A critical vulnerability (CVE-2026-0300) has been identified in Palo Alto Networks PAN-OS that allows unauthenticated attackers to achieve remote code execution (RCE) with root privileges. The issue affects the User-ID Authentication Portal (Captive Portal) and is actively exploited in limited cases, particularly when exposed to untrusted networks or the public internet.
What is CVE-2026-0300?
The vulnerability is a buffer overflow in the User-ID Authentication Portal service. By sending specially crafted network packets, an unauthenticated attacker can trigger an out-of-bounds write condition, ultimately leading to arbitrary code execution with root privileges on affected devices. The attack requires no authentication, user interaction, or special conditions beyond network access.
Exploitation risk is significantly higher when the Authentication Portal is exposed externally. The service is typically used for user identification workflows (e.g., captive portals), but when accessible from the Internet or untrusted networks, it becomes an entry point for remote attackers. The vulnerability has a CVSS score of 9.3, and Palo Alto has stated that it has already seen limited in-the-wild exploitation targeting exposed instances.
Limited details have been published as of May 6, 2026. Wiz will continue to update this blogpost when additional details will come to life.
Which products are affected?
| Product | Version Branch | Vulnerable Versions | Fixed Version (ETA) |
|---|---|---|---|
| PAN-OS | 12.1 | < 12.1.4-h5 | 12.1.4-h5 (05/13) |
| PAN-OS | 12.1 | < 12.1.7 | 12.1.7 (05/28) |
| PAN-OS | 11.2 | < 11.2.4-h17 | 11.2.4-h17 (05/28) |
| PAN-OS | 11.2 | < 11.2.7-h13 | 11.2.7-h13 (05/13) |
| PAN-OS | 11.2 | < 11.2.10-h6 | 11.2.10-h6 (05/13) |
| PAN-OS | 11.2 | < 11.2.12 | 11.2.12 (05/28) |
| PAN-OS | 11.1 | < 11.1.4-h33 | 11.1.4-h33 (05/13) |
| PAN-OS | 11.1 | < 11.1.6-h32 | 11.1.6-h32 (05/13) |
| PAN-OS | 11.1 | < 11.1.7-h6 | 11.1.7-h6 (05/28) |
| PAN-OS | 11.1 | < 11.1.10-h25 | 11.1.10-h25 (05/13) |
| PAN-OS | 11.1 | < 11.1.13-h5 | 11.1.13-h5 (05/13) |
| PAN-OS | 11.1 | < 11.1.15 | 11.1.15 (05/28) |
| PAN-OS | 10.2 | < 10.2.7-h34 | 10.2.7-h34 (05/28) |
| PAN-OS | 10.2 | < 10.2.10-h36 | 10.2.10-h36 (05/13) |
| PAN-OS | 10.2 | < 10.2.13-h21 | 10.2.13-h21 (05/28) |
| PAN-OS | 10.2 | < 10.2.16-h7 | 10.2.16-h7 (05/28) |
| PAN-OS | 10.2 | < 10.2.18-h6 | 10.2.18-h6 (05/13) |
What is the risk to cloud environments?
While Wiz data indicates that 7% of environments have publicly exposed PAN-OS instances, Palo Alto Networks specifies that the vulnerability is within the User-ID Authentication Portal. Since this portal utilizes ports 6081 and 6082, the exposure of these specific ports is the primary metric for exploitability. Currently, Shodan identifies 67 exposed PAN-OS servers on port 6081, with none detected on port 6082.
What steps should security teams take?
Apply patches immediately once fixed versions become available for your PAN-OS release branch
Restrict access to the User-ID Authentication Portal to trusted internal IP addresses only
Disable the Authentication Portal if it is not required
Avoid exposing the portal to the internet or untrusted networks
How can Wiz help?
Wiz customers can use the pre-built queries and advisory in the Wiz Threat Intel Center to search for relevant instances in their environment.
