PAN-OS User-ID Authentication Portal Vulnerability Exploited in Attacks (CVE-2026-0300)
Palo Alto Networks has warned customers that a vulnerability in the User-ID Authentication Portal (formerly Captive Portal) service of PAN-OS is being actively exploited. Tracked as CVE-2026-0300, the vulnerability is rated critical with a CVSS score of 9.3. Successful exploitation leads to arbitrary code execution on the firewall.
In its advisory, Palo Alto Networks says it is "aware of a limited number of exploitation attempts targeting Palo Alto Networks User-ID Authentication Portals that are exposed to untrusted IP addresses and/or the public internet".
The Palo Alto Networks User-ID Authentication Portal (formerly known as Captive Portal) is a PAN-OS security feature that authenticates users when the firewall cannot automatically map their IP addresses to identities.
Vulnerability Details
The vulnerability is a buffer overflow that allows an unauthenticated attacker to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls whose Authentication Portal is reachable from the attacker's network. The attacker triggers it by sending specially crafted packets to the portal; no credentials are required.
Only PA-Series and VM-Series firewalls that are configured to use the User-ID Authentication Portal are affected. A firewall on a vulnerable PAN-OS build with the portal disabled is not exposed, but should still be patched.
Affected versions
- PAN-OS 12.1 versions before PAN-OS 12.1.7
- PAN-OS 11.2 versions before PAN-OS 11.2.12
- PAN-OS 11.1 versions before PAN-OS 11.1.15
- PAN-OS 10.2 versions before PAN-OS 10.2.7-h34
Workarounds
Until the fixed releases are available, customers can apply either of the following actions to mitigate the vulnerability:
- Restrict User-ID Authentication Portal access to trusted zones only, so that it is no longer reachable from untrusted IP addresses or the public internet. Refer to the Live Community article and Knowledgebase article for help.
- Disable the User-ID Authentication Portal if it is not required.
Patches
Palo Alto Networks plans to release the fixed versions by the end of the month. The fixed versions and their ETAs are:
- PAN-OS 12.1 version PAN-OS 12.1.7 (ETA: 05/28)
- PAN-OS 11.2 version PAN-OS 11.2.12 (ETA: 05/28)
- PAN-OS 11.1 version PAN-OS 11.1.15 (ETA: 05/28)
- PAN-OS 10.2 version PAN-OS 10.2.7-h34 (ETA: 05/28)
Customers can refer to the Palo Alto Networks Security Advisory for information regarding patching this vulnerability.
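The lists above define "affected" by build number within each release train, and the 10.2 train is fixed at a hotfix build (10.2.7-h34) rather than a base release, which plain string comparison gets wrong (for example, "10.2.7-h9" sorts after "10.2.7-h34" as a string). The script below, added here as an illustration and not code from Qualys or Palo Alto Networks, parses PAN-OS version strings into sortable tuples, compares them against the fixed builds listed in the advisory, and combines the result with the two workarounds (portal disabled, portal restricted to trusted zones) to produce a per-firewall action. It assumes `show system info` output contains a `sw-version:` line; the inventory and CLI output in `SAMPLE_INVENTORY` are constructed for the example, and the hostnames are fictitious. A release train not listed in the advisory is reported as unknown rather than safe.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed builds per PAN-OS release train, as listed in the advisory for
# CVE-2026-0300. Any build in one of these trains that sorts below the
# listed build is vulnerable.
FIXED_BUILDS: Dict[Tuple[int, int], str] = {
    (12, 1): "12.1.7",
    (11, 2): "11.2.12",
    (11, 1): "11.1.15",
    (10, 2): "10.2.7-h34",
}

# PAN-OS version strings look like "major.minor.maint" with an optional
# hotfix suffix "-hN", e.g. "10.2.7-h34".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Parse a PAN-OS version into a sortable (major, minor, maint, hotfix) tuple.

    A build with no hotfix suffix is treated as hotfix 0, so 10.2.7 sorts
    below 10.2.7-h34, and 10.2.8 sorts above both.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_vulnerable_build(version: str) -> Optional[bool]:
    """True if the build is below the fixed build for its train, False if it
    is at or above it, None if the train is not listed in the advisory.
    Do not treat None as safe; check the vendor advisory for that train."""
    parsed = parse_panos_version(version)
    fixed = FIXED_BUILDS.get(parsed[:2])
    if fixed is None:
        return None
    return parsed < parse_panos_version(fixed)


def extract_sw_version(show_system_info: str) -> str:
    """Pull the value of the 'sw-version:' line out of 'show system info'
    CLI output. The line format is assumed; the sample output below is
    constructed for this example."""
    m = re.search(r"^\s*sw-version:\s*(\S+)", show_system_info, re.MULTILINE)
    if not m:
        raise ValueError("no sw-version line found")
    return m.group(1)


def triage(version: str, portal_enabled: bool, reachable_from_untrusted: bool) -> str:
    """Combine build status with the two workarounds from the advisory into
    an action label for one firewall."""
    vuln = is_vulnerable_build(version)
    if vuln is None:
        return "unlisted-train: consult advisory"
    if not vuln:
        return "fixed"
    if not portal_enabled:
        return "vulnerable build, portal disabled: schedule patch"
    if reachable_from_untrusted:
        return "URGENT: restrict portal to trusted zones or disable it, then patch"
    return "vulnerable build, portal restricted to trusted zones: patch"


# Constructed inventory: (hostname, 'show system info' excerpt, portal
# enabled, portal reachable from untrusted zones). All values are made up.
SAMPLE_INVENTORY: List[Tuple[str, str, bool, bool]] = [
    ("fw-edge-1", "hostname: fw-edge-1\nsw-version: 10.2.7-h33\n", True, True),
    ("fw-edge-2", "hostname: fw-edge-2\nsw-version: 10.2.7-h34\n", True, True),
    ("fw-dc-1", "hostname: fw-dc-1\nsw-version: 11.1.14\n", True, False),
    ("fw-lab-1", "hostname: fw-lab-1\nsw-version: 12.1.7\n", False, False),
    ("fw-old-1", "hostname: fw-old-1\nsw-version: 11.0.3\n", True, True),
]


def triage_inventory(inventory=SAMPLE_INVENTORY) -> Dict[str, str]:
    """Map each hostname in the inventory to its triage label."""
    return {
        host: triage(extract_sw_version(info), enabled, exposed)
        for host, info, enabled, exposed in inventory
    }


if __name__ == "__main__":
    for host, action in triage_inventory().items():
        print(f"{host:10} {action}")
```

Run it against the real `show system info` output from each firewall and the portal settings from its running configuration; the point of the `None` result is that an unlisted train should trigger a manual check of the advisory, not be filed as patched.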
Qualys Detection
Qualys customers can scan their devices with QID 734142 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.
References
https://security.paloaltonetworks.com/CVE-2026-0300