CVE-2026-0300: What Palo Alto PAN-OS Firewall Admins Should Do Now

Limited exploitation does not make this a wait-and-see issue. If the portal is reachable from the internet or another untrusted network, treat the firewall as highest priority. Reporting on Palo Alto's advisory notes a CVSS score of 9.3 when the User-ID Authentication Portal is enabled for internet or untrusted network access; that risk score drops to 8.7 when access is restricted to trusted internal IPs, but the device still needs remediation ^[7].

Scope: systems to check first

Start with PA-Series and VM-Series firewalls running PAN-OS where User-ID Authentication Portal/Captive Portal is configured ^[15][18]. The Singapore Cyber Security Agency advises users and administrators of affected versions to restrict or disable portal access until updates are available, and says successful exploitation can let a remote unauthenticated attacker execute arbitrary code with root privileges by sending specially crafted packets ^[18].

Unit 42 says Prisma Access, Cloud NGFW, and Panorama appliances are not affected by this vulnerability ^[27]. That does not remove the need to audit firewall deployments, especially where Captive Portal has ever been exposed to untrusted IP addresses ^[26][27].

Immediate action plan

Federal agency response

For U.S. federal agencies covered by CISA KEV/BOD 22-01, this should be handled as a compliance-driven emergency, not only as a vendor patch ticket. CVE-2026-0300 was added to CISA's Known Exploited Vulnerabilities database on May 6, 2026 ^[9], and federal agencies are directed to remediate KEV-listed vulnerabilities under BOD 22-01 ^[16].

Agency teams should maintain an evidence trail for affected-asset discovery, portal restriction or disablement, patch status, fixed PAN-OS version, validation that no untrusted network path remains, and compromise assessment for any firewall that was exposed.

If you cannot patch immediately

Keep mitigations in place until the correct fixed version is available for the affected branch. If the business cannot tolerate disabling Captive Portal, restrict access to trusted internal IP ranges and monitor the deployment closely. If neither patching nor reliable restriction is possible, isolate the firewall from untrusted access or remove the exposed service until remediation is complete; the remaining exposure is network-reachable, unauthenticated, and already reported as exploited ^[9][10][15].

Mistakes to avoid

• Do not wait for routine maintenance if the portal is exposed to the internet or untrusted networks; public exposure is the highest-risk configuration ^[7][26].
• Do not treat internal-only restriction as a permanent fix. It lowers risk, but affected devices still need the appropriate PAN-OS update ^[1][7].
• Do not rely on third-party version tables as the final authority. Use Palo Alto's advisory for the current fixed-version target and vendor status ^[10].
• Do not stop at patching if the firewall was exposed during the exploitation window. Complete a compromise review because successful exploitation can provide root-level code execution on the device ^[10][15].

The minimum safe posture is clear: remove untrusted access to the User-ID Authentication Portal, apply Palo Alto's fixed PAN-OS release as soon as it is available for the deployment, and investigate any exposed firewall before restoring normal trust ^[1][10][18].