Overview
- Palo Alto’s CVE-2026-0300 was added to CISA’s Known Exploited Vulnerabilities catalog Wednesday, and agencies were told to remediate by Saturday, May 9.
- A buffer overflow in the User-ID Authentication Portal lets unauthenticated attackers run code as root on PA-Series and VM-Series firewalls, a flaw rated 9.3 in severity when the portal is internet-exposed.
- Palo Alto said exploitation remains limited and targets portals reachable from the public internet or untrusted IPs, and it urged admins to restrict access or disable the feature until fixes land.
- The company plans two patch waves, with initial PAN-OS updates due Wednesday, May 13, and a second round expected near May 28.
- Palo Alto’s Unit 42 observed attempts beginning April 9 that led to a successful breach a week later, and Shadowserver now sees over 5,400 VM-Series devices exposed online, a level that could invite broader abuse.