A critical security vulnerability in Palo Alto Networks’ PAN-OS software is being actively exploited by threat actors, the company confirmed in an advisory released recently. The flaw, formally identified as CVE-2026-0300, allows unauthenticated remote code execution on affected systems.
Vulnerability Details and Severity
The vulnerability is classified as a buffer overflow issue. According to Palo Alto Networks, it specifically impacts the User-ID Authentication Portal component within the PAN-OS operating system. Successful exploitation could allow an attacker to execute arbitrary code on the targeted firewall device without requiring any prior authentication.
The Common Vulnerability Scoring System (CVSS) base score for CVE-2026-0300 is 9.3 out of a possible 10. This places it in the “critical” severity range, indicating a severe risk to organizational security. The high score reflects both the ease of exploitation and the potential for significant impact on confidentiality, integrity, and availability of affected systems.
Conditional Risk and Exploitation Status
Palo Alto Networks noted that the risk of exploitation is heightened when the User-ID Authentication Portal is configured to allow access from the internet. Organizations that have directly exposed this service to the public internet are at greater immediate risk. At the same time, the advisory explicitly uses the term “exploited in the wild,” confirming that active attacks leveraging this vulnerability have already been detected.
The company did not disclose specific details about the observed attacks or the identity of the threat actors involved. Security researchers generally advise that proof-of-concept code often follows disclosures of critical flaws, increasing the likelihood of attacks against all organizations regardless of configuration.
Impacted Products and Versions
The vulnerability affects multiple versions of PAN-OS. Palo Alto Networks has released software updates to remediate the issue. Organizations using PAN-OS are strongly urged to review the advisory from Palo Alto Networks, identify which version of PAN-OS they are running, and apply the necessary security patches immediately.
While the advisory focuses on the firewall operating system, the company stated that other Palo Alto Networks products such as Prisma Access, Cloud NGFW, and Cortex XSIAM are not affected by CVE-2026-0300.
Recommended Actions for Administrators
Security teams are advised to act promptly. The primary recommendation is to update the PAN-OS software to the fixed versions listed in the advisory. Organizations unable to apply the patch immediately should restrict access to the User-ID Authentication Portal from untrusted networks, specifically blocking access from the internet unless business-critical requirements dictate otherwise.
Palo Alto Networks has also provided guidance on using Threat Prevention signatures to detect and block attempted exploits. Organizations should ensure their security platforms are updated with the latest content and signatures to mitigate active attack attempts.
This development echoes past incidents involving critical PAN-OS vulnerabilities, which have historically been targeted by ransomware groups and state-sponsored actors. The active exploitation status of CVE-2026-0300 makes mitigation a particularly urgent priority.
Looking Ahead
Palo Alto Networks has stated it will continue to monitor the situation and may update its advisory as more information becomes available. Given the active exploitation and the critical severity rating, system administrators should prioritize patching as the primary remediation step. Organizations are advised to audit their firewall configurations, particularly any public exposure of the User-ID Authentication Portal, and apply the security updates as soon as possible to close the window of opportunity for attackers.
Source: Delimiter