Canadian Cyber Security Journal

Palo Alto Networks CVE-2026-0300: Unpatched PAN-OS Zero-Day Under Active Attack — What Canadian Organizations Must Do Now

What Happened

Palo Alto Networks confirmed active exploitation of CVE-2026-0300, a buffer overflow vulnerability in the User-ID Authentication Portal (also known as Captive Portal) component of PAN-OS. The flaw carries a CVSS score of 9.3 when the captive portal is internet-accessible, dropping to 8.7 when restricted to trusted internal addresses. An unauthenticated attacker sends specially crafted packets to an exposed portal and gains root-level remote code execution on PA-Series and VM-Series firewalls.

Exploitation is confirmed as active and, by Palo Alto’s own assessment, automatable. Palo Alto Networks disclosed the vulnerability on May 6, 2026. The first patches, targeting PAN-OS 12.1, 11.2, 11.1, and 10.2, are scheduled for May 13, with additional releases to follow on May 28. As of today, no fix exists. The attack surface is limited to organizations where the captive portal or User-ID Authentication Portal is exposed to untrusted networks — a configuration more common than most firewall operators expect, particularly in distributed office, retail, and campus environments.

Why This Matters for Canadian Organizations

Palo Alto Networks is among the most widely deployed next-generation firewall vendors across Canadian enterprise, government, financial services, healthcare, and post-secondary education environments. The Canadian Centre for Cyber Security has previously flagged Palo Alto infrastructure in national threat advisories, reflecting how deeply embedded these devices are in critical network perimeters across the country.

Root-level access to a perimeter firewall is among the most damaging outcomes of any network compromise. An attacker with this access can disable security controls, intercept traffic the firewall decrypts, pivot into internal network segments, and persist silently. With exploitation confirmed as automatable, widespread scanning for internet-exposed PAN-OS captive portals is a near-certainty. Canadian organizations in healthcare, financial services, and critical infrastructure — sectors with heavy Palo Alto deployments — face elevated risk until patches ship. The PIPEDA breach notification obligation applies if personal data is accessed through a firewall compromise.

What to Do

Palo Alto Networks’ official guidance is unambiguous: restrict User-ID Authentication Portal access to trusted internal IP addresses only, or disable the captive portal entirely if it is not required for operations. Audit your PAN-OS firewall configurations immediately to identify any instances where the portal is accessible from untrusted networks. Threat hunting for unusual outbound connections, new administrative accounts, or unexpected configuration changes on PAN-OS devices is warranted given confirmed in-the-wild exploitation. Monitor the Palo Alto security advisory for patch availability starting May 13 and treat this as a Priority 1 patching item the moment updates become available.
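The audit step above, as an added example that is not part of the article or of Palo Alto Networks' tooling: given a simplified, constructed list of rules permitting traffic to the authentication portal, it reports every rule whose sources are not fully contained in the trusted internal ranges. The rule record format and the trusted ranges are assumptions; PAN-OS's real configuration schema is not modelled.

```python
# Added example; the PortalRule shape is a hypothetical export format, not PAN-OS's own.
import ipaddress
from dataclasses import dataclass


@dataclass
class PortalRule:
    name: str
    sources: list  # CIDR/IP strings, or the literal "any"


# Assumed trusted internal ranges; adjust to the organization's actual address plan.
TRUSTED = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def untrusted_sources(rule, trusted=TRUSTED):
    """Return the sources of `rule` that are not contained in any trusted range."""
    findings = []
    for src in rule.sources:
        if src == "any":           # wide-open rule: portal reachable from anywhere
            findings.append(src)
            continue
        net = ipaddress.ip_network(src, strict=False)  # bare host IPs become /32
        same_family = (t for t in trusted if t.version == net.version)
        if not any(net.subnet_of(t) for t in same_family):
            findings.append(src)
    return findings


def audit(rules, trusted=TRUSTED):
    """Map each exposed rule name to the offending sources; clean rules are omitted."""
    report = {}
    for rule in rules:
        bad = untrusted_sources(rule, trusted)
        if bad:
            report[rule.name] = bad
    return report


# Constructed sample rules for demonstration.
SAMPLE_RULES = [
    PortalRule("portal-campus-wifi", ["10.20.0.0/16", "10.21.0.0/16"]),
    PortalRule("portal-retail-branches", ["any"]),
    PortalRule("portal-partner", ["192.168.50.0/24", "203.0.113.0/24"]),
]

if __name__ == "__main__":
    for name, bad in audit(SAMPLE_RULES).items():
        print(f"{name}: portal reachable from {', '.join(bad)}")
```

Rules that the report lists should be tightened to the trusted ranges or removed until the fix is installed.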

Source: BleepingComputer | The Hacker News
