Critical Palo Alto Firewall Flaw Under Active Attack — How to Check If You're Affected
If your organization runs Palo Alto Networks firewalls, stop what you're doing and read this. A critical vulnerability in PAN-OS — the operating system powering Palo Alto's PA-Series and VM-Series firewalls — is being actively exploited right now, and patches aren't fully available yet.
Here's what you need to know, what to check immediately, and how to protect yourself while you wait for an official fix.
What's the Flaw?
The Hacker News reported on May 6, 2026 that Palo Alto Networks has confirmed active exploitation of CVE-2026-0300, a critical buffer overflow vulnerability in the User-ID Authentication Portal (also known as the Captive Portal) service of PAN-OS software.
The key details:
- CVE ID: CVE-2026-0300
- CVSS Score: 9.3 (when the portal is publicly accessible) / 8.7 (when restricted to trusted internal IPs)
- Attack type: Unauthenticated remote code execution
- Privilege level gained: Root
- Affected hardware: PA-Series and VM-Series firewalls
As Security Affairs explains, an unauthenticated attacker can send specially crafted packets to the User-ID Authentication Portal and execute arbitrary code with root privileges — full control of the device — without needing a username or password of any kind. That's about as bad as it gets for a network security appliance.
The good news — if you can call it that — is that Palo Alto Networks says exploitation has so far been "limited," primarily targeting firewalls where the User-ID Authentication Portal is exposed directly to the public internet or untrusted networks.
Are You Affected? Check Your PAN-OS Version
Not every Palo Alto device is vulnerable. According to the advisory covered by The Hacker News, the vulnerability only affects PA-Series and VM-Series firewalls configured to use the User-ID Authentication Portal. Prisma Access and Cloud NGFW are not affected.
Here are the vulnerable PAN-OS version ranges:
| PAN-OS Version | Vulnerable If Running... |
|---|---|
| 12.1 | < 12.1.4-h5 or < 12.1.7 |
| 11.2 | < 11.2.4-h17, < 11.2.7-h13, < 11.2.10-h6, or < 11.2.12 |
| 11.1 | < 11.1.4-h33, < 11.1.6-h32, < 11.1.7-h6, < 11.1.10-h25, < 11.1.13-h5, or < 11.1.15 |
| 10.2 | < 10.2.7-h34, < 10.2.10-h36, < 10.2.13-h21, < 10.2.16-h7, or < 10.2.18-h6 |
To check your version: Log into your firewall's web interface and navigate to Dashboard > General Information > Software Version, or run `show system info` in the CLI.
Then ask yourself the critical follow-up question: Is your User-ID Authentication Portal accessible from the internet or an untrusted network? If the answer is yes, your risk is significantly elevated — act immediately.
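If you manage more than a handful of devices, comparing each `show system info` output against the table above by hand is error-prone, especially with the `-hN` hotfix suffixes. The following script is an added example written for this post, not a Palo Alto Networks tool. It encodes the fixed versions from the table and interprets them the way PAN-OS advisories are normally read: a maintenance release listed with a hotfix is fixed from that hotfix onward, and any other maintenance release on the same branch is fixed only once it reaches the branch's highest listed fix. Branches not in the table (for example 10.1) return `None` rather than a guess. The `sw-version:` line format in the constructed sample output is an assumption about how the CLI prints it; confirm against your own device.

```python
import re
from typing import Optional

# Fixed releases per PAN-OS branch, copied from the table in this post.
FIXED_VERSIONS = {
    "12.1": ["12.1.4-h5", "12.1.7"],
    "11.2": ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25",
             "11.1.13-h5", "11.1.15"],
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7",
             "10.2.18-h6"],
}

# Accepts major.minor.maintenance with an optional -hN hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> tuple:
    """Turn '11.1.6-h30' into (11, 1, 6, 30); a release with no hotfix gets 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version is in a vulnerable range, False if fixed,
    None if the branch is not covered by the table at all."""
    v = parse_version(version)
    fixes = FIXED_VERSIONS.get(f"{v[0]}.{v[1]}")
    if fixes is None:
        return None
    fixed = [parse_version(f) for f in fixes]
    # Same maintenance release as a listed fix: only the hotfix level decides.
    for f in fixed:
        if f[2] == v[2]:
            return v[3] < f[3]
    # Otherwise the release is fixed only at or above the branch's newest fix.
    return v < max(fixed)


def version_from_system_info(text: str) -> str:
    """Pull the sw-version value out of 'show system info' output
    (assumed 'key: value' line format)."""
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "sw-version":
            return value.strip()
    raise ValueError("no sw-version line found")


# Constructed sample of CLI output for demonstration only.
SAMPLE_SYSTEM_INFO = """\
hostname: fw-branch-01
ip-address: 10.0.0.1
model: PA-440
sw-version: 11.1.6-h30
"""

if __name__ == "__main__":
    running = version_from_system_info(SAMPLE_SYSTEM_INFO)
    print(running, "vulnerable:", is_vulnerable(running))
```

Feed it the `sw-version` line from each device (or an export from Panorama) and you get a per-device yes/no, with `None` flagging anything the table does not speak to so you go back to the advisory rather than assuming it is safe.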
Patches Aren't Here Yet — But They're Coming
As of this writing, fixes are not yet fully released. According to Security Affairs, Palo Alto Networks is rolling out patches in waves, with the first wave expected May 13, 2026 and additional releases through May 28, 2026.
That means there's a window right now where your firewall may be vulnerable and no official patch is available for your specific version. This is exactly why the interim mitigations below matter so much.
What to Do Right Now (Before the Patch Arrives)
Palo Alto Networks has provided clear guidance on reducing your risk while patches are in progress. Here's a practical checklist:
1. Restrict Portal Access to Trusted Internal IPs Only
This is the single most effective mitigation. According to both The Hacker News and Security Affairs, Palo Alto Networks explicitly states that the CVSS score drops from 9.3 to 8.7 — and the real-world risk drops dramatically — when access is locked down to trusted internal networks only. Go into your security policies and ensure the User-ID Authentication Portal is not reachable from untrusted zones or the public internet.
2. Disable the User-ID Authentication Portal If You Don't Need It
If your organization doesn't actively use Captive Portal / User-ID Authentication, disable it entirely. Per The Hacker News, Palo Alto Networks advises disabling the feature if it isn't required. This eliminates the attack surface completely.
3. Apply the Patch the Moment It's Available for Your Version
Mark May 13 on your calendar. As soon as your version's hotfix lands, apply it. Don't wait a few days to "see how it goes" — active exploitation is already happening.
4. Review Firewall Logs for Anomalous Activity
While Palo Alto Networks has characterized exploitation as "limited," limited doesn't mean zero. Pull your traffic logs and look for:
- Unexpected or repeated connection attempts to the User-ID Authentication Portal from external IP addresses
- Unusual outbound connections from the firewall itself (which could indicate a compromised device calling home)
- Any authentication activity that doesn't match known internal user behavior
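The first two bullets can be checked mechanically against an exported traffic log. The script below is an added example for this post, not a Palo Alto Networks feature: it reads a constructed CSV export with a handful of traffic-log fields, counts portal connections arriving from addresses outside the RFC 1918 ranges, and lists connections the firewall itself opened to non-private destinations. The firewall's management address and the portal listener ports are assumptions set at the top; substitute the values from your own configuration, and widen the "internal" list if you route public address space inside your network.

```python
import csv
import io
import ipaddress
from collections import Counter

# Assumed values for this example; replace with your own configuration.
FIREWALL_MGMT_IP = "10.0.0.1"
PORTAL_PORTS = {6080, 6081, 6082}

# Address ranges treated as internal. TEST-NET ranges used in the sample
# below are deliberately left out so they count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample traffic-log export (subset of fields), for demonstration.
SAMPLE_TRAFFIC_LOG = """\
receive_time,src,dst,dport,app,action
2026/05/06 09:12:01,10.0.5.23,10.0.0.1,6081,captive-portal,allow
2026/05/06 09:12:07,203.0.113.45,198.51.100.10,6081,captive-portal,allow
2026/05/06 09:12:09,203.0.113.45,198.51.100.10,6081,captive-portal,allow
2026/05/06 09:12:12,203.0.113.45,198.51.100.10,6081,captive-portal,allow
2026/05/06 09:15:44,10.0.0.1,192.0.2.77,443,ssl,allow
2026/05/06 09:16:02,10.0.0.1,10.0.9.5,514,syslog,allow
"""


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage_traffic_log(csv_text: str) -> dict:
    """Return portal hits from external sources (per source, with counts)
    and outbound connections originated by the firewall to external hosts."""
    external_portal = Counter()
    firewall_outbound = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        src, dst, dport = row["src"], row["dst"], int(row["dport"])
        # Bullet 1: portal reached from outside the internal ranges.
        if dport in PORTAL_PORTS and not is_internal(src):
            external_portal[src] += 1
        # Bullet 2: the firewall itself talking to a non-private destination.
        if src == FIREWALL_MGMT_IP and not is_internal(dst):
            firewall_outbound.append((row["receive_time"], dst, dport))
    return {
        "external_portal_sources": dict(external_portal),
        "firewall_outbound": firewall_outbound,
    }


if __name__ == "__main__":
    findings = triage_traffic_log(SAMPLE_TRAFFIC_LOG)
    for src, count in findings["external_portal_sources"].items():
        print(f"portal reached from external {src}: {count} connection(s)")
    for when, dst, port in findings["firewall_outbound"]:
        print(f"firewall -> {dst}:{port} at {when}")
```

Any non-empty result is a lead, not a verdict: an external source hitting the portal at all means the exposure described in the advisory exists, and firewall-originated traffic to an unfamiliar destination deserves the same escalation as the compromise indicators in the next section.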
5. Check for Signs of Compromise
If you suspect your firewall may have already been targeted, warning signs to look for include:
- Configuration changes you didn't make
- New or unfamiliar admin accounts
- Unexpected traffic routing or policy modifications
- Firewall reboots or crashes around recent dates with no clear cause
If you see any of these and can't explain them, treat the device as potentially compromised and escalate immediately.
Why This Matters for Yuba City Small Businesses
Palo Alto Networks firewalls are common in small and mid-sized business environments — they're considered premium security appliances. The cruel irony here is that the very device meant to protect your network is the one attackers are targeting. Root-level access to a firewall means an attacker can see all your traffic, redirect connections, disable protections, and move freely into your internal network.
If your business runs Palo Alto hardware and you're not sure how to check your version, assess your portal exposure, or apply these mitigations safely, that's exactly the kind of situation where having a knowledgeable IT partner matters. Our team at Computer Works offers business IT support for situations like this — we're happy to help you assess your exposure without the pressure.
The Bottom Line
CVE-2026-0300 is a 9.3-severity, actively exploited, root-level remote code execution flaw in Palo Alto PAN-OS. Patches begin rolling out May 13, 2026. Until then, your most important steps are: restrict the User-ID Authentication Portal to trusted internal IPs, disable it if you don't need it, and watch your logs closely.
Don't assume that because exploitation is currently "limited" it will stay that way. Once a working exploit is in the wild against a high-value target like a firewall, the window between "limited" and "widespread" can close very quickly.