Palo Alto Networks PAN-OS CVE-2026-0300 — Exposed Captive Portals Face Critical RCE Risk
Finding: CVE-2026-0300 exposes PAN-OS User-ID Authentication Portals to unauthenticated RCE
Confidence: High
Palo Alto Networks’ advisory for CVE-2026-0300 describes a buffer overflow in the PAN-OS User-ID™ Authentication Portal, also known as Captive Portal. The vendor states that a remote unauthenticated attacker can execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending specially crafted packets.
NHS England alert CC-4777 independently summarises the issue as unauthenticated remote code execution with root privileges on exposed Palo Alto PAN-OS firewalls. Palo Alto assigns CVSS v4.0 9.3 Critical severity and marks exploit maturity as attacked. This moves the item beyond a thin advisory queue and into immediate exposure triage.
Exploitation is limited, but exposed portals are the urgent risk boundary
Confidence: High
Palo Alto reports limited exploitation targeting User-ID Authentication Portals exposed to untrusted IP addresses or the public internet. NHS England states that Palo Alto is aware of limited in-the-wild exploitation and that NHS England National CSOC assesses further exploitation as highly likely.
The operational distinction matters. This is not a generic “all PAN-OS devices are equally exposed” story. The highest-risk condition is a PA-Series or VM-Series firewall configured to use User-ID Authentication Portal with response pages enabled on an interface reachable from untrusted or internet traffic.
Affected branches are PAN-OS 12.1, 11.2, 11.1, and 10.2 under specific portal exposure conditions
Confidence: High
Palo Alto lists affected PAN-OS release lines across 12.1, 11.2, 11.1, and 10.2, with fixed releases pending across multiple maintenance branches. The advisory states that Prisma Access, Cloud NGFW, and Panorama appliances are not impacted.
Affected organisations should verify both software branch and configuration. The exposure condition requires User-ID Authentication Portal to be enabled and an interface management profile with response pages enabled on an external or internet-accessible interface. Version checks alone are not enough if the portal remains reachable from untrusted networks.
Mitigation is available before patches land
Confidence: High
Palo Alto says fixes are planned in upcoming PAN-OS releases, with fixed-version ETAs listed for 13 May and 28 May 2026 depending on branch and maintenance line. NHS England similarly says patches are expected on 13 May and 28 May and strongly encourages affected organisations to apply them when released.
Until those patches are available, the control is configuration. Disable User-ID Authentication Portal if it is not required. If it is required, restrict access to trusted zones or trusted internal IP addresses and disable response pages on external Layer 3 interfaces where untrusted or internet traffic can ingress. Palo Alto also notes that customers with Threat Prevention can block attacks by enabling Threat ID 510019 from Applications and Threats content version 9097-10022, with PAN-OS 11.1 or later required for that Threat ID support.
Queue hygiene note: the 04:33 a13e review changes the low-confidence queue
Confidence: High
The earlier 03:25 daily brief predated the 2026-05-07 04:33 a13e review. That later review records that the previous BSI WID set, including WID-SEC-2026-1366, 1383, 1379, 1363, 1381, 1377, 1380, and 1370, was already excluded or ledgered. Those items should not be presented as the freshest queue without that caveat.
The 04:33 a13e review instead promotes six newer low-confidence inventory items: Keycloak WID-SEC-2026-1330, Asterisk/pjproject WID-SEC-2026-1378, Dell BIOS WID-SEC-2026-1382, Django WID-SEC-2026-1373, MinIO WID-SEC-2026-1376, and Kernel WID-SEC-2026-1385. The 04:33 review rates all six as LOW confidence / UNVERIFIED single-source BSI advisories with no confirmed active exploitation, IOCs, or named victims in the available corpus.
Why This Matters
CVE-2026-0300 combines three traits that should trigger fast action: exposed edge infrastructure, unauthenticated remote code execution, and root-level impact. The existence of limited exploitation means teams should not wait for patch availability before reducing exposure.
The rest of the day’s queue is different. Keycloak, Asterisk/pjproject, Dell BIOS, Django, MinIO, and Kernel entries are useful inventory prompts, not emergency findings. Treating those low-confidence BSI items with the same urgency as CVE-2026-0300 would blur the response priority.
Recommended Actions
- Identify PA-Series and VM-Series firewalls running PAN-OS 12.1, 11.2, 11.1, or 10.2.
- Check whether User-ID Authentication Portal/Captive Portal is enabled.
- Confirm whether response pages are enabled on any external or internet-accessible Layer 3 interface.
- Disable User-ID Authentication Portal where it is not required.
- Where the portal is required, restrict access to trusted zones or trusted internal IP addresses and remove response-page exposure from untrusted ingress paths.
- Track Palo Alto fixed releases expected on 13 May and 28 May 2026 and schedule branch-appropriate patching when available.
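The checks above can be run across a firewall inventory in one pass. The following is an added example, not a13e or Palo Alto code; the CSV column names, hostnames, and versions are constructed for illustration and are not a PAN-OS export format.

```python
import csv
import io

# Constructed sample inventory; column names are hypothetical and would be
# filled from your own CMDB or configuration review.
INVENTORY_CSV = """\
hostname,product,panos_version,portal_enabled,response_pages_untrusted_if,threat_prevention
fw-edge-01,PA-Series,11.1.4-h7,yes,yes,yes
fw-edge-02,VM-Series,10.2.9,yes,yes,yes
fw-core-01,PA-Series,11.2.3,yes,no,no
fw-lab-01,PA-Series,12.1.2,no,no,no
fw-old-01,PA-Series,10.1.14,yes,yes,no
pano-01,Panorama,11.1.4,no,no,no
"""

AFFECTED_PRODUCTS = {"PA-Series", "VM-Series"}
AFFECTED_BRANCHES = {(12, 1), (11, 2), (11, 1), (10, 2)}
THREAT_ID_MIN_BRANCH = (11, 1)  # Threat ID 510019 needs PAN-OS 11.1 or later

def branch(version):
    """Reduce a version such as '11.1.4-h7' to its release line (11, 1)."""
    major, minor = version.split(".")[:2]
    return int(major), int(minor)

def triage(row):
    """Return (status, ordered actions) for one inventory row."""
    if row["product"] not in AFFECTED_PRODUCTS:
        return "not-impacted-product", []
    b = branch(row["panos_version"])
    if b not in AFFECTED_BRANCHES:
        return "branch-not-listed", ["confirm branch against the vendor advisory"]
    patch = "patch when the branch fix is released"
    if row["portal_enabled"] != "yes":
        return "portal-disabled", [patch]
    if row["response_pages_untrusted_if"] != "yes":
        return "portal-internal-only", ["keep portal restricted to trusted zones", patch]
    actions = ["disable portal, or restrict it to trusted zones/IPs",
               "disable response pages on untrusted L3 interfaces", patch]
    if row["threat_prevention"] == "yes" and b >= THREAT_ID_MIN_BRANCH:
        actions.insert(2, "enable Threat ID 510019 (content 9097-10022)")
    return "urgent-exposed-portal", actions

def run(csv_text=INVENTORY_CSV):
    return {r["hostname"]: triage(r) for r in csv.DictReader(io.StringIO(csv_text))}

if __name__ == "__main__":
    for host, (status, actions) in run().items():
        print(f"{host:12} {status:22} {'; '.join(actions)}")
```

Note that the 10.2 device is flagged urgent but does not get the Threat ID action, since that signature requires PAN-OS 11.1 or later; configuration changes are its only interim control.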
All findings grounded in a13e intelligence sweeps through 04:33 UTC 07 May 2026.