InfoSecBulletin Cybersecurity for mankind
Palo Alto Networks is fixing a serious PAN-OS zero-day flaw that was used to hack some of its firewall. Tracked as CVE-2026-0300, this issue is a buffer overflow that affects the User-ID Authentication Portal (Captive Portal) service of PAN-OS software.
“Limited exploitation has been observed targeting Palo Alto Networks User-ID Authentication Portals that are exposed to untrusted IP addresses and/or the public internet,” Palo Alto Networks said in an advisory.
OpenAI unveils its first custom chip, Named Jalapeño
Bajaj Auto System Hit by a Ransomware Attack
Cisco Unified CM flaw CVE-2026-20230 exploited in attacks
LastPass says hackers stole customer data via Klue, supply chain breach
New Apple Exploit Bypasses Boot Defenses, Possibly Affects Millions of iPhones Worldwide
India’s Tata Electronics hit by cyber breach: Hacker target 630 GB record
Anthropic’s Mythos reportedly broke NSA classified systems in hours
OpenAI New Method “Deployment Simulation” Predicts AI Risks Before Deployment
AryStinger botnet infected thousands of D-Link routers globally
Hacker suspected of sending alerts across Brazil
Shadowserver is currently watching more than 5,800 PAN-OS VM-series firewalls that are visible online. Many of these are in Asia (2,466) and North America (1,998).
The company has also flagged the vulnerability as the highest possible severity and says that admins can quickly check whether their firewalls are configured to use the vulnerable service from the User-ID Authentication Portal Settings page, found under Device > User Identification > Authentication Portal Settings -> Enable Authentication Portal.
No other details have been given about the attacks using CVE-2026-0300, but little use usually means that a weakness has been used in targeted attacks by skilled threat actors, often supported by states.
The vendor plans to give out the first set of updates on May 13, with another set of fixes expected on May 28.
Palo Alto said the problem only impacts PA and VM series firewalls set up to use the User-ID Authentication Portal. Allowing access to the portal only for trusted internal IPs greatly lowers the chance of exploitation.
Affected Products
The vulnerability impacts multiple PAN-OS versions across PA-Series and VM-Series firewalls. Affected branches include:
PAN-OS 10.2 : versions below 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6
PAN-OS 11.1: versions below 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15
PAN-OS 11.2: versions below 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, and 11.2.12
PAN-OS 12.1: versions below 12.1.4-h5 and 12.1.7
According to Palo Alto Networks, Prisma Access, Cloud NGFW, and Panorama appliances are not affected by CVE-2026-0300.
Palo Alto firewalls are popular with enterprise and government, making them key targets for hackers.
