CVE-2026-0300: What Palo Alto PAN-OS Firewall Admins Should Do Now

The advisory characteristics are the kind security teams prioritize first: network attack vector, low attack complexity, no privileges required, no user interaction, no attack requirements, and automatable exploitation ^[10]. Unit 42 says it is aware of limited exploitation and is tracking a likely state-sponsored activity cluster exploiting the vulnerability ^[15]. The Canadian Centre for Cyber Security also reported that Palo Alto received active-exploitation reports and that CISA added CVE-2026-0300 to the Known Exploited Vulnerabilities catalog on May 6, 2026 ^[9].

Limited exploitation does not make this safe to defer. The Center for Internet Security says exploitation has targeted User-ID Authentication Portals exposed to untrusted IP addresses or the public internet, while customers restricting sensitive portals to trusted internal networks are at greatly reduced risk ^[26]. Unit 42 similarly says unauthenticated RCE risk is significantly elevated when the portal is exposed to the public internet or untrusted networks ^[27].

Systems to triage first

Start with Palo Alto Networks PA-Series and VM-Series firewalls running PAN-OS where the User-ID Authentication Portal/Captive Portal is enabled ^[15][18]. Public reporting on Palo Alto’s scoring notes a CVSS score of 9.3 when the portal is configured for internet or untrusted-network access, dropping to 8.7 when access is restricted to trusted internal IP addresses ^[7]. Lower risk is not the same as remediated risk: internally restricted systems still need the vendor-recommended update path ^[1][10].

Unit 42 says Prisma Access, Cloud NGFW, and Panorama appliances are not affected by this vulnerability ^[27]. That helps narrow the triage list, but it should not replace an audit of PA-Series and VM-Series firewall deployments, especially any environment where Captive Portal has been exposed to untrusted IP addresses ^[26][27].

Immediate action plan for PAN-OS admins

1. Find every User-ID Authentication Portal deployment

Inventory PAN-OS firewalls and identify which PA-Series and VM-Series devices have the User-ID Authentication Portal/Captive Portal enabled ^[15][18]. For each one, record whether the portal is reachable from the internet, from any untrusted network, or only from trusted internal IP ranges. Treat public or untrusted reachability as the highest-priority condition because that is where exploitation risk is elevated ^[26][27].

2. Restrict or disable portal access now

Restrict the User-ID Authentication Portal to trusted internal networks only. If that cannot be done reliably, disable portal access until the device can be remediated. Singapore’s Cyber Security Agency advises users and administrators of affected versions to restrict or disable portal access until security updates are available ^[18].

3. Patch from Palo Alto’s advisory, not from copied version tables

CERT-EU recommends updating affected appliances as soon as patches are available while applying workarounds and mitigations in the meantime ^[1]. Use Palo Alto Networks’ CVE-2026-0300 advisory as the authoritative source for current affected-version and fixed-version guidance for your PAN-OS branch ^[10].

4. Validate exposure controls after patching

Do not assume that a software update alone fixes the deployment risk. After patching, confirm that the User-ID Authentication Portal is not reachable from the public internet or untrusted networks unless a documented business requirement exists and compensating controls are in place. Restricting sensitive portals to trusted internal networks is described as a best-practice posture that greatly reduces risk ^[26][27].

5. Investigate any firewall that was exposed

Any affected firewall with a portal exposed to untrusted networks should get a compromise assessment before returning to normal trust. Preserve logs, review portal traffic, check for unexpected configuration changes, and look for post-exploitation activity. The reason is straightforward: successful exploitation can provide unauthenticated root-level code execution on the firewall ^[10][15][18].

Federal agencies: handle it as a KEV-driven emergency

For U.S. federal teams covered by CISA KEV processes, CVE-2026-0300 is not only a vendor advisory. The Canadian Centre for Cyber Security reports that CISA added the vulnerability to the KEV catalog on May 6, 2026 ^[9], and current reporting notes that federal agencies are directed to remediate KEV-listed vulnerabilities under BOD 22-01 ^[16].

Agency teams should maintain an evidence trail for asset discovery, portal restriction or disablement, patch status, fixed PAN-OS version validation, proof that no untrusted network path remains, and compromise assessment for any firewall that was exposed.

If you cannot patch immediately

Keep mitigations in place until the correct fixed release is available and installed for the affected deployment. If the business cannot tolerate disabling Captive Portal, restrict access to trusted internal IP ranges and monitor closely. If neither patching nor reliable restriction is possible, isolate the firewall from untrusted access or remove the exposed service until remediation is complete. The residual exposure is network-reachable, unauthenticated, automatable, and already reported as exploited ^[9][10][18].

Mistakes to avoid

• Do not wait for routine maintenance if the portal is exposed to the internet or an untrusted network; that is the highest-risk configuration described in the available advisories ^[26][27].
• Do not treat internal-only restriction as a permanent fix. It lowers risk, but affected devices still need the appropriate PAN-OS remediation path ^[1][7].
• Do not rely on third-party fixed-version lists as the final authority. Use Palo Alto’s advisory for current vendor status and version guidance ^[10].
• Do not stop at patching if the firewall was exposed during the exploitation period. Complete a compromise review because the flaw can allow code execution with root privileges ^[10][15][18].

The minimum safe posture is clear: remove untrusted access to the User-ID Authentication Portal, follow Palo Alto’s advisory for patching, and investigate any exposed firewall before restoring normal trust ^[1][10][18].