Impact statement: PAN-OS CVE-2026-0300 is a critical firewall vulnerability affecting Palo Alto Networks PA-Series and VM-Series firewalls when the User-ID Authentication Portal, also called Captive Portal, is enabled and reachable from untrusted networks. Palo Alto Networks rates it Critical with CVSS 9.3, marks exploit maturity as attacked, and says limited exploitation has been observed against exposed portals.
This is an edge-security emergency because the affected component sits on the network perimeter. If your firewall uses Authentication Portal and that portal can be reached from the internet or another untrusted zone, treat this as urgent: restrict the portal now, disable it if you do not need it, apply Threat Prevention coverage if available, and schedule fixed PAN-OS releases as soon as your supported branch has one.
Who Is Affected
The risk applies to PA-Series and VM-Series firewalls running affected PAN-OS versions when the required exposure configuration is present. Palo Alto’s advisory says Prisma Access, Cloud NGFW, and Panorama appliances are not impacted by this vulnerability.
The highest-risk configuration is:
- User-ID Authentication Portal is enabled.
- A management interface profile with response pages enabled is attached to an L3 interface where internet or other untrusted traffic can arrive.
- The portal is reachable outside trusted internal networks or trusted VPN/admin paths.
Affected PAN-OS Branches
As of May 10, 2026, Palo Alto’s advisory lists the following affected branches and planned fixed releases. Use the vendor advisory as the source of truth before starting a maintenance window, because the release table can change quickly during an active incident.
| PAN-OS branch | Affected before | Fixed releases listed by Palo Alto |
|---|---|---|
| 12.1 | 12.1.4-h5 and 12.1.7 paths | 12.1.4-h5, 12.1.7 |
| 11.2 | 11.2.4, 11.2.7, 11.2.10, and 11.2.12 paths | 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, 11.2.12 |
| 11.1 | 11.1.4, 11.1.6, 11.1.7, 11.1.10, 11.1.13, and 11.1.15 paths | 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, 11.1.15 |
| 10.2 | 10.2.7, 10.2.10, 10.2.13, 10.2.16, and 10.2.18 paths | 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, 10.2.18-h6 |
What To Do Right Now
- Confirm whether Authentication Portal is enabled. In the firewall GUI, check Device > User Identification > Authentication Portal Settings.
- Confirm where response pages are enabled. In the GUI, check Network > Interface, select the relevant interface, then review the advanced management interface profile settings.
- Remove untrusted reachability. Restrict Authentication Portal access to trusted internal zones only, and remove response-page exposure from interfaces that receive internet or other untrusted traffic.
- Disable Authentication Portal if it is not required. This is the cleanest mitigation for environments that do not actively use it.
- Apply Threat Prevention coverage if available. Palo Alto says customers with a Threat Prevention subscription can block attacks for this vulnerability with Threat ID 510019 from Applications and Threats content version 9097-10022. PAN-OS 11.1 or later is required for that Threat ID support.
- Plan the PAN-OS update. Track the fixed release for your branch, read the release notes, back up configuration, and patch in a controlled maintenance window.
Safe Version Checks
These checks do not validate the vulnerability against a target. They only help an administrator identify the local firewall branch, HA state, and update posture.
```
show system info | match sw-version
show system info | match model
show high-availability state
show jobs all
```
For Panorama-managed fleets, inventory every managed firewall, including lab, standby, remote-office, and VM-Series devices. Do not assume the high-availability peer, spare unit, or cloud-hosted firewall is on the same release as the active unit.
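Added example, not part of the original article or any Palo Alto tooling: a Python check that classifies an inventory of `sw-version` values against the fixed-release table above and reports whether the Threat ID 510019 prerequisites stated on this page are met. The hostnames and versions in the inventory are constructed, and the comparison rules marked as assumptions in the comments are this example's reading of the table, not vendor logic.

```python
import re
# Fixed releases copied from this page's table (as of May 10, 2026).
FIXED = {
    "12.1": ["12.1.4-h5", "12.1.7"],
    "11.2": ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15"],
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6"],
}
# Threat ID 510019 prerequisites as stated on this page.
MIN_CONTENT, MIN_TP_BRANCH = (9097, 10022), (11, 1)
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse(version):
    """'11.1.6-h32' -> ((11, 1), 6, 32); a missing hotfix counts as 0."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = (int(g or 0) for g in m.groups())
    return (major, minor), maint, hotfix

def patch_status(version):
    """Return 'fixed', 'needs-update' or 'unlisted-branch'."""
    branch, maint, hotfix = parse(version)
    key = "%d.%d" % branch
    if key not in FIXED:
        return "unlisted-branch"  # not in the table: check the advisory
    fixes = [parse(v)[1:] for v in FIXED[key]]
    for f_maint, f_hotfix in fixes:
        # Assumption: on a listed maintenance train the hotfix must reach the listed one.
        if maint == f_maint:
            return "fixed" if hotfix >= f_hotfix else "needs-update"
    # Assumption: only trains newer than the newest listed fix carry it.
    return "fixed" if maint > max(f[0] for f in fixes) else "needs-update"

def threat_id_usable(sw_version, content_version):
    """True when PAN-OS is 11.1+ and content is at least 9097-10022."""
    content = tuple(int(p) for p in content_version.split("-"))
    return parse(sw_version)[0] >= MIN_TP_BRANCH and content >= MIN_CONTENT

# Constructed inventory: hostname -> (sw-version, content version).
INVENTORY = {
    "edge-fw-a": ("11.1.6-h32", "9097-10022"),
    "edge-fw-b": ("11.1.6-h29", "9090-9950"),  # HA peer on an older hotfix
    "dr-fw-1": ("10.1.14", "9097-10022"),      # branch absent from the table
}

def audit(inventory):
    """Map each host to (patch status, Threat ID 510019 usable)."""
    return {h: (patch_status(s), threat_id_usable(s, c)) for h, (s, c) in inventory.items()}
```

Treat any `unlisted-branch` result as a prompt to read the vendor advisory, since the table on this page says nothing about that branch.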
Patch Planning For HA Pairs And Hosting Networks
If this firewall protects hosting, customer VPN, management, RDP, SSH, mail, or control-panel traffic, plan the change like an edge maintenance event, not like a routine desktop update.
- Export a named configuration snapshot and device state before making changes.
- Confirm HA health before the upgrade, including peer state, interface health, route health, and session synchronization.
- Apply the mitigation first so exposure is reduced before the full PAN-OS update is available or installed.
- Upgrade the passive peer first, confirm it returns cleanly, then fail over during the planned window and upgrade the second peer.
- After both units are patched, verify PAN-OS version, dynamic content version, HA state, VPN tunnels, NAT, security policy hits, logging, and monitoring alerts.
Logs And Review Items
Because the vendor and CISA both treat this as an active-attack risk, do a defensive review after mitigation. Keep it practical and focused:
- Review traffic and threat logs for unusual access to Authentication Portal from untrusted networks.
- Review system logs for unexpected restarts, configuration changes, HA events, or content update failures.
- Review administrator accounts, API keys, Panorama pushes, and recent commits for changes nobody can explain.
- Check VPN, directory, and firewall-integrated identity logs for unusual authentication flow around the exposure window.
- If anything looks wrong, preserve evidence, isolate management access, rotate affected credentials, and open a vendor or incident-response case.
Customer Communication
For MSPs, hosting providers, and businesses with customer-facing systems behind Palo Alto firewalls, the customer message should stay calm and specific:
- A critical PAN-OS firewall issue is under active mitigation.
- The risky portal exposure is being restricted or disabled before the full software update path is completed.
- A maintenance window may briefly affect VPN, routing, or edge-filtering availability during HA failover or reboot.
- After the window, the team will verify firewall version, HA status, VPNs, security policies, and logs.
Fix I.T. Phill Guidance
Do not wait for every fixed build if your Authentication Portal is exposed. The correct defensive order is mitigation first, patch second, verification third. If you do not use Authentication Portal, disable it. If you do use it, keep it reachable only from trusted internal paths and remove response-page exposure from untrusted interfaces.
For hosting networks, also check the systems behind the firewall after the edge is secured. A firewall compromise can create downstream risk for management jump boxes, domain controllers, backup systems, control panels, and customer workloads. The firewall patch is the start of the cleanup, not the entire cleanup.
Sources
- Palo Alto Networks Security Advisory for CVE-2026-0300
- NVD entry for CVE-2026-0300, including CISA KEV details
- CISA Known Exploited Vulnerabilities Catalog search for CVE-2026-0300
- Unit 42 threat brief for CVE-2026-0300
- BleepingComputer coverage of PAN-OS CVE-2026-0300 exploitation
- Help Net Security coverage of PAN-OS CVE-2026-0300
