Source: The Hacker News
Author: info@thehackernews.com (The Hacker News)
URL: https://thehackernews.com/2026/05/palo-alto-pan-os-flaw-under-active.html
## ONE SENTENCE SUMMARY:

Palo Alto Networks warns that CVE-2026-0300 enables unauthenticated root RCE via the PAN-OS Captive Portal; it is already exploited in the wild and remains unpatched until May 13, 2026.

## MAIN POINTS:

1. Palo Alto Networks issued an advisory for a critical PAN-OS buffer overflow vulnerability.
2. CVE-2026-0300 allows unauthenticated remote code execution with root privileges.
3. Exploitation occurs through specially crafted packets targeting the User-ID Authentication Portal.
4. The CVSS score is 9.3 when the portal is reachable from the internet or an untrusted network.
5. Severity drops to 8.7 if access is restricted to trusted internal IPs.
6. Palo Alto Networks observed limited in-the-wild exploitation against publicly exposed portals.
7. Affected platforms include PA-Series and VM-Series firewalls that use the portal.
8. Impacted PAN-OS branches span 10.2, 11.1, 11.2, and 12.1 before the listed fixed builds.
9. No patch is currently available; fixes are planned starting May 13, 2026.
10. Recommended mitigations are restricting portal access to trusted zones or disabling the portal.

## TAKEAWAYS:

1. Internet-exposed Captive Portal configurations materially increase the risk of full device compromise.
2. Unauthenticated root-level RCE demands immediate defensive configuration changes rather than waiting for patches.
3. Validate whether the User-ID Authentication Portal is enabled across PA/VM fleets and identify exposures.
4. Prioritize upgrading to the upcoming fixed releases once available across all impacted PAN-OS versions.
5. Enforcing least-exposure best practices for management and other sensitive portals reduces exploitability significantly.