Security advisories

Palo Alto PAN-OS Zero-Day Vulnerability (CVE-2026-0300)

May 6, 2026

THE THREAT

On May 5th, 2026, Palo Alto Networks disclosed CVE-2026-0300 (CVSS: 9.3), a critical zero-day buffer overflow vulnerability that impacts the User-ID Authentication Portal (aka Captive Portal) service of PAN-OS software. Exploitation of the vulnerability can enable an unauthenticated attacker to perform Remote Code Execution (RCE) with root privileges on impacted PA-series and VM-series firewalls, leading to full device takeover.

Patches to address CVE-2026-0300 are not currently available, and Palo Alto has confirmed that "limited exploitation" of the vulnerability has been identified. Until patches are released, organizations utilizing PA-series and VM-series devices should follow Palo Alto's recommended mitigation steps for restricting access to the User-ID Authentication Portal.

What we're doing about it

What you should do about it

Additional information

Palo Alto Networks has confirmed that the vulnerability does not impact Prisma Access, Cloud NGFW, or Panorama appliances. As per the timeline provided by Palo Alto, patches to address CVE-2026-0300 will start to become available on May 13th, 2026, one week after its disclosure. Mitigation recommendations provided include restricting access to the User-ID Authentication Portal to only trusted IP addresses, which can "greatly reduce" the risk. At the time of writing, Shadowserver Foundation has identified over 5,800 PAN-OS VM-series firewalls that are exposed to the Internet, with the majority of them being in Asia and North America.

Palo Alto has indicated that exploitation of CVE-2026-0300 has been observed, targeting User-ID Authentication Portals that are "exposed to untrusted IP addresses and/or the public Internet". Based on the details shared by Palo Alto regarding the limited exploitation of CVE-2026-0300, it is likely that attacks involve one specific threat actor or group, but this has not been confirmed. No additional information was shared regarding the identified attacks. At the time of writing, technical details on CVE-2026-0300 are limited, and there is currently no Proof-of-Concept (PoC) exploit code available; however, this can rapidly change. As the vulnerability requires no authentication, is considered low complexity, does not currently have patches, and exploitation has already been identified, eSentire's Threat Intelligence team assesses with medium confidence that widespread exploitation may be seen in the near future.

Impacted Product List

| Version | Affected | Unaffected (fix ETA) |
|---|---|---|
| PAN-OS 12.1 | < 12.1.4-h5 | >= 12.1.4-h5 (ETA: 05/13) |
| PAN-OS 12.1 | < 12.1.7 | >= 12.1.7 (ETA: 05/28) |
| PAN-OS 11.2 | < 11.2.4-h17 | >= 11.2.4-h17 (ETA: 05/28) |
| PAN-OS 11.2 | < 11.2.7-h13 | >= 11.2.7-h13 (ETA: 05/13) |
| PAN-OS 11.2 | < 11.2.10-h6 | >= 11.2.10-h6 (ETA: 05/13) |
| PAN-OS 11.2 | < 11.2.12 | >= 11.2.12 (ETA: 05/28) |
| PAN-OS 11.1 | < 11.1.4-h33 | >= 11.1.4-h33 (ETA: 05/13) |
| PAN-OS 11.1 | < 11.1.6-h32 | >= 11.1.6-h32 (ETA: 05/13) |
| PAN-OS 11.1 | < 11.1.7-h6 | >= 11.1.7-h6 (ETA: 05/28) |
| PAN-OS 11.1 | < 11.1.10-h25 | >= 11.1.10-h25 (ETA: 05/13) |
| PAN-OS 11.1 | < 11.1.13-h5 | >= 11.1.13-h5 (ETA: 05/13) |
| PAN-OS 11.1 | < 11.1.15 | >= 11.1.15 (ETA: 05/28) |
| PAN-OS 10.2 | < 10.2.7-h34 | >= 10.2.7-h34 (ETA: 05/28) |
| PAN-OS 10.2 | < 10.2.10-h36 | >= 10.2.10-h36 (ETA: 05/13) |
| PAN-OS 10.2 | < 10.2.13-h21 | >= 10.2.13-h21 (ETA: 05/28) |
| PAN-OS 10.2 | < 10.2.16-h7 | >= 10.2.16-h7 (ETA: 05/28) |
| PAN-OS 10.2 | < 10.2.18-h6 | >= 10.2.18-h6 (ETA: 05/13) |

References:
[1] https://security.paloaltonetworks.com/CVE-2026-0300
[2] https://docs.paloaltonetworks.com/ngfw/administration/user-id/map-ip-addresses-to-users/map-ip-addresses-to-usernames-using-captive-portal/configure-captive-portal
[3] https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000CqbiCAC
[4] https://dashboard.shadowserver.org/statistics/iot-devices/time-series/?date_range=7&vendor=palo+alto+networks&type=firewall&dataset=count&limit=100&group_by=geo&stacking=stacked
