Palo Alto Networks has launched an advisory warning {that a} essential buffer overflow vulnerability in its PAN-OS software program has been exploited within the wild.
The vulnerability, tracked as CVE-2026-0300, has been described as a case of unauthenticated distant code execution. It carries a CVSS rating of 9.3 if the Consumer-ID Authentication Portal is configured to allow entry from the web or any untrusted community. The severity comes down to eight.7 if entry to the portal is restricted to solely trusted inner IP addresses.
“A buffer overflow vulnerability within the Consumer-ID Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software program permits an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Collection and VM-Collection firewalls by sending specifically crafted packets,” the corporate mentioned.
In response to Palo Alto Networks, the vulnerability has come underneath “restricted exploitation,” particularly concentrating on situations the place the Consumer-ID Authentication Portal has been left publicly accessible. The next variations are impacted by the flaw –
- PAN-OS 12.1 – < 12.1.4-h5, < 12.1.7
- PAN-OS 11.2 – < 11.2.4-h17, < 11.2.7-h13, < 11.2.10-h6, < 11.2.12
- PAN-OS 11.1 – < 11.1.4-h33, < 11.1.6-h32, < 11.1.7-h6, < 11.1.10-h25, < 11.1.13-h5, < 11.1.15
- PAN-OS 10.2 – < 10.2.7-h34, < 10.2.10-h36, < 10.2.13-h21, < 10.2.16-h7, < 10.2.18-h6
The problem, because it stands, is unpatched, with Palo Alto Networks planning to launch fixes beginning Could 13, 2026. The corporate additionally mentioned the vulnerability is relevant solely to PA-Collection and VM-Collection firewalls which might be configured to make use of the Consumer-ID Authentication Portal.
“Prospects following customary security finest practices, similar to limiting delicate portals to trusted inner networks are at a tremendously diminished threat,” it added.
Within the absence of a patch, customers are suggested to both limit Consumer-ID Authentication Portal entry to solely trusted zones, or disable it fully, if it isn’t required.
