TechRadar
Sead Fadilpašić

Palo Alto warns of critical firewall flaw, tells users a patch is on the way

  • A critical buffer overflow flaw (CVE-2026-0300) in PAN-OS User-ID Authentication Portal is under limited exploitation
  • The bug allows unauthenticated code execution with root privileges on exposed firewalls
  • Palo Alto advised restricting portals to trusted networks; fixes are due May 13, 2026

PAN-OS User-ID Authentication Portal, a feature in Palo Alto Networks firewalls that identifies and authenticates users on a network, contains a critical-severity zero-day vulnerability which is being exploited in limited attacks, the company has warned.

The bug is described as a buffer overflow weakness that allows unauthenticated threat actors to run arbitrary code with root privileges on PA-Series and VM-Series firewalls via specially crafted packets.

It is tracked as CVE-2026-0300 and was given a severity score of 9.3/10 (critical). It only works against endpoints that are exposed to the public internet.

Guidance and patches

"Limited exploitation has been observed targeting Palo Alto Networks User-ID™ Authentication Portals that are exposed to untrusted IP addresses and/or the public internet," Palo Alto explained in a security advisory.

"Customers following standard security best practices, such as restricting sensitive portals to trusted internal networks are at a greatly reduced risk."

In a further statement shared with BleepingComputer, the company said the vulnerability was specific to a "limited number" of customers with their Authentication Portals exposed to the public internet, or untrusted IP addresses. "We have observed limited exploitation of this issue and are working to release software fixes, with the first updates expected to be available on May 13, 2026," the company told the publication.

"We have provided clear mitigation guidance to our customers to secure their environments immediately. This issue does not impact Cloud NGFW or Panorama appliances."

Users who are unsure whether they are exposed can check from the Settings page if their firewalls are configured to use the vulnerable service, by navigating to Device > User Identification > Authentication Portal Settings > Enable Authentication Portal. Access to the portal should be restricted to trusted zones only, or disabled if possible, Palo Alto advised.

According to Shadowserver data, there are currently 5,800 PAN-OS VM-series firewalls exposed online. The majority are located in Asia (2,466), with a significant minority in North America (1,988).
