A Palo Alto PAN-OS buffer overflow vulnerability (CVE-2026-0300) has been disclosed, affecting the User-ID Authentication Portal (also known as the Captive Portal) on PA-Series and VM-Series firewalls. The flaw allows an unauthenticated remote attacker to execute arbitrary code with root privileges via specially crafted packets sent to the User-ID Authentication Portal service. No patches are currently available, and Palo Alto Networks reports limited in-the-wild exploitation.
This disclosure triggered our AI-Driven Rapid Reaction capability, allowing watchTowr clients to determine their exposure as the news broke and giving security teams the time they need to respond.
If you need urgent help assessing exposure to the Palo Alto PAN-OS buffer overflow vulnerability, contact watchTowr.
What Is the Palo Alto PAN-OS User-ID Authentication Portal?
The User-ID Authentication Portal, commonly referred to as the Captive Portal, is a feature of Palo Alto Networks PAN-OS, deployed on PA-Series hardware firewalls and VM-Series virtual firewalls. It identifies users on the network for security policy enforcement by prompting unauthenticated traffic for credentials.
What Is the PAN-OS Buffer Overflow Vulnerability?
The Palo Alto PAN-OS User-ID Authentication Portal buffer overflow vulnerability (CVE-2026-0300) is an unauthenticated remote vulnerability in the portal service. An attacker can trigger the overflow by sending specially crafted packets to the User-ID Authentication Portal, leading to arbitrary code execution with root privileges on the affected firewall.
With root-level code execution on the firewall, an attacker may be able to inspect or modify traffic, weaken or bypass enforcement of security policy, establish persistence on the appliance, and pivot toward internal networks the firewall is responsible for protecting.
Affected and Unaffected Palo Alto Products
| Product | Status |
|---|---|
| PA-Series firewalls (PAN-OS) | Affected (refer to vendor advisory) |
| VM-Series firewalls (PAN-OS) | Affected (refer to vendor advisory) |
| Prisma Access | Not affected |
| Cloud NGFW | Not affected |
| Panorama | Not affected |
How To Mitigate the PAN-OS Buffer Overflow
- Identify all PAN-OS PA-Series and VM-Series firewalls in the environment that have the User-ID Authentication Portal (Captive Portal) feature enabled.
- Restrict access to the User-ID Authentication Portal so it is reachable only from trusted internal IP addresses, per Palo Alto’s interim guidance. This significantly reduces exposure while a patch is unavailable.
- Monitor firewall logs for anomalous traffic directed at the User-ID Authentication Portal, including malformed packets, unexpected source addresses, and unusual session patterns.
- Track the Palo Alto security advisory for CVE-2026-0300 for patch availability and apply fixed versions as soon as they are released.
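One way to check the access restriction and the log monitoring from the list above against exported session logs, as an added example that is not watchTowr's or Palo Alto's tooling: it reports allowed sessions to the portal from sources outside the trusted ranges and counts sessions per source. The CSV column layout, addresses, port and threshold are all assumptions to replace with your own.

```python
import csv
import io
import ipaddress
from collections import Counter

# Assumed values, not from the advisory: replace with your environment's own.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.50.0/24")]
PORTAL_ADDR = ipaddress.ip_address("10.20.0.1")  # interface serving the portal
PORTAL_PORTS = {6082}       # placeholder: the port(s) your portal listens on
BURST_THRESHOLD = 3         # sessions from one source before it is reported

# Constructed sample export, hypothetical columns: time,src,dst,dport,action
SAMPLE_LOG = """\
2026-01-01T10:00:01Z,10.1.4.22,10.20.0.1,6082,allow
2026-01-01T10:00:05Z,203.0.113.45,10.20.0.1,6082,allow
2026-01-01T10:00:06Z,203.0.113.45,10.20.0.1,6082,allow
2026-01-01T10:00:07Z,203.0.113.45,10.20.0.1,6082,allow
2026-01-01T10:00:09Z,198.51.100.7,10.20.0.1,6082,deny
2026-01-01T10:00:10Z,10.1.4.22,10.20.0.1,443,allow
2026-01-01T10:00:12Z,not-an-ip,10.20.0.1,6082,allow
"""

def review_portal_sessions(log_text):
    """Return (untrusted, bursts, malformed) for sessions aimed at the portal."""
    untrusted, per_source, malformed = [], Counter(), []
    for row in csv.reader(io.StringIO(log_text)):
        if not row:
            continue
        try:
            ts, src, dst, dport, action = row
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            malformed.append(row)  # unparseable rows are kept for manual review
            continue
        if dst_ip != PORTAL_ADDR or port not in PORTAL_PORTS:
            continue  # not portal traffic
        per_source[str(src_ip)] += 1
        # Allowed from outside the trusted ranges: restriction missing or incomplete.
        if action == "allow" and not any(src_ip in net for net in TRUSTED_NETS):
            untrusted.append((ts, str(src_ip)))
    bursts = {ip: n for ip, n in per_source.items() if n >= BURST_THRESHOLD}
    return untrusted, bursts, malformed

if __name__ == "__main__":
    untrusted, bursts, malformed = review_portal_sessions(SAMPLE_LOG)
    print(untrusted, bursts, malformed, sep="\n")
```

An empty first list after the restriction is applied indicates that only trusted ranges are still being allowed through to the portal; denied rows from outside sources show the restriction doing its job.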
Patched PAN-OS Versions
At the time of writing, no patched versions of PAN-OS are available for CVE-2026-0300. Refer to the Palo Alto security advisory for the latest patch information.
How watchTowr Helps Respond to the Palo Alto PAN-OS Vulnerability
The watchTowr Platform delivers Preemptive Exposure Management, identifying, validating, and tracking external exposure across enterprise environments.
- watchTowr Instinct: prioritized the PAN-OS User-ID Authentication Portal buffer overflow vulnerability when disclosed.
- Adversary Sight engine: identified PAN-OS PA-Series and VM-Series instances across watchTowr client environments.
- AI-Driven Rapid Reaction: was leveraged across the watchTowr client base to identify exposure to this vulnerability and give teams the time they need to act.
When exploitation begins before patches exist, watchTowr delivers what no one else can: time to respond.
Request a demo to see how Rapid Reaction supports organizations responding to emerging threats like CVE-2026-0300, the Palo Alto PAN-OS User-ID Authentication Portal buffer overflow vulnerability.