CVE-2026-0300: enterprise firewalls are being compromised right now (and there is no patch yet!)
A critical zero-day vulnerability in PAN-OS is being actively exploited in the wild. CISA added CVE-2026-0300 to its KEV catalog on May 6 with a three-day remediation deadline for federal agencies, and no patch exists until May 13 at the earliest. For security teams running PA-Series or VM-Series firewalls with the User-ID Authentication Portal enabled, this is an active incident — not a scheduled patching task.
The vulnerability carries a CVSS 4.0 score of 9.3. It allows an unauthenticated attacker to gain root-level code execution on an affected firewall by sending specially crafted packets — no credentials, no user interaction, no special conditions beyond the portal being reachable from an untrusted network. The affected platform is deployed by more than 70,000 organizations worldwide, including 90% of Fortune 10 companies and most of the largest US banks, which is precisely why state-sponsored actors moved on this within days of disclosure.
What the vulnerability actually does
CVE-2026-0300 is a buffer overflow classified as CWE-787 in the User-ID Authentication Portal service of PAN-OS. An unauthenticated remote attacker sends specially crafted packets to a device with the portal enabled, triggering an out-of-bounds write condition that yields arbitrary code execution with root privileges. Once in, the attacker has full control of the firewall — its configuration, its traffic visibility, and every network segment it protects.
When the Authentication Portal is internet-exposed the CVSS score reaches 9.3. When restricted to adjacent networks only, it drops to 8.7, still critical, but the gap illustrates why internet-facing deployments are the immediate priority. Wiz research indicates that 7% of environments have publicly exposed PAN-OS instances, with the exploitable population concentrated on ports 6081 and 6082 where the Authentication Portal runs. These tend to be enterprise environments using the portal for user-identity workflows — exactly the organizations that represent high-value targets for espionage operations.
Compromising a firewall at the perimeter level is categorically different from compromising an endpoint or application. The attacker gains visibility into all network traffic flowing through the device, the ability to modify security policies in real time, and a persistent foothold that survives most internal remediation efforts — because the security device itself becomes the attacker’s instrument.
Affected versions and the patching timeline
No patch is currently available. First fixes land May 13, with further releases around May 28. Affected branches are PAN-OS 10.2, 11.1, 11.2, and 12.1 on PA-Series and VM-Series firewalls with the User-ID Authentication Portal enabled. Prisma Access, Cloud NGFW, and Panorama appliances are not affected.
Until patches arrive, the vendor advisory recommends one of two immediate mitigations: restrict User-ID Authentication Portal access to trusted internal zones only, or disable the portal entirely if it is not required. To check your exposure, navigate to Device > User Identification > Authentication Portal Settings: if the portal is enabled and not restricted to trusted zones, treat this as an emergency remediation priority today. To disable it, uncheck Enable Authentication Portal on the same page. Note that restricting the portal to trusted zones only removes the internet-facing path; an attacker already inside an adjacent network can still reach it (the 8.7 adjacent-network score above), so restriction is a stopgap, not a substitute for the patch.
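The settings page tells you what the firewall thinks its configuration is; the check a practitioner also wants is whether the portal ports actually answer from an untrusted vantage point, and, after the upstream block in the steps below is in place, whether they now time out rather than answer. The following is an added example, not vendor tooling or code from the original post. It probes the two ports the article names (6081 and 6082) with plain TCP connects and classifies each as open, closed (RST) or filtered (no answer, which is what an upstream block should produce). The loopback listener in `demo()` is a stand-in for a reachable portal so the script runs offline; the host list is a hypothetical placeholder.

```python
"""Probe the TCP ports the PAN-OS Authentication Portal listens on from an
untrusted vantage point and classify each as open / closed / filtered.
Added example; run it from OUTSIDE your trusted zones, not from the LAN."""
import socket
from typing import Dict, Iterable, List, Tuple

PORTAL_PORTS = (6081, 6082)  # ports named in the article


def probe_port(host: str, port: int, timeout: float = 2.0) -> str:
    """'open'      : TCP handshake completed, the port is reachable.
       'closed'    : host answered with RST (nothing listening).
       'filtered'  : no answer within the timeout (dropped upstream).
       'unreachable': routing-level error (no route, network down)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"


def check_exposure(hosts: Iterable[str], ports: Iterable[int] = PORTAL_PORTS,
                   timeout: float = 2.0) -> Dict[str, Dict[int, str]]:
    """Probe every (host, port) pair and return {host: {port: state}}."""
    return {h: {p: probe_port(h, p, timeout) for p in ports} for h in hosts}


def exposed(results: Dict[str, Dict[int, str]]) -> List[Tuple[str, int]]:
    """(host, port) pairs where the portal answered; each one is an
    emergency item until the fix is installed."""
    return [(h, p) for h, states in results.items()
            for p, state in states.items() if state == "open"]


def demo() -> Dict[str, Dict[int, str]]:
    """Offline demonstration: an ephemeral loopback listener stands in for a
    reachable portal, and port 1 on loopback stands in for a closed port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    open_port = srv.getsockname()[1]
    try:
        return check_exposure(["127.0.0.1"], ports=(open_port, 1))
    finally:
        srv.close()


if __name__ == "__main__":
    # Hypothetical public addresses of your firewalls' portal interfaces.
    # FIREWALLS = ["198.51.100.10", "198.51.100.11"]
    # results = check_exposure(FIREWALLS)
    results = demo()
    for host, states in results.items():
        for port, state in states.items():
            print(f"{host}:{port} -> {state}")
    print("EXPOSED:", exposed(results))
```

Run it before and after the mitigation: "open" before, "filtered" after an upstream block, "closed" after the portal is disabled. A "closed" or "filtered" result from inside the trusted zone proves nothing about internet exposure, so the vantage point matters more than the script.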
State-sponsored exploitation and what it means for your posture
On May 7, the vendor updated its assessment to confirm that attacks are likely state-sponsored. The targeting pattern — focusing specifically on Authentication Portals exposed to the internet rather than all PAN-OS deployments — is consistent with reconnaissance-heavy operations that prioritize persistent access over immediate financial gain.
State-sponsored groups consistently target network infrastructure rather than endpoints when conducting espionage because the reward is qualitatively different. Endpoint compromise gives you one machine. Firewall compromise gives you the map of the entire network, the traffic between every system on it, and a position that your target’s security team is unlikely to look at first when investigating anomalies.
NHS England’s CSOC has assessed further exploitation as highly likely. For private sector organizations, the combination of a CISA KEV listing, a three-day federal remediation window, and confirmed state-sponsored attribution means the KEV deadline is effectively the right benchmark regardless of whether you are a federal agency.
What to do before May 13
Check portal exposure immediately. Navigate to Device > User Identification > Authentication Portal Settings. If the portal is enabled and accessible from untrusted zones or the public internet, this is your highest-priority remediation today — ahead of everything else on the list.
Restrict or disable the portal. Restrict access to trusted internal zones or disable entirely if not required. This is the only mitigation available until patches release. Customers following this practice are at greatly reduced risk even on unpatched versions.
Block the relevant ports upstream. Block inbound traffic on ports 6081 and 6082 at an upstream network device if portal configuration changes are not immediately feasible in your environment.
Monitor independently of the firewall. Given that a compromised firewall can manipulate its own logs, deploy network traffic monitoring upstream of the affected device where possible. Use SPAN ports or network taps to capture traffic independently of firewall logging. Review for unexpected outbound connections initiated by the firewall itself, configuration changes you did not initiate, and administrative logins inconsistent with normal administrative activity.
Plan patch deployment for May 13. Given confirmed state-sponsored exploitation and a three-day federal remediation window, this is not a standard patch cycle item. Have the deployment plan ready now so you can execute the day fixes become available.
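The monitoring step above is easier to act on with concrete rules. The following is an added example, not code from the original post or from any vendor: it runs three detections over flow records captured out-of-band (SPAN or TAP, fed to a sensor such as Zeek), so the firewall's own logging is not in the loop. The log lines are constructed in Zeek conn.log style with a reduced column set; the parser reads the `#fields` header, so it also works on full conn.log files. All addresses, the trusted and admin subnets, and the firewall outbound allowlist are hypothetical and must be replaced with your own.

```python
"""Detection rules over out-of-band flow records, independent of firewall logs.
Added example; sample log is constructed, addresses are hypothetical."""
import ipaddress
from typing import Dict, Iterator, List, Tuple

# --- Assumed environment (hypothetical; adjust to your network) ---
FIREWALL_ADDRS = {"198.51.100.10", "10.20.0.1", "192.0.2.1"}  # public, internal, mgmt interfaces
PORTAL_PORTS = {6081, 6082}                                   # ports named in the article
MGMT_PORTS = {22, 443}
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "10.20.0.0/16")]
ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/24")]
# Destinations the firewall itself is expected to talk to (syslog collector, NTP).
FW_OUTBOUND_ALLOW = {("10.0.0.5", 514), ("10.0.0.6", 123)}

# Constructed conn.log excerpt: one inbound hit on the portal from the internet,
# one firewall-initiated connection to an unknown host, one SSH to management
# from a non-admin subnet, and three benign flows.
SAMPLE_CONN_LOG = """\
#separator \\x09
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state
1778000000.1\t203.0.113.55\t51234\t198.51.100.10\t6082\ttcp\tSF
1778000001.2\t10.20.0.15\t40001\t10.20.0.1\t6082\ttcp\tSF
1778000002.3\t192.0.2.1\t44321\t203.0.113.99\t443\ttcp\tS1
1778000003.4\t192.0.2.1\t44322\t10.0.0.5\t514\tudp\tS0
1778000004.5\t172.16.9.4\t50110\t192.0.2.1\t22\ttcp\tSF
1778000005.6\t10.0.0.50\t50111\t192.0.2.1\t443\ttcp\tSF
"""


def parse_conn_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split("\t")))


def in_nets(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def evaluate(rec: Dict[str, str]) -> List[str]:
    """Return the names of every rule the record triggers."""
    src, dst, dport = rec["id.orig_h"], rec["id.resp_h"], int(rec["id.resp_p"])
    hits = []
    # Rule 1: the portal answered a client outside the trusted zones.
    if dst in FIREWALL_ADDRS and dport in PORTAL_PORTS and not in_nets(src, TRUSTED_NETS):
        hits.append("portal reachable from untrusted source")
    # Rule 2: the firewall itself opened a connection to a non-allowlisted peer
    # (a beacon or tooling download from a compromised device looks like this).
    if src in FIREWALL_ADDRS and (dst, dport) not in FW_OUTBOUND_ALLOW:
        hits.append("unexpected firewall-initiated outbound connection")
    # Rule 3: management-plane access from outside the admin subnet.
    if dst in FIREWALL_ADDRS and dport in MGMT_PORTS and not in_nets(src, ADMIN_NETS):
        hits.append("management access from outside admin subnet")
    return hits


def run_detections(text: str = SAMPLE_CONN_LOG) -> List[Tuple[str, Dict[str, str]]]:
    return [(rule, rec) for rec in parse_conn_log(text) for rule in evaluate(rec)]


if __name__ == "__main__":
    for rule, rec in run_detections():
        print(f"{rec['ts']} {rule}: {rec['id.orig_h']} -> {rec['id.resp_h']}:{rec['id.resp_p']}")
```

Rule 1 is your exposure check in log form and should go quiet once the portal is restricted; rules 2 and 3 are the ones to keep running after patching, because they do not depend on the vulnerability and they fire on exactly the behaviour a persistent foothold on the firewall produces. Keep the allowlist in rule 2 tight: a firewall that suddenly needs to talk to a new host is the signal, not noise.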
Organizations whose perimeter includes internet-exposed User-ID Authentication Portals have an open attack surface right now, regardless of what internal monitoring shows. CybelAngel’s attack surface management identifies exposed Authentication Portal instances visible from your perimeter before attackers scan for them.
Our dark web monitoring tracks exploitation tooling and compromised credentials circulating in underground markets connected to this campaign.
Frequently asked questions
What is CVE-2026-0300?
CVE-2026-0300 is a critical buffer overflow in the PAN-OS User-ID Authentication Portal allowing unauthenticated attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls. The CVSS 4.0 score is 9.3. Exploitation in the wild is confirmed and attributed to state-sponsored threat actors.
Is a patch available?
Not yet. First patches are expected on May 13, 2026, with further releases around May 28. Until then, restrict the User-ID Authentication Portal to trusted zones only or disable it entirely.
Which products are affected?
PA-Series and VM-Series firewalls running PAN-OS 10.2, 11.1, 11.2, or 12.1 with the User-ID Authentication Portal enabled and accessible from untrusted networks. Prisma Access, Cloud NGFW, and Panorama appliances are not affected.
How do I check whether I am exposed?
Navigate to Device > User Identification > Authentication Portal Settings. If the portal is enabled and not restricted to trusted internal zones, you are exposed. Restrict or disable it immediately.
Who is behind the exploitation?
The vendor updated its assessment on May 7 to indicate attacks are likely the work of state-sponsored threat actors. Exploitation is currently limited rather than mass-scale, but the CISA KEV listing and state-sponsored attribution signal escalating risk.
How does exposure affect severity?
Internet-exposed Authentication Portals carry a CVSS score of 9.3 and face confirmed active exploitation. Portals restricted to adjacent internal networks score 8.7, still severe, but at substantially reduced risk from the current exploitation campaign.
