Palo Alto Firewall Flaw CVE-2026-0300: Exploit Code Is Public and Patches Are Coming May 13 — Here's What to Do Now
Update note: We covered the initial disclosure of this vulnerability earlier this week. Since then, the situation has escalated significantly: exploit code has been publicly released, CISA has issued an emergency federal directive, and Palo Alto Networks has published a detailed patch timeline. Here's everything that's changed and what you need to do right now.
If your business is running a Palo Alto Networks firewall, this week just got a lot more urgent. What started as a newly disclosed vulnerability is now a fully active, publicly exploitable crisis — and regulators are treating it that way too.
What Happened: The Short Version
Palo Alto Networks has confirmed that CVE-2026-0300, a critical buffer overflow vulnerability in its PAN-OS software, is being actively exploited in the wild. The flaw carries a CVSS severity score of 9.3 out of 10 when the affected portal is exposed to the internet — one of the highest possible ratings a vulnerability can receive.
What makes this week's situation more dangerous than Tuesday's initial reports: according to The Record, exploit code was publicly released, triggering a wave of exploitation attempts by multiple threat actors almost immediately after. Once exploit code goes public, the window between "vulnerability disclosed" and "your network is compromised" shrinks dramatically.
What the Flaw Actually Does
This isn't a garden-variety software bug. Security Affairs explains it clearly: CVE-2026-0300 is a buffer overflow in the User-ID Authentication Portal (also called the Captive Portal) service of PAN-OS. An unauthenticated attacker — meaning someone with zero credentials — can send specially crafted network packets to execute arbitrary code with root privileges on affected firewalls.
In plain English: if your firewall's authentication portal is reachable from the internet and you haven't applied mitigations, an attacker can potentially take full control of your firewall without ever logging in. From there, they can intercept traffic, pivot deeper into your network, or disable your security controls entirely.
The attacks specifically target PA-Series and VM-Series firewalls on which the User-ID Authentication Portal is configured to be publicly accessible.
Which Versions Are Affected
According to The Hacker News, the following PAN-OS versions are vulnerable:
- PAN-OS 12.1 — versions below 12.1.4-h5 or 12.1.7
- PAN-OS 11.2 — versions below 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, or 11.2.12
- PAN-OS 11.1 — versions below 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, or 11.1.15
- PAN-OS 10.2 — versions below 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, or 10.2.18-h6
Notably, Prisma Access, Cloud NGFW, and Panorama appliances are not affected by this vulnerability.
When Are Patches Coming?
Security Affairs reports that Palo Alto Networks is rolling out patches on a staggered schedule:
- May 13, 2026 — patches for several versions of PAN-OS 12.1, 11.2, 11.1, and 10.2 (this is the first wave and covers the most widely deployed versions)
- May 28, 2026 — patches for additional version branches
Incident response firm Rapid7 estimated that patches for many versions would arrive by May 13 — which aligns with Palo Alto's own published timeline. If you're running a version that falls into the May 28 window, you have a longer exposure period and mitigation becomes even more critical.
CISA Is Treating This as an Emergency
The Record reports that the Cybersecurity and Infrastructure Security Agency (CISA) confirmed active exploitation and ordered all U.S. federal agencies to apply Palo Alto's mitigations by Saturday. Federal emergency directives don't get issued for hypothetical threats — this is the government's way of saying the situation is real, active, and urgent.
While that order technically applies to federal agencies, Yuba City small businesses running Palo Alto hardware would be wise to treat it as a signal and act with the same urgency.
What You Can Do Right Now (Before the Patch Arrives)
Since patches aren't yet fully available, Palo Alto Networks and security researchers recommend these immediate steps:
1. Check your User-ID Authentication Portal exposure. Log into your firewall management interface and determine whether the User-ID Authentication Portal (Captive Portal) is enabled and whether it's accessible from untrusted networks or the public internet. If it's publicly exposed, that's your most urgent problem.
2. Restrict access to trusted internal IPs only. The Hacker News notes that the CVSS severity score is 8.7 when access to the portal is restricted to only trusted internal IP addresses, compared to 9.3 when exposed to untrusted networks. While still a serious vulnerability at 8.7, restricting the portal to trusted networks meaningfully reduces your attack surface with a configuration change