VULNERABILITY BRIEF · 🟠 High Vulnerability

Critical Remote Code Execution Vulnerability in Palo Alto Networks PAN‑OS Authentication Portal (CVE‑2026‑0300) Threatens Enterprise Firewalls

A buffer‑overflow flaw (CVE‑2026‑0300) in Palo Alto Networks PAN‑OS Authentication Portal enables unauthenticated attackers to execute arbitrary code with root privileges on firewalls. Exploitation has been observed on portals exposed to the internet, putting all organizations that rely on these firewalls at heightened risk. Immediate mitigations are required while a patch is pending.

LiveThreat™ Intelligence · 📅 May 07, 2026· 📰 cisecurity.org
Severity: High
Type: Vulnerability
Confidence: High
Affected: 5 sector(s)
Actions: 4 recommended
Source: cisecurity.org

What Happened — A buffer‑overflow flaw (CVE‑2026‑0300) in the PAN‑OS Authentication (Captive) Portal allows an unauthenticated attacker to send crafted packets that execute arbitrary code with root privileges on PA‑Series and VM‑Series firewalls. Limited exploitation has already been observed against portals exposed to untrusted networks.

Why It Matters for TPRM

  • Firewalls are core security controls for most third‑party vendors; a compromise can cascade to downstream customers.
  • The vulnerability affects multiple PAN‑OS versions still in widespread production, increasing exposure across sectors.
  • No patch is available yet; organizations must rely on mitigations that may be overlooked in vendor contracts.

Who Is Affected

  • All industries that deploy Palo Alto Networks next‑generation firewalls (government, finance, healthcare, retail, etc.).
  • Managed Security Service Providers (MSSPs) and cloud‑hosted environments that expose the User‑ID Authentication Portal to the internet.

Recommended Actions

  • Verify that the User‑ID Authentication Portal is restricted to trusted internal zones or disabled if not required.
  • Review vendor contracts for firewall management clauses and ensure the provider follows the recommended workaround.
  • Prioritize patch deployment once Palo Alto releases the fix (expected 2026‑05‑13).
  • Conduct a rapid risk assessment of any exposed portals in your environment and update network segmentation policies.

Technical Notes — The flaw resides in the Authentication Portal service of PAN‑OS series 10.2 through 12.1 (multiple sub‑versions). Exploitation abuses a buffer overflow in a public‑facing application (MITRE ATT&CK T1190) to gain root on the appliance. No patch for the CVE is available yet; Palo Alto recommends restricting portal access or disabling the service as a temporary mitigation. Source: CIS Advisories

📰 Original Source
https://www.cisecurity.org/advisory/a-vulnerability-in-pan-os-could-allow-for-remote-code-execution_2026-043

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
