making it an ideal candidate for mass-exploitation campaigns.<\/p>\n The exploit maturity is classified as ATTACKED, with Palo Alto Networks confirming limited exploitation has already been observed targeting Authentication Portals exposed to untrusted IP addresses and the public internet.<\/p>\n The vulnerability impacts multiple PAN-OS versions across PA-Series and VM-Series firewalls. Affected branches include:<\/p>\n Notably, Prisma Access, Cloud NGFW, and Panorama appliances are not affected. The vulnerability only applies to firewalls with the User-ID When the Authentication Portal is internet-exposed, the CVSS score reaches its maximum threat tier at 9.3. Even in adjacent-network scenarios, the score remains a severe 8.7.<\/p>\n Successful exploitation results in high confidentiality, integrity, and availability impacts at the product level, effectively giving threat actors complete control over the targeted firewall.<\/p>\n The risk profile is particularly alarming given the concentrated value density of enterprise firewalls, which serve as critical network chokepoints.<\/p>\n Compromising a perimeter firewall can facilitate lateral movement, traffic interception, credential harvesting, and a full network takeover.<\/p>\n Palo Alto Networks has confirmed<\/a> that patches are rolling out between May 13 and May 28, 2026, depending on the PAN-OS branch. Until patches are applied, administrators should immediately take one of the following actions:<\/p>\n A Threat Prevention Signature for PAN-OS 11.1 and above was made available on May 5, 2026, providing an additional detection and blocking layer for organizations that have Threat Prevention licensed.<\/p>\n Security teams should audit their PAN-OS configurations immediately by navigating to Device > User Identification > Authentication Portal Settings to determine exposure.<\/p>\n Any portal accessible from the internet or untrusted zones should be treated as an emergency remediation priority, given confirmed in-the-wild exploitation of CVE-2026-0300.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Critical Palo Alto Firewalls Vulnerability Exploited in the Wild to Gain Root Access<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\u2122\"](\"https:\/\/i0.wp.com\/s.w.org\/images\/core\/emoji\/17.0.2\/72x72\/2122.png?ssl=1\")
Authentication Portal (also known as Captive Portal) service of PAN-OS. An unauthenticated remote attacker can send specially crafted packets to trigger an out-of-bounds write (CWE-787), causing a buffer overflow<\/a> that ultimately yields root-level code execution on the targeted firewall.<\/p>\nAffected Products<\/strong><\/h2>\n
\n
Authentication Portal explicitly enabled and accessible from untrusted networks.<\/p>\n\n
Authentication Portal entirely if it is not operationally required<\/li>\n<\/ul>\n