
CVE-2026-0300

Published: May 6, 2026 · Updated: May 12, 2026

CVSS v3.1 base score: 9.8

Official Description

A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.

The risk of this issue is greatly reduced if you secure access to the User-ID™ Authentication Portal per the best practice guidelines https://knowledgebase.paloaltonetworks.com/KCSArticleDetail by restricting access to only trusted internal IP addresses.

Prisma Access, Cloud NGFW and Panorama appliances are not impacted by this vulnerability.

Source: NVD

Technical Analysis

CVE-2026-0300 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.

A successful exploit results in a complete confidentiality breach (data exposure), full integrity compromise (data manipulation) and availability disruption (denial of service), giving a CVSS base score of 9.8.

CISA has added CVE-2026-0300 to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. U.S. federal agencies are required to patch this within the mandated timeframe, and all organizations should treat remediation as urgent.

CVSS v3.1 Vector Breakdown

Exploitability
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Impact
Confidentiality: High
Integrity: High
Availability: High

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Vendors & Products

Palo Alto Networks (48 products): pan-os, pa-1410, pa-1420, pa-3410, pa-3420, pa-3430, pa-3440, pa-410, pa-410r, pa-410r-5g, pa-415, pa-415-5g, +36 more

Siemens (2 products): ruggedcom ape1808 firmware, ruggedcom ape1808

Source: NVD CPE · 100 total CPE entries

Exploit & PoC Resources

Active exploitation: confirmed exploitation in the wild.

Official Patches & Advisories

News & Research Mentioning CVE-2026-0300

Siemens RUGGEDCOM APE1808 Devices
CISA Alerts · May 19, 2026

A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets. Siemens is preparing fix versions and recommends countermeasures for products where fixes are not, or not yet, available. Customers are advised to consult and implement the workarounds provided in Palo Alto Networks' upstream security notifications. [1] https://security.paloaltonetworks.com/ The following versions of Siemens RUGGEDCOM APE1808 Devices are affected: RUGGEDCOM APE1808 vers:all/* (CVE-2026-0300) CVSS Vendor Equipment Vulnerabili

PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage
The Hacker News · May 7, 2026

Palo Alto Networks has disclosed that threat actors may have attempted to unsuccessfully exploit a recently disclosed critical security flaw as early as April 9, 2026. The vulnerability in question is CVE-2026-0300 (CVSS score: 9.3/8.7), a buffer overflow vulnerability in the User-ID Authentication Portal service of Palo Alto Networks PAN-OS software that could allow an unauthenticated attacker

Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution
Palo Alto Unit 42 · May 6, 2026

Unit 42 details CVE-2026-0300, a buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal. Read now for details. The post Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution appeared first on Unit 42.

Palo Alto warns of critical software bug used in firewall attacks
The Record · May 6, 2026

A patch for the bug, tracked as CVE-2026-0300, has not been published yet and Palo Alto Networks said it will be included in releases over the next two weeks.

CISA Adds One Known Exploited Vulnerability to Catalog
CISA Alerts · May 6, 2026

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2026-0300 Palo Alto Networks PAN-OS Out-of-bounds Write Vulnerability. This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks again

Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution
The Hacker News · May 6, 2026

Palo Alto Networks has released an advisory warning that a critical buffer overflow vulnerability in its PAN-OS software has been exploited in the wild. The vulnerability, tracked as CVE-2026-0300, has been described as a case of unauthenticated remote code execution. It carries a CVSS score of 9.3 if the User-ID Authentication Portal is configured to enable access from the internet or any

Palo Alto Networks to Patch Zero-Day Exploited to Hack Firewalls
SecurityWeek · May 6, 2026

CVE-2026-0300 affects the Captive Portal service of PAN-OS software on PA and VM series firewalls. The post Palo Alto Networks to Patch Zero-Day Exploited to Hack Firewalls appeared first on SecurityWeek.

Quick Facts

CVE ID: CVE-2026-0300
CVSS Score: 9.8 / 10
Severity: CRITICAL
CISA KEV: Yes (active exploitation)
Exploit: In the wild
Affected: 2 vendors
Published: May 6, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-0300 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
  • CISA KEV: federal agencies must patch per the BOD 22-01 timeline
  • Active exploitation confirmed; treat as P1
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.