PT-2026-37340 · Palo Alto Networks · PAN-OS (PA-Series, VM-Series)

Published 2026-05-06 · Updated 2026-05-08

CVE-2026-0300

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

PAN-OS versions prior to 10.2.18-h6
PAN-OS versions prior to 11.1.15
PAN-OS versions prior to 11.2.12
PAN-OS versions prior to 12.1.7
Description

A buffer overflow, specifically an out-of-bounds write, exists in the User-ID Authentication Portal (also known as the Captive Portal) service of PAN-OS on PA-Series and VM-Series firewalls. An unauthenticated attacker who can reach the portal service can send specially crafted packets and execute arbitrary code with root privileges on the firewall, which is why the vector carries AV:N/PR:N/UI:N with full impact on confidentiality, integrity and availability. The flaw is being actively exploited in the wild, with reports of espionage and lateral movement. Published estimates of the number of instances reachable from the public internet vary widely, from about 5,800 to 225,000. Exposure requires the Authentication Portal service to be enabled on an interface the attacker can reach; firewalls that do not use the portal, or expose it only to trusted zones, present a much smaller attack surface but are still affected and should be patched.
Recommendations

Upgrade PAN-OS to a fixed release for the train in use:

10.2.x: update to 10.2.18-h6 or later
11.1.x: update to 11.1.15 or later
11.2.x: update to 11.2.12 or later
12.1.x: update to 12.1.7 or later

Until the upgrade is applied:

Disable the User-ID Authentication Portal if it is not business-critical.
Otherwise restrict access to the User-ID Authentication Portal to trusted internal IP addresses or trusted zones only, so that it is not reachable from the internet or from untrusted segments.
On PAN-OS 11.1 and later, enable Threat Prevention signature 510019 and make sure the Vulnerability Protection profile carrying it is applied to the security rules that permit traffic to the portal.

The workarounds reduce exposure but do not remove the flaw, and the signature only helps for traffic that is actually inspected under such a profile, so the upgrade should still be scheduled. Because exploitation is already occurring, a firewall whose portal was reachable from untrusted networks before patching should be reviewed for signs of compromise rather than assumed clean.
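As a practical check against the version list above, the following is an added Python example (not Positive Technologies' or Palo Alto Networks' code) that parses PAN-OS version strings, including the -hN hotfix suffix, and classifies a version as fixed, vulnerable or unlisted against the four fixed releases on this page. The `show system info` text it parses is a constructed sample, the `sw-version` key name is an assumption about that output, and trains that the advisory does not list are reported as unlisted rather than judged. It checks the software version only; whether the Authentication Portal is enabled and reachable has to be confirmed separately.

```python
"""Classify PAN-OS versions against the fixed releases listed in this advisory.

Added example for this page; not Palo Alto Networks code. Fixed versions come
from the advisory above. The 'show system info' text below is a constructed
sample, and the 'sw-version' key name is an assumption about that output.
"""
import re
from typing import Dict, Optional, Tuple

# Fixed release per PAN-OS train (major, minor), as listed in the advisory.
FIXED_RELEASES: Dict[Tuple[int, int], str] = {
    (10, 2): "10.2.18-h6",
    (11, 1): "11.1.15",
    (11, 2): "11.2.12",
    (12, 1): "12.1.7",
}

# major.minor.maintenance with an optional -hN hotfix suffix (e.g. 10.2.18-h6).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '10.2.18-h6' into (10, 2, 18, 6); a missing hotfix counts as 0.

    Tuples compare element by element, so 10.2.18-h6 > 10.2.18-h3 and
    10.2.19 > 10.2.18-h6, i.e. a hotfix never outranks the next maintenance release.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def assess(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unlisted' for one PAN-OS version.

    'unlisted' means the major.minor train does not appear in the advisory's
    fixed-version list, so this page alone gives no verdict (assumption: do not
    guess for those trains; consult the vendor advisory instead).
    """
    v = parse_version(version)
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is None:
        return "unlisted"
    return "fixed" if v >= parse_version(fixed) else "vulnerable"


def version_from_system_info(output: str) -> Optional[str]:
    """Extract the sw-version value from 'show system info' style key: value lines."""
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "sw-version":
            return value.strip()
    return None


# Constructed sample of the CLI output; hostname and model are placeholders.
SAMPLE_SYSTEM_INFO = """\
hostname: fw-edge-01
model: PA-3260
sw-version: 10.2.18-h3
app-version: 8900-9000
"""


def assess_system_info(output: str) -> str:
    """Combine the two steps: find the version in the CLI text and classify it."""
    version = version_from_system_info(output)
    if version is None:
        raise ValueError("sw-version not found in system info output")
    return assess(version)


if __name__ == "__main__":
    for candidate in ["10.2.18-h3", "10.2.18-h6", "11.1.14-h9", "12.1.7", "10.1.14"]:
        print(f"{candidate:>12}: {assess(candidate)}")
    print(f"sample device: {assess_system_info(SAMPLE_SYSTEM_INFO)}")
```

The hotfix suffix is the part that is easy to get wrong in an inventory script: a plain string comparison would rank "10.2.18-h6" below "10.2.18" and would misclassify the very release that carries the fix for the 10.2 train.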

Tags: Fix · DoS · RCE · Memory Corruption

Weakness Enumeration

Related Identifiers

CVE-2026-0300

Affected Products

PA-Series
PAN-OS
VM-Series