Critical Unauthenticated RCE in Palo Alto Networks PAN‑OS (CVE‑2026‑0300) Threatens Siemens RUGGEDCOM APE1808 Devices
What It Is — A buffer overflow in the User‑ID Authentication Portal (Captive Portal) of PAN‑OS permits an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. The flaw is tracked as CVE‑2026‑0300 and carries a CVSS v3.1 base score of 10.0 (Critical).
Exploitability — Publicly disclosed; proof‑of‑concept packets have been published in Palo Alto’s security advisory. No ransomware campaign has been confirmed, but the vulnerability is exploitable in the wild against any unpatched PA‑Series or VM‑Series firewall that terminates traffic for the Siemens device.
Affected Products — Siemens RUGGEDCOM APE1808 devices (all firmware versions) that embed PAN‑OS, and Palo Alto Networks PA‑Series and VM‑Series firewalls running vulnerable PAN‑OS releases.
TPRM Impact — The devices are deployed in critical manufacturing and other industrial control environments worldwide. A successful exploit grants full control of the firewall, enabling lateral movement, data exfiltration, or sabotage of downstream OT systems—representing a high‑severity supply‑chain risk for any organization that trusts Siemens as a network‑infrastructure provider.
Recommended Actions —
- Identify the PAN‑OS version on every Siemens RUGGEDCOM APE1808 unit.
- Apply Siemens‑provided interim workarounds (e.g., disable the User‑ID Captive Portal) until a patched PAN‑OS release is available.
- Prioritize deployment of the forthcoming Siemens fix versions as soon as they are released.
- Conduct a rapid risk assessment of downstream OT assets protected by the affected firewalls and consider temporary network segmentation.
- Continuously monitor CISA and Palo Alto Networks advisories for updated indicators of compromise.
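For the first action, one way to build the version inventory, shown as an added example (not code from CISA, Siemens or Palo Alto Networks). It assumes each unit's reply to the PAN-OS `show system info` operational command has already been saved; the asset tags and sample replies are constructed, and units whose reply cannot be read are listed separately rather than treated as checked.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample data: replies to the PAN-OS operational command
# <show><system><info></info></system></show>, keyed by hypothetical asset
# tags. Hostnames and version strings are made up for illustration.
_OK = ('<response status="success"><result><system><hostname>{h}</hostname>'
       '<model>PA-VM</model><sw-version>{v}</sw-version></system></result>'
       '</response>')
SAMPLE_RESPONSES = {
    "ape1808-plant-a": _OK.format(h="fw-plant-a", v="11.1.2"),
    "ape1808-plant-b": _OK.format(h="fw-plant-b", v="10.2.7-h1"),
    "ape1808-plant-c": _OK.format(h="fw-plant-c", v="11.1.2"),
    "ape1808-plant-d": '<response status="error" code="403"><result>'
                       '<msg>Invalid Credential</msg></result></response>',
    "ape1808-plant-e": "<html>502 Bad Gateway",  # proxy error, not XML
}


def parse_system_info(xml_text):
    """Return (info, None) on success or (None, reason) if unusable."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return None, f"unparseable response ({exc})"
    if root.tag != "response" or root.get("status") != "success":
        msg = root.findtext(".//msg") or "no message"
        return None, f"API status {root.get('status')!r}: {msg}"
    system = root.find("./result/system")
    version = system.findtext("sw-version") if system is not None else None
    if not version:
        return None, "no sw-version in response"
    return {"hostname": system.findtext("hostname", "?"),
            "sw_version": version.strip()}, None


def build_inventory(responses):
    """Group assets by PAN-OS version; keep unverified assets visible."""
    by_version, unverified = defaultdict(list), {}
    for asset, xml_text in sorted(responses.items()):
        info, reason = parse_system_info(xml_text)
        if info is None:
            unverified[asset] = reason  # must be re-checked, not assumed safe
        else:
            by_version[info["sw_version"]].append(asset)
    return dict(by_version), unverified


if __name__ == "__main__":
    print(build_inventory(SAMPLE_RESPONSES))
```

The grouped versions can then be compared against the fix versions once Siemens publishes them.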
Source: CISA Advisory – ICSA‑26‑139‑02