- May 5, 2026
Critical Vulnerability in Palo Alto PAN-OS Authentication Portal (CVE-2026-0300)
On May 6th, Palo Alto Networks announced CVE-2026-0300, an authentication bypass vulnerability in PAN-OS that allows an unauthenticated attacker to bypass authentication and remotely execute code as root on PAN-OS PA-Series and VM-Series firewalls.
Executive Summary
On May 6th, Palo Alto Networks released an advisory for an authentication bypass vulnerability in their PAN-OS software related to their Captive Portal “User-ID™ Authentication Portal”. The vulnerability (CVE-2026-0300) allows an unauthenticated attacker to bypass authentication and remotely execute code as root on PAN-OS PA-Series and VM-Series firewalls. Palo Alto Networks has identified attacks against their systems in the wild, and at the time of writing has not released a patch for the affected systems.
Beazley Security and Palo Alto Networks advise either disabling or limiting access to the Captive Portal to trusted internal IP addresses as per their security guidelines updated on May 5th 2026.
Affected Systems or Products
This vulnerability was found on PAN-OS User-ID™ Authentication Portal web interfaces and affects specific versions of the PAN-OS software. Palo Alto Networks has provided estimated release dates (ETAs) for the patch releases for specific versions; these are included in the table below.
| Product | Affected Version | Fixed Version |
|---|---|---|
| PAN-OS 12.1 | < 12.1.4-h5, < 12.1.7 | >= 12.1.4-h5 (ETA: 05/13), >= 12.1.7 (ETA: 05/28) |
| PAN-OS 11.2 | < 11.2.4-h17, < 11.2.7-h13, < 11.2.10-h6, < 11.2.12 | >= 11.2.4-h17 (ETA: 05/28), >= 11.2.7-h13 (ETA: 05/13), >= 11.2.10-h6 (ETA: 05/13), >= 11.2.12 (ETA: 05/28) |
| PAN-OS 11.1 | < 11.1.4-h33, < 11.1.6-h32, < 11.1.7-h6, < 11.1.10-h25, < 11.1.13-h5, < 11.1.15 | >= 11.1.4-h33 (ETA: 05/13), >= 11.1.6-h32 (ETA: 05/13), >= 11.1.7-h6 (ETA: 05/28), >= 11.1.10-h25 (ETA: 05/13), >= 11.1.13-h5 (ETA: 05/13), >= 11.1.15 (ETA: 05/28) |
| PAN-OS 10.2 | < 10.2.7-h34, < 10.2.10-h36, < 10.2.13-h21, < 10.2.16-h7, < 10.2.18-h6 | >= 10.2.7-h34 (ETA: 05/28), >= 10.2.10-h36 (ETA: 05/13), >= 10.2.13-h21 (ETA: 05/28), >= 10.2.16-h7 (ETA: 05/28), >= 10.2.18-h6 (ETA: 05/13) |
| Prisma Access | None | All |
Mitigations / Workarounds
The highest risk exposure exists when the User-ID Authentication Portal is enabled and reachable from the public internet. Palo Alto advises that users running affected versions of PAN-OS either:
- Restrict access to the Captive Portal to trusted zones, referencing their Captive Portal knowledge base article and their Live Community Article.
- Disable the Captive Portal entirely if not required.

Palo Alto Networks released a threat prevention signature to help detect attacks. Administrators should ensure that threat prevention is enabled to help reduce risk.
Patches
At the time of writing, no patches exist for the vulnerable PAN-OS instances. We will update this advisory as patches are released.
Indicators of Compromise
Because this vulnerability provides root access to the networking system that would itself provide the logs indicating compromise, we can’t provide IoCs for users to determine if their system was previously attacked and compromised.
Technical Details
While details on the vulnerability are sparse, Palo Alto has indicated in their report that the attack involves a buffer overflow and out-of-bounds write. CVE-2026-0300 is a flaw that exists within Palo Alto’s User-ID Authentication Portal, also referred to as the Captive Portal service.
Palo Alto has confirmed that the vulnerability is being actively exploited in the wild; however, at the time of writing, no attribution to a specific threat actor or campaign has been publicly released.
The flaw is pre-authentication and reachable by attackers from the network if the Captive Portal is enabled. The highest risk scenario exists if the portal is exposed directly to the internet. When access to the portal is restricted to internal zones, the attack vector narrows to adversaries that must be present on those network segments.
The published advisory from Palo Alto Networks states that successful exploitation of this vulnerability grants the attacker root access on the host. This implies that successful attacks could be used to modify the host to allow attacker control in the future, outside of existing PAN-OS features, including the deletion of logs that would be used to identify that a breach took place.
Given active exploitation in the wild, Beazley Security strongly recommends either disabling the Captive Portal if not required, or restricting access to only trusted networks until patches are made available by Palo Alto.
How Beazley Security is responding
Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.
If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.