Overview
- Palo Alto Networks, which disclosed the flaw Wednesday, said attackers are exploiting it in limited attacks against authentication portals exposed to the internet.
- The bug, tracked as CVE-2026-0300, is a buffer overflow in the User-ID Authentication Portal (formerly called Captive Portal) that lets an unauthenticated remote attacker execute code as root on PA-Series and VM-Series firewalls.
- Only PA-Series and VM-Series firewalls that have the Authentication Portal enabled are affected; Prisma Access, Cloud NGFW, and Panorama appliances are not.
- Until patches arrive, the company urges admins to restrict the portal to trusted internal IP addresses or disable it entirely; both settings live under Device > User Identification > Authentication Portal Settings.
- Fixed releases begin May 13, with further releases expected around May 28. Two data points underscore the urgency: CISA has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, and Shadowserver counts more than 5,800 VM-Series firewalls reachable from the public internet.
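The interim mitigation above only helps if the portal is actually unreachable from untrusted networks, so a practitioner will want to verify it rather than trust the GUI change. The following script is an added example written for this page; it is not code from the article or from Palo Alto Networks. It assumes the Authentication Portal listens on TCP 6080, 6081 and 6082 (the ports PAN-OS documentation associates with redirect and transparent modes; confirm against your own deployment), and it assumes you run it from a vantage point that should NOT be able to reach the portal, such as a host outside the corporate network.

```python
"""Exposure check for the PAN-OS Authentication Portal (added example, not
from the article or from Palo Alto Networks)."""
import socket
from typing import Dict, Iterable, List

# ASSUMPTION: PAN-OS documents these listener ports for the Authentication
# (formerly Captive) Portal: 6080 (redirect, HTTP), 6081 (transparent) and
# 6082 (redirect, HTTPS). Verify against your own deployment before relying
# on them.
PORTAL_PORTS = (6080, 6081, 6082)


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout.
    Any socket error (refused, filtered, timeout) counts as closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_hosts(hosts: Iterable[str], ports=PORTAL_PORTS,
                timeout: float = 2.0) -> Dict[str, List[int]]:
    """Map each host to the list of portal ports that accept connections."""
    return {h: [p for p in ports if tcp_open(h, p, timeout)] for h in hosts}


def assess(results: Dict[str, List[int]],
           vantage_trusted: bool) -> Dict[str, str]:
    """Classify each host from probe results.

    vantage_trusted=False means the probe ran from a network that the
    interim mitigation (restrict to trusted IPs, or disable the portal)
    should block. An open portal port from there means the mitigation is
    not in effect for that firewall. From a trusted network an open port
    is expected, so it is reported but not flagged as exposure.
    """
    verdicts: Dict[str, str] = {}
    for host, open_ports in results.items():
        if not open_ports:
            verdicts[host] = "closed"
        elif vantage_trusted:
            verdicts[host] = "open-from-trusted-network"
        else:
            verdicts[host] = "EXPOSED"
    return verdicts


if __name__ == "__main__":
    # Constructed target list: loopback, so the script runs offline.
    # Replace with the public addresses of your firewalls' portal interfaces
    # and run from outside the trusted network.
    targets = ["127.0.0.1"]
    print(assess(probe_hosts(targets, timeout=0.5), vantage_trusted=False))
```

A "closed" verdict from an untrusted vantage is necessary but not sufficient: a portal that is still enabled and merely filtered by an upstream ACL remains one misconfiguration away from exposure, so the disable option is the stronger interim choice until the fixed release is installed.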