🔴 CVE-2026-0300

Critical unauthenticated buffer overflow vulnerability in Palo Alto PAN-OS User-ID Authentication Portal allowing remote code execution with root privileges. Already under active exploitation in the wild against internet-facing firewalls.

Risk Level: HIGH_RISK

MITRE Technique: T1190

CVSS Score: 9.3

Attack Vector: NETWORK

Deployment Risk: HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2026-05-06

Added to CISA KEV: 2026-05-06 (0 days between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence

Key Sources:

  • Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code ...

    CVE-2026-0300 exploited via public PAN-OS portal before May 13, 2026 patch, enabling root RCE on firewalls. Palo Alto Networks has released an advisory warning that a critical buffer overflow vulnerability in its PAN-OS software has been exploited in the wild. The vulnerability, tracked as CVE-2026-0300, has been described as a case of unauthenticated remote code execution. It carries a CVSS score of ...

  • CVE-2026-0300 PAN-OS: Unauthenticated user initiated Buffer ...

    Limited exploitation has been observed targeting Palo Alto Networks User-ID™ Authentication Portals that are exposed to untrusted IP addresses and/or the public internet. Exploit Maturity: ATTACKED. Response Effort: MODERATE. Recovery: USER. Value Density: CONCENTRATED. Attack Vector: NETWORK. Attack Complexity: LOW. Attack Requirements: NONE. Automatable: YES.

  • CISA Adds One Known Exploited Vulnerability to Catalog | CISA

    CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

  • Palo Alto CVE-2026-0300 Under Active Attack — Patch Due May 13

    Exploitation Status: Active and Limited, Targeting Public-Facing Portal Instances. Palo Alto Networks confirmed that active exploitation of CVE-2026-0300 has been detected, described as limited and targeting internet-accessible Captive Portal configurations. No specific victim organizations were named in the disclosure.

  • CVE-2026-0300 - Vulnerability Details - OpenCVE

    An attacker can exploit this flaw by sending malicious packets over any network path that reaches the User‑ID™ Authentication Portal; thus the attack vector is inferred to be network‑based from an unauthenticated source. Generated by OpenCVE AI on May 6, 2026 at 21:38 UTC. No EPSS score available. Exploitation: active. Automatable: yes. Technical Impact: total.