A single crafted request to a login page. That is all it takes for an unauthenticated attacker to gain full root control of a Palo Alto Networks firewall, according to government vulnerability records published in May 2026. The flaw, tracked as CVE-2026-0300, is a buffer overflow in the PAN-OS User-ID Authentication Portal, a component many enterprises deliberately expose to the internet so remote workers and guests can log in. No patch exists today, and the earliest expected fix is May 13, leaving security teams to improvise defenses during the most dangerous stretch of any vulnerability’s lifecycle.
What the government records confirm
Two independent government bodies have cataloged the vulnerability and agree on every material detail. The NIST National Vulnerability Database entry describes CVE-2026-0300 as unauthenticated arbitrary code execution with root privileges. Both the CNA-provided CVSS v4 vector and the NVD’s own CVSS v3.1 base score reflect a remotely exploitable bug that requires no credentials and no user interaction to trigger.
Separately, CERT-EU, the Computer Emergency Response Team for EU institutions, published Security Advisory 2026-006 identifying the same CVE by name. The advisory pins the flaw to the User-ID Authentication Portal and Captive Portal components and states that it “allows an unauthenticated attacker to execute arbitrary code with root privileges.” CERT-EU’s advisory also lists the affected PAN-OS versions, giving defenders a concrete scope for triage.
When two government-run bodies on different continents describe the same flaw in consistent technical terms, the underlying facts carry high confidence.
Why a compromised firewall is worse than a compromised workstation
Firewalls are not just another device on the network. They inspect and route every packet flowing through a segment. An attacker who gains root access to one can intercept sensitive data in transit, silently disable security policies, pivot into internal systems that were never meant to face the internet, and wipe logs to cover their tracks. A single exploited firewall can turn an entire enterprise into an open corridor.
The exposure is compounded by architecture. The User-ID Authentication Portal exists specifically to accept connections from untrusted networks. Organizations deploy it at the perimeter so remote users and guests can authenticate, which means the vulnerable service sits exactly where attackers probe first. Exploitation does not require a foothold inside the network; it requires only the ability to reach the portal’s login page.
For context, Palo Alto Networks firewalls have been targeted before. In 2024, CVE-2024-3400, a command-injection flaw in PAN-OS GlobalProtect, was added to CISA’s Known Exploited Vulnerabilities catalog after confirmed attacks in the wild. That precedent underscores how quickly threat actors weaponize PAN-OS bugs once details become public.
What is still uncertain
Neither the NVD entry nor the CERT-EU advisory provides evidence that CVE-2026-0300 is being actively exploited right now. The distinction matters. The vulnerability is publicly documented with no vendor fix available, which meets one common working definition of a zero-day (others reserve the term for flaws the vendor does not yet know about), but confirmed exploitation in the wild has not appeared in the public record as of early May 2026. Without telemetry from Palo Alto Networks, incident-response firms, or threat-intelligence vendors, the scale of real-world attacks, if any, remains unknown.
As of early May 2026, CISA has not added CVE-2026-0300 to its Known Exploited Vulnerabilities catalog. That catalog requires evidence of active exploitation before a CVE is listed, so its absence is consistent with the lack of confirmed in-the-wild attacks in the public record. If CISA does add the CVE before a patch ships, federal civilian agencies would face binding remediation deadlines, and private-sector organizations that track the catalog as a prioritization signal would need to escalate their response.
The May 13 patch date referenced in reporting on this vulnerability originates from secondary sources rather than a direct vendor commitment visible in the NVD or CERT-EU records. Palo Alto Networks’ own security advisory, if one has been published, was not among the primary government documents reviewed here. Readers should treat May 13 as the best available estimate, not a guaranteed deadline.
Affected device counts are also unconfirmed. NIST’s vulnerability database does not track how many firewalls run a given PAN-OS version in production, and no authoritative census ties specific version numbers to specific customer counts. The blast radius could be enormous or relatively contained depending on how widely the vulnerable versions are deployed.
What defenders should do before May 13
The window between public disclosure and patch delivery is exactly when attackers move fastest. Organizations running PAN-OS versions identified in the CERT-EU advisory should treat this as a top-priority event and act now rather than waiting for a fix.
Disable the portal if you can. Turning off the User-ID Authentication Portal and Captive Portal on internet-facing interfaces removes the attack surface. Yes, it will break authentication workflows that depend on those portals, but the tradeoff is straightforward: temporary inconvenience versus potential root compromise of your perimeter firewall. After the change, confirm from outside the network that the portal's listening ports no longer answer; a policy rule that still redirects traffic to the portal can leave it reachable even when you believe it is off.
Restrict access if you cannot disable. Network teams that must keep the portal running should lock it down to trusted IP ranges using access-control lists. This does not eliminate the vulnerability, but it shrinks the pool of potential attackers from “everyone on the internet” to a manageable set. Keep in mind that anyone who can send traffic from inside a trusted range, such as a compromised remote-access user, still reaches the vulnerable code, so the allowlist buys time rather than safety.
Watch for anomalies. Monitor firewall logs for bursts of authentication attempts from a single source, portal traffic from outside the ranges you expect, and any connections that originate from the firewall itself toward internal hosts, which is a sign of lateral movement. Where the platform exposes process-level telemetry, look for unexpected child processes as well. Segment management interfaces away from general traffic so that even a compromised data-plane interface does not hand attackers the keys to the management plane.
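The triage described in the three steps above can be turned into a small log-review script. The example below is added here and is not from the article or from Palo Alto Networks; it reads a constructed, deliberately generic log format (timestamp, source IP, destination IP, event name), not real PAN-OS syslog, and the trusted ranges, firewall address, and burst thresholds are hypothetical values a team would replace with its own. It flags portal authentication attempts from outside the allowlist, bursts of attempts from one source, and connections the firewall itself initiates toward internal hosts.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real PAN-OS output). Format per line:
#   <ISO-8601 timestamp> <source IP> <destination IP> <event>
# Events used here: portal-auth-attempt (a hit on the portal login page)
# and connect (a new session). 198.51.100.1 plays the firewall's
# internet-facing address that hosts the portal.
SAMPLE_LOGS = """\
2026-05-04T09:00:01Z 203.0.113.7 198.51.100.1 portal-auth-attempt
2026-05-04T09:00:02Z 203.0.113.7 198.51.100.1 portal-auth-attempt
2026-05-04T09:00:03Z 203.0.113.7 198.51.100.1 portal-auth-attempt
2026-05-04T09:00:04Z 203.0.113.7 198.51.100.1 portal-auth-attempt
2026-05-04T09:00:05Z 203.0.113.7 198.51.100.1 portal-auth-attempt
2026-05-04T09:01:10Z 198.51.100.1 10.0.5.20 connect
2026-05-04T09:05:00Z 10.0.3.4 198.51.100.1 portal-auth-attempt
2026-05-04T09:30:00Z 192.0.2.9 198.51.100.1 portal-auth-attempt
"""

# Hypothetical values: ranges allowed to reach the portal (step 2 above),
# the firewall's own addresses, and what counts as a burst.
TRUSTED_RANGES = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12")]
FIREWALL_ADDRESSES = {ipaddress.ip_address("198.51.100.1")}
BURST_THRESHOLD = 5          # attempts ...
BURST_WINDOW_SECONDS = 60    # ... within this many seconds


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, src, dst, event = line.split()
    # fromisoformat() does not accept a trailing 'Z' before Python 3.11.
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, ipaddress.ip_address(src), ipaddress.ip_address(dst), event


def is_trusted(ip):
    return any(ip in net for net in TRUSTED_RANGES)


def has_burst(times):
    """True if BURST_THRESHOLD timestamps fall within BURST_WINDOW_SECONDS."""
    times = sorted(times)
    for i in range(len(times) - BURST_THRESHOLD + 1):
        span = times[i + BURST_THRESHOLD - 1] - times[i]
        if span.total_seconds() <= BURST_WINDOW_SECONDS:
            return True
    return False


def triage(log_text):
    """Return the three classes of finding as sorted lists of strings."""
    untrusted_sources = set()
    attempts = defaultdict(list)
    firewall_originated = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, src, dst, event = parse_line(line)
        if event == "portal-auth-attempt":
            attempts[src].append(when)
            if not is_trusted(src):
                untrusted_sources.add(str(src))
        elif event == "connect" and src in FIREWALL_ADDRESSES and is_trusted(dst):
            # The firewall itself opening sessions to internal hosts is
            # the lateral-movement signal the text warns about.
            firewall_originated.append(f"{src}->{dst}")
    burst_sources = sorted(str(s) for s, t in attempts.items() if has_burst(t))
    return {
        "untrusted_portal_sources": sorted(untrusted_sources),
        "burst_sources": burst_sources,
        "firewall_originated": sorted(firewall_originated),
    }


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOGS).items():
        print(f"{kind}: {hits}")
```

Run against the constructed sample it reports two portal sources outside the allowlist, one of which is also a burst, and one session the firewall opened into the 10.0.0.0/8 range. The thresholds are intentionally crude; the point is to make the three conditions in the text concrete enough to run over exported logs.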
Harden beyond this single CVE. NIST maintains the National Checklist Program, which offers configuration baselines for PAN-OS deployments. Applying those baselines now reduces the chance that a compromised firewall becomes a staging point for deeper intrusion, regardless of whether CVE-2026-0300 is the entry vector.
Every hour without a patch is an hour of exposure
Every hour between now and the arrival of a fix is an hour that a remotely exploitable, unauthenticated, root-level vulnerability sits on internet-facing firewalls with no vendor remedy. The severity scores, the attack vector, and the history of rapid weaponization of PAN-OS flaws all point in the same direction: this is not a vulnerability to monitor passively. Organizations that shrink their exposure today, even through blunt measures like disabling the portal, will be in a far stronger position than those still waiting when the first confirmed exploitation reports inevitably surface.
This article was researched with the help of AI, with human editors creating the final content.