CVE-2026-0300: Critical PAN-OS Captive Portal Buffer Overflow Under Active Exploitation — Root RCE Confirmed
A critical unauthenticated remote code execution vulnerability in Palo Alto Networks PAN-OS has been catalogued under CVE-2026-0300, with active exploitation already confirmed in the wild. The flaw resides in the PAN-OS User-ID Authentication Portal (commonly referred to as Captive Portal) and stems from a buffer overflow weakness (CWE-787, Out-of-bounds Write). Security researchers have assigned the vulnerability a CVSS score of 9.3 (Critical), reflecting the possibility of complete system compromise without any authentication or user interaction.
The vulnerability affects multiple PAN-OS versions—specifically 10.2, 11.1, 11.2, and 12.1—when Captive Portal is exposed to untrusted networks. Attackers can send specially crafted packets to the exposed Authentication Portal service to trigger the overflow and execute arbitrary code with root-level privileges. PA-Series and VM-Series firewalls running the affected versions are vulnerable. Notably, Prisma Access, Cloud NGFW, and Panorama deployments are not impacted by this flaw. The exploit is marked as automatable, meaning attackers can reliably script large-scale exploitation campaigns.
Palo Alto Networks has released Threat ID 510019 as an interim mitigation for users running PAN-OS 11.1 and later. The primary recommended response is to restrict Authentication Portal access to trusted IP addresses only, eliminating exposure to external attackers. The vulnerability has been added to CISA's Known Exploited Vulnerabilities catalog with a remediation deadline of May 9, 2026. Organizations running vulnerable PAN-OS versions should treat this as an emergency patching priority given confirmed in-the-wild attacks.