Which versions of PAN-OS are affected by CVE-2026-0300?

CVE-2026-0300 is a critical remote code execution vulnerability in Palo Alto Networks PAN-OS Captive Portal affecting PA-Series and VM-Series firewalls, with confirmed active exploitation in the wild…. A patch is available.

Is there a public PoC exploit available for CVE-2026-0300?

Yes, a public proof-of-concept exploit is available for CVE-2026-0300. Prioritise patching immediately. EPSS: 14.9%.

PAN-OS CVE-2026-0300

Q: What is the CVSS score of CVE-2026-0300?

CVE-2026-0300 has a CVSS 4.0 base score of 9.3 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:M/U:Red. EPSS exploitation probability: 14.9%.

EUVD-2026-27879 CRITICAL

Out-of-bounds Write (CWE-787)

2026-05-06 palo_alto

RCE Buffer Overflow Memory Corruption Paloalto

9.3

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:M/U:Red

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Patch available

May 06, 2026 - 20:02 EUVD

Analysis Generated

May 06, 2026 - 19:46 vuln.today

CVSS changed

May 06, 2026 - 19:22 NVD

9.3 (CRITICAL)

Added to CISA KEV

May 06, 2026 - 19:18 CISA

CVE Published

May 06, 2026 - 18:57 nvd

CRITICAL 9.3

DescriptionNVD

A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.

The risk of this issue is greatly reduced if you secure access to the User-ID™ Authentication Portal per the best practice guidelines https://knowledgebase.paloaltonetworks.com/KCSArticleDetail by restricting access to only trusted internal IP addresses.

Prisma Access, Cloud NGFW and Panorama appliances are not impacted by this vulnerability.

AnalysisAI

Remote code execution in Palo Alto Networks PAN-OS User-ID Authentication Portal (Captive Portal) allows unauthenticated attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls via specially crafted packets. CISA KEV confirms active exploitation in the wild with publicly available exploit code. …

RemediationAI

WITHIN 24 HOURS: (1) Identify all PA-Series and VM-Series firewalls in your environment running PAN-OS versions vulnerable to CVE-2026-0300-contact Palo Alto Networks for affected version list if not yet published; (2) restrict network access to the User-ID Captive Portal to trusted internal management networks only via firewall rules or air-gapping; (3) enable enhanced logging and alerting on portal authentication attempts. WITHIN 7 DAYS: (1) review CISA KEV advisories and Palo Alto Networks security bulletins for confirmed vulnerable versions; (2) test failover/backup appliances if portal restriction is not operationally feasible; (3) establish incident response procedures for potential compromise detection. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-0300 vulnerability details – vuln.today

Back

PAN-OS CVE-2026-0300

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

PAN-OS CVE-2026-0300

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code