📋 Vulnerability Details
Data Source: CIRCL
Confidence: HIGH
Exploitation Method: DIRECT_NETWORK
CVE Published: 2026-05-06
Added to CISA KEV: 2026-05-06 (0 days between CVE publication and KEV listing)
🌐 Internet Exposure (Shodan): 135k+ internet-facing instances
Query: http.title:"GlobalProtect Portal"
This counts internet-facing PAN-OS devices via the GlobalProtect portal fingerprint. The vulnerable User-ID Authentication Portal runs on the same devices but is not directly indexed by Shodan, so this is a best-available estimate of the exposed population.
Checked: 2026-06-04
🎯 Recommendations:
- CRITICAL: Check for indicators of compromise. This vulnerability is in the CISA KEV catalog, indicating active exploitation in the wild. Review logs, check for unauthorized access, and verify system integrity
- IMMEDIATE: Apply security patches listed in the advisory (PAN-OS versions 12.1.7, 11.2.12, 11.1.15, 10.2.18-h6 and their respective hotfixes)
- URGENT: If patching cannot be completed immediately, restrict User-ID Authentication Portal access to only trusted internal IP addresses and disable Response Pages on internet-facing interfaces
- Deploy Threat Prevention signature ID 510019 if running PAN-OS 11.1+ with Threat Prevention subscription
- Consider disabling User-ID Authentication Portal entirely if not required
- Monitor for unusual network traffic patterns and unauthorized administrative access attempts
- Patch priority: CRITICAL - Apply within 72 hours due to active exploitation
🔍 Web Intelligence (Kagi · 2026-05-07)
CVE-2026-0300 is a critical vulnerability affecting Palo Alto Networks PAN-OS software, specifically within the User-ID™ Authentication Portals (also known as Captive Portal) [1][6]. This vulnerability has been observed to be actively exploited in the wild [3][6].
Key details regarding its exploitation include:
- Internet-Facing Applications/Services: The vulnerability specifically targets User-ID™ Authentication Portals that are exposed to untrusted IP addresses and/or the public internet [2][4].
- Evidence of Active Exploitation: CISA has added CVE-2026-0300 to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation [3]. Exploitation is described as active and limited [4][5].
- Attack Vectors and Exploitation Methods: The vulnerability is a case of unauthenticated remote code execution (RCE) [1]. An attacker can exploit this flaw by sending malicious packets over any network path that reaches the User-ID™ Authentication Portal. The attack vector is network-based from an unauthenticated source, with low attack complexity and no specific requirements [2][5]. It is a buffer overflow vulnerability [6].
- Targeted Attacks: While active exploitation has been detected, no specific victim organizations have been named in the disclosures [4].
- CISA Known Exploited Vulnerabilities Status: CVE-2026-0300 has been added to the CISA KEV Catalog [3]. Organizations are advised to use this catalog for vulnerability management prioritization [7].
- Technical Details about Internet Exploitability: The vulnerability allows for root RCE on firewalls [1]. It is described as an unauthenticated user-initiated buffer overflow [2]. The exploit is automatable [2][5].
Sources
- [1] Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code ...
  CVE-2026-0300 exploited via public PAN-OS portal before May 13, 2026 patch, enabling root RCE on firewalls. ... The vulnerability, tracked as CVE-2026-0300, has been described as a case of unauthenticated remote code execution. It carries a CVSS score of ... ... CVE-2026-0300 exploited via public PA…
- [2] CVE-2026-0300 PAN-OS: Unauthenticated user initiated Buffer ...
  Limited exploitation has been observed targeting Palo Alto Networks User-ID™ Authentication Portals that are exposed to untrusted IP addresses ... ... Exploit Maturity ATTACKED. Response Effort MODERATE. Recovery USER. Value Density CONCENTRATED. Attack Vector NETWORK. Attack Complexity LOW. Attack…
- [3] CISA Adds One Known Exploited Vulnerability to Catalog | CISA
  CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
- [4] Palo Alto CVE-2026-0300 Under Active Attack — Patch Due May 13
  Exploitation Status: Active and Limited, Targeting Public-Facing Portal Instances Palo Alto Networks confirmed that active exploitation of CVE-2026-0300 has been detected, described as limited and targeting internet-accessible Captive Portal configurations. No specific victim organizations were name…
- [5] CVE-2026-0300 - Vulnerability Details - OpenCVE
An attacker can exploit this flaw by sending malicious packets over any network path that reaches the User‑ID™ Authentication Portal; thus the attack vector is inferred to be network‑based from an unauthenticated source. Generated by OpenCVE AI on May 6, 2026 at 21:38 UTC. cve-icon Mitre Data.No EPS…