Palo Alto Networks disclosed active exploitation of CVE-2026-0300, a critical buffer overflow vulnerability in PAN-OS that allows unauthenticated remote code execution. The flaw carries a CVSS score of 9.3.

The vulnerability affects systems where the User-ID Authentication Portal is exposed to the internet. Attackers need no credentials to trigger the buffer overflow and execute arbitrary code on vulnerable appliances. This creates a direct path to full system compromise without authentication barriers.

Palo Alto Networks released an advisory after confirming real-world attacks. Organizations running PAN-OS with internet-facing authentication portals face immediate risk. Attackers can exploit this flaw to gain control of firewall infrastructure, potentially enabling lateral movement into protected networks and access to sensitive data flowing through these security boundaries.

Because exploitation requires the authentication portal to be exposed, the attack surface is narrower than for flaws reachable on any internet-facing gateway, but organizations that intentionally expose these portals for remote access still form a substantial target set. Many enterprises maintain internet-facing authentication gateways for staff working remotely or across distributed locations.

Mitigation requires urgent patching or network isolation measures. Organizations should review their deployment configurations to identify exposed authentication portals, and those relying on internet-accessible portals should prioritize updates immediately. Until patches are deployed, temporary controls include restricting access to the portal through network-level filters, WAF rules, or IP allowlisting.

This vulnerability demonstrates the persistent risk in management and authentication interfaces. Even when primary firewall rules remain restrictive, auxiliary services like user authentication portals introduce attack surface. Security teams should inventory all internet-facing management and authentication services across their Palo Alto infrastructure and apply available patches without delay.