# Palo Alto PAN-OS Buffer Overflow Exploited in Wild: Immediate Patching Required
## The Threat
Palo Alto Networks has disclosed a critical buffer overflow vulnerability in PAN-OS that is actively being exploited by threat actors. Tracked as CVE-2026-0300, the flaw allows unauthenticated attackers to achieve remote code execution on affected firewalls—one of the most severe attack scenarios in network security.
The vulnerability exists in the User-ID Authentication Portal, a component that manages user identification and authentication for organizations relying on Palo Alto's threat prevention platform. When the portal is configured to accept inbound connections from the internet (a common configuration for remote workforce management), the vulnerable code path becomes accessible without credentials, enabling attackers to send specially crafted requests that overflow the buffer and execute arbitrary code on the device.
Active exploitation in the wild means this is not a theoretical vulnerability awaiting discovery: threat actors are already targeting organizations. The combination of network criticality (firewalls are typically positioned at the perimeter), ease of exploitation (no authentication required), and severity of impact (remote code execution) makes this one of 2026's most urgent security issues for enterprises running Palo Alto infrastructure.
## Severity and Impact
| Metric | Value |
|--------|-------|
| CVE ID | CVE-2026-0300 |
| CVSS Score | 9.3 (Critical) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Attack Complexity | Low |
| Authentication Required | None |
| Attack Vector | Network |
| Impact | Complete system compromise (confidentiality, integrity, and availability) |

A CVSS score of 9.3 places this in the critical category—the highest risk tier. The attack requires no authentication and can be performed over the network with minimal complexity, meaning any firewall instance with an internet-facing User-ID Authentication Portal is immediately at risk.
## Affected Products
Palo Alto PAN-OS versions vulnerable to CVE-2026-0300 include:
Organizations running these versions with the User-ID Authentication Portal enabled for remote access should be considered compromised until patched or mitigated.
## Mitigations
### Immediate Actions (Priority 1)
Apply security updates: Palo Alto Networks has released patches for all affected versions. Organizations must deploy these updates immediately, starting with internet-facing firewalls.
Restrict authentication portal access: If patching cannot be completed immediately, restrict the User-ID Authentication Portal to internal networks only. Disable inbound internet access to the portal until patches are applied. Organizations relying on remote access authentication should implement VPN tunneling to route authentication traffic through encrypted channels rather than exposing the portal directly to the internet.
Network segmentation: If the portal must remain internet-accessible, place the Palo Alto firewall behind an additional security layer or implement strict firewall rules limiting inbound traffic to the portal to known, trusted IP ranges only.
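
An added example, not from Palo Alto Networks or the original page: a triage pass over a constructed firewall inventory that ranks unpatched devices by who can reach the User-ID Authentication Portal, following the restrict-to-internal and trusted-range mitigations above. The inventory fields, hostnames, the `TRUSTED` allowlist and the `patched` flag are assumptions; patch state comes from your own records.

```python
import ipaddress

# RFC 1918 space counts as "internal networks"; TRUSTED is an assumed allowlist
# of known external ranges (documentation addresses, not real sites).
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TRUSTED = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed inventory: portal state, source CIDRs allowed to reach the
# portal, and whether the vendor fix is installed (from your own records).
INVENTORY = [
    {"host": "fw-edge-01", "portal": True, "sources": ["0.0.0.0/0"], "patched": False},
    {"host": "fw-edge-02", "portal": True, "sources": ["198.51.100.0/24"], "patched": False},
    {"host": "fw-core-01", "portal": True, "sources": ["10.0.0.0/8"], "patched": False},
    {"host": "fw-lab-01", "portal": False, "sources": [], "patched": False},
    {"host": "fw-edge-03", "portal": True, "sources": ["0.0.0.0/0"], "patched": True},
]
RANK = {"internet": 1, "restricted": 2, "internal": 3, "disabled": 4}


def within(net, allowed):
    """True if net lies entirely inside one of the allowed networks."""
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)


def exposure(fw, trusted=TRUSTED):
    """Classify who can reach the User-ID Authentication Portal on one device."""
    if not fw["portal"]:
        return "disabled"
    nets = [ipaddress.ip_network(s, strict=False) for s in fw["sources"]]
    if not nets:
        return "internet"  # no restriction recorded: assume any source
    if all(within(n, INTERNAL) for n in nets):
        return "internal"
    if all(within(n, INTERNAL + trusted) for n in nets):
        return "restricted"
    return "internet"  # at least one range is neither internal nor trusted


def triage(inventory):
    """Unpatched devices as (rank, host, exposure), most urgent first."""
    rows = [(RANK[exposure(fw)], fw["host"], exposure(fw))
            for fw in inventory if not fw["patched"]]
    return sorted(rows)


if __name__ == "__main__":
    for rank, host, exp in triage(INVENTORY):
        print(f"P{rank} {host}: portal exposure = {exp}")
```

A single untrusted range in an otherwise internal source list still classifies the device as internet-exposed, which is the case most often missed when allowlists grow over time.
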
### Ongoing Hardening
Monitor firewall logs: Check authentication portal logs for signs of exploitation attempts. Look for unusual connection patterns, buffer overflow attempts, or unexpected process execution on the firewall OS.
Implement additional network monitoring: Deploy network detection and response (NDR) or intrusion prevention systems (IPS) to monitor traffic destined for affected firewalls. Exploit attempts may be detectable through signature-based detection.
Disable unnecessary services: If the User-ID Authentication Portal is not actively used, disable it entirely. Organizations that do not require this functionality eliminate the attack surface by disabling the component.

---
Bottom Line for Security Teams: This is a "drop everything" priority. Treat CVE-2026-0300 like a zero-day for your organization—assume active targeting is occurring. Patch internet-facing Palo Alto firewalls within 24 hours, or restrict the authentication portal to internal networks immediately. If you cannot confirm your PAN-OS version or portal configuration, reach out to your Palo Alto support team or account representative for guidance. Delay in addressing this vulnerability carries severe risk of firewall compromise and potential network breach.