
PAN-OS Zero-Day Vulnerability CVE-2026-0300 Exploited in the Wild – Critical RCE Risk

Last updated: 2026-05-13 13:22:13 · Cybersecurity

Urgent Advisory: Critical PAN-OS Buffer Overflow Flaw Under Active Exploitation

Unit 42 researchers have confirmed active exploitation of a zero-day vulnerability in Palo Alto Networks PAN-OS, designated CVE-2026-0300. The flaw resides in the User-ID Authentication Portal (captive portal) and allows unauthenticated remote code execution (RCE) on affected firewalls.

Source: unit42.paloaltonetworks.com

Attackers are leveraging the vulnerability to gain full control over vulnerable systems, Unit 42 reported in a threat brief released today. Organizations running PAN-OS with the captive portal feature enabled are urged to apply patches immediately.

Technical Details: Buffer Overflow in Authentication Portal

CVE-2026-0300 is a buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal component. It requires no authentication and can be triggered remotely via specially crafted network packets.

“This is a classic buffer overflow that allows an attacker to overwrite memory and execute arbitrary code,” said a Unit 42 researcher speaking on background. “We have observed multiple exploitation attempts in the last 48 hours.”

Background: PAN-OS Captive Portal

The PAN-OS captive portal is used for user authentication before granting network access. It is commonly deployed in enterprise environments for guest Wi-Fi and BYOD policies.

Because the portal runs as a service on the firewall’s management plane, successful exploitation could give attackers complete administrative control. Unit 42 noted that the vulnerability does not require any prior access to the internal network.

What This Means for Organizations

Any organization running PAN-OS with the captive portal enabled is at immediate risk. Because the flaw is triggered before authentication, it can be exploited from any network that can reach the portal, including the internet when the portal is exposed there, so an external attacker can compromise the firewall without first touching any internal system.

“This is a critical severity issue with a CVSS score of 9.8,” the Unit 42 team emphasized. “If you are running an affected version, assume compromise and treat it as a full breach.”

Unit 42 recommends immediate patching and reviewing firewall logs for signs of unauthorized access. Organizations should also ensure the captive portal is not exposed to untrusted networks unless absolutely necessary.

Affected Versions and Patches

Palo Alto Networks has released hotfixes for PAN-OS versions 10.2, 11.0, and 11.1. The complete list of affected versions is available in the official security advisory.

Unit 42 urges administrators to apply the updates as soon as possible. For systems that cannot be patched immediately, they recommend disabling the captive portal or restricting access to it with IP allow-lists. An allow-list only narrows which hosts can reach the vulnerable service; because the flaw needs no authentication, any host that can still reach the portal can exploit it, so treat the allow-list as a stopgap until the hotfix is installed.
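As an added example (not Palo Alto Networks or Unit 42 code), the following Python script shows the triage logic an operator would run across a firewall inventory: parse PAN-OS version strings, including the "-hN" hotfix suffix, compare each device against the first fixed version for its release train, and combine the result with whether the captive portal is enabled. The fixed versions in EXAMPLE_FIXED and the inventory entries are made up to exercise the comparison; take the real fixed versions from the official advisory for CVE-2026-0300.

```python
"""Triage installed PAN-OS versions against a fixed-version table.

Added example for this article, not Palo Alto Networks code. The fixed
versions in EXAMPLE_FIXED are made up to exercise the comparison logic:
replace them with the versions listed in the vendor advisory for CVE-2026-0300.
"""
import re
from typing import Dict, Tuple

# Accepts the common PAN-OS forms "11.1.4" and "11.1.4-h7" (hotfix suffix).
# Assumption: other suffixes (e.g. custom builds) are rejected rather than guessed.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

# Made-up placeholders keyed by release train; NOT the real fixed versions.
EXAMPLE_FIXED: Dict[str, str] = {
    "10.2": "10.2.9-h3",
    "11.0": "11.0.5-h2",
    "11.1": "11.1.3-h1",
}


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, maint, hotfix); a missing hotfix counts as 0,
    so "11.1.3" sorts below "11.1.3-h1"."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def release_train(text: str) -> str:
    """Release train is the first two components, e.g. "11.1" for "11.1.4-h7"."""
    major, minor, _, _ = parse_version(text)
    return f"{major}.{minor}"


def triage(installed: str, portal_enabled: bool,
           fixed: Dict[str, str] = EXAMPLE_FIXED) -> str:
    """Classify one firewall.

    PATCH_NOW     below the fix and the authentication portal is on (exposed)
    PATCH         below the fix but the portal is off (not reachable, still patch)
    FIXED         at or above the first fixed version for its train
    UNKNOWN_TRAIN train not in the table: check the advisory by hand
    """
    train = release_train(installed)
    if train not in fixed:
        return "UNKNOWN_TRAIN"
    if parse_version(installed) >= parse_version(fixed[train]):
        return "FIXED"
    return "PATCH_NOW" if portal_enabled else "PATCH"


if __name__ == "__main__":
    # Constructed inventory: (hostname, installed version, portal enabled?)
    inventory = [
        ("fw-edge-1", "11.1.2", True),
        ("fw-edge-2", "11.1.3-h1", True),
        ("fw-lab", "10.2.7", False),
        ("fw-new", "11.2.0", True),
    ]
    for host, version, portal in inventory:
        print(f"{host:10} {version:12} {triage(version, portal)}")
```

The hotfix component is compared as a fourth integer so that a base release (hotfix 0) sorts below its own "-h1" hotfix; comparing the strings lexically would get "10.2.10" and "10.2.9" the wrong way round. Trains missing from the table are reported rather than silently treated as safe.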

Indicators of Compromise

Researchers have observed exploit attempts originating from multiple IP addresses associated with known threat actor groups. Affected systems may show unexpected process crashes, memory corruption logs, or unauthorized configuration changes.

Unit 42 has published indicators of compromise (IOCs) in their full threat brief. Security teams should monitor for anomalous outbound connections from firewall management interfaces.
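The three log-review checks above (unauthorized configuration changes, process crashes, and unexpected outbound connections from the management interface) as an added example, not Unit 42 or Palo Alto Networks code. The CSV layout, the management address 192.0.2.10, the admin network 10.0.0.0/8 and every log line are constructed for illustration; the real PAN-OS config, system and traffic logs use a different schema, but the same three checks map onto them.

```python
"""Scan constructed firewall log lines for the post-exploitation signs the
article lists: configuration changes from unexpected sources, process crashes,
and outbound connections from the management interface.

Added example, not Unit 42 or Palo Alto Networks code. The CSV layout below is
a simplified, constructed format for illustration, not the PAN-OS syslog schema.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed sample log (addresses from documentation ranges). Columns:
# time,type,src_ip,dst_ip,dst_port,admin,message
SAMPLE_LOG = """\
time,type,src_ip,dst_ip,dst_port,admin,message
2026-05-13T09:01:12Z,CONFIG,10.0.0.5,,,alice,commit: edit authentication-portal settings
2026-05-13T09:02:40Z,SYSTEM,,,,,authd: process restarted after segfault
2026-05-13T09:03:05Z,TRAFFIC,192.0.2.10,203.0.113.77,443,,session start
2026-05-13T09:03:09Z,CONFIG,198.51.100.23,,,admin,add administrator account backup-svc
2026-05-13T09:04:00Z,TRAFFIC,192.0.2.10,10.0.0.9,443,,session start
2026-05-13T09:05:00Z,TRAFFIC,10.1.1.50,93.184.216.34,443,,session start
"""

# Substrings in system-log messages that point at a crashed or corrupted process.
CRASH_MARKERS = ("segfault", "core dumped", "crash", "signal 11", "memory corruption")


@dataclass
class Finding:
    time: str
    kind: str      # "config-change" | "process-crash" | "mgmt-egress"
    detail: str


def _in_nets(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def review(log_text: str, mgmt_ip: str, admin_nets: List[str],
           allowed_mgmt_dst_nets: List[str]) -> List[Finding]:
    """Return findings, in log order, for lines matching one of the three checks.

    admin_nets            networks administrators are expected to change config from
    allowed_mgmt_dst_nets destinations the management interface may legitimately
                          reach (update servers, SIEM, internal management hosts)
    """
    admin = [ipaddress.ip_network(n) for n in admin_nets]
    allowed = [ipaddress.ip_network(n) for n in allowed_mgmt_dst_nets]
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        kind = row["type"]
        if kind == "CONFIG":
            # A change from outside the admin networks (or with no source at all)
            # is the "unauthorized configuration change" the article warns about.
            if not row["src_ip"] or not _in_nets(row["src_ip"], admin):
                who = row["admin"] or "?"
                src = row["src_ip"] or "unknown"
                findings.append(Finding(row["time"], "config-change",
                                        f"{who} from {src}: {row['message']}"))
        elif kind == "SYSTEM":
            msg = row["message"].lower()
            if any(marker in msg for marker in CRASH_MARKERS):
                findings.append(Finding(row["time"], "process-crash", row["message"]))
        elif kind == "TRAFFIC":
            # Egress sourced from the management IP to somewhere outside the
            # allow-list is the "anomalous outbound connection" to chase first.
            if row["src_ip"] == mgmt_ip and not _in_nets(row["dst_ip"], allowed):
                findings.append(Finding(row["time"], "mgmt-egress",
                                        f"{mgmt_ip} -> {row['dst_ip']}:{row['dst_port']}"))
    return findings


def demo() -> List[Finding]:
    """Run the checks over SAMPLE_LOG with a constructed policy."""
    return review(SAMPLE_LOG, mgmt_ip="192.0.2.10",
                  admin_nets=["10.0.0.0/8"], allowed_mgmt_dst_nets=["10.0.0.0/8"])


if __name__ == "__main__":
    for f in demo():
        print(f"{f.time}  {f.kind:14}  {f.detail}")
```

On the sample data the script flags the authd crash, the management interface talking to 203.0.113.77, and the administrator account added from 198.51.100.23, while leaving alice's commit from the admin network and the management interface's connection to an internal host alone. Tune the two network lists to your environment before trusting the quiet result; an empty allow-list would flag every management connection, and an overly broad one would hide the egress the article tells you to look for.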

Conclusion: Act Now

This zero-day represents a significant threat to network security infrastructure. With active exploitation confirmed, every hour of delay increases the risk of a breach.

“Do not wait for a scheduled maintenance window,” the Unit 42 researcher warned. “Treat this as an emergency and patch immediately. The window for proactive defense is closing.”

For continuous updates, follow Unit 42’s threat intelligence feed.