
CVE-2026-0300: Palo Alto PAN-OS Zero-Day Gives Attackers Root on Your Perimeter Firewall

A critical buffer overflow in Palo Alto PAN-OS User-ID Authentication Portal is being exploited in the wild—giving attackers root-level code execution on PA-Series and VM-Series firewalls without any credentials.

FyntraLink Team

On May 6, 2026, Palo Alto Networks disclosed CVE-2026-0300—a buffer overflow vulnerability in the User-ID Authentication Portal (Captive Portal) of PAN-OS that allows an unauthenticated attacker to execute arbitrary code with root privileges. Hours later, CISA added it to the Known Exploited Vulnerabilities catalog with a three-day remediation deadline. For any Saudi financial institution running PA-Series or VM-Series firewalls at the network perimeter, this is not a theoretical risk—it is an active threat demanding immediate action.

How CVE-2026-0300 Works: From Two Packets to Full Root Access

The vulnerability resides in the way PAN-OS parses authentication requests within the User-ID Authentication Portal service. When a firewall is configured to use Captive Portal for user identification—a common deployment in enterprises enforcing identity-based security policies—the portal listens for HTTP and HTTPS connections from endpoints that have not yet authenticated.

An attacker can craft a specially formed authentication packet that overflows an internal buffer in the portal's parsing logic. Because the portal service runs with root-level privileges on PAN-OS, successful exploitation grants the attacker complete control over the firewall appliance. No valid credentials, no VPN tunnel, no prior foothold is required. If the portal is reachable, the firewall is vulnerable.

Palo Alto Networks assigned a CVSS score of 9.3 when the portal is exposed to the internet or untrusted networks, and 8.7 when access is restricted to trusted internal IP addresses. Both scores place the vulnerability firmly in the critical category.

Affected Versions and Patch Timeline

The vulnerability impacts a wide range of PAN-OS releases across the 10.2, 11.1, 11.2, and 12.1 branches. Specifically, PAN-OS 12.1 versions prior to 12.1.4-h5 and 12.1.7, PAN-OS 11.2 versions prior to 11.2.4-h17 and 11.2.12, PAN-OS 11.1 versions prior to 11.1.4-h33 and 11.1.15, and PAN-OS 10.2 versions prior to 10.2.7-h34 and 10.2.18-h6 are all affected. Prisma Access, Cloud NGFW, and Panorama appliances are not impacted.

Palo Alto Networks began releasing fixed builds on May 13, 2026, with a second wave of patches scheduled for May 28. This creates a dangerous patch gap—organizations that cannot immediately upgrade must rely on mitigations to reduce exposure during the interim period.

Active Exploitation in the Wild

Limited but confirmed exploitation has been observed targeting User-ID Authentication Portals exposed to the public internet. Threat intelligence from Wiz, Rapid7, and Arctic Wolf confirms that attackers are actively scanning for vulnerable portals and attempting exploitation. The attack chain is straightforward: identify an exposed Captive Portal endpoint, send the crafted overflow payload, and gain a root shell on the firewall.

What makes this particularly dangerous is the position of the compromised asset. A firewall with root-level access gives an attacker the ability to intercept all traffic passing through the device, modify security policies to create persistent backdoors, pivot into internal network segments, disable logging and alerting to cover their tracks, and extract VPN configurations and credentials stored on the appliance. For a financial institution, a compromised perimeter firewall is equivalent to handing an attacker the keys to the entire network.

Direct Impact on Saudi Financial Institutions

Palo Alto Networks firewalls are among the most widely deployed perimeter security devices in Saudi Arabia's financial sector. Banks, insurance companies, fintech firms, and payment processors regulated by SAMA rely heavily on PA-Series appliances for network segmentation, threat prevention, and user identification—the exact feature targeted by CVE-2026-0300.

SAMA's Cyber Security Common Controls (CSCC) framework explicitly mandates robust perimeter defense and network segmentation under Domain 3 (Cyber Security Operations and Technology). A compromised firewall directly violates the control objectives for network security monitoring, access control enforcement, and security event logging. Beyond CSCC, the NCA Essential Cybersecurity Controls (ECC) require organizations to maintain vulnerability management processes that address critical vulnerabilities within defined SLAs—typically 48 hours for actively exploited flaws of this severity.

Under PDPL, a compromised firewall that leads to unauthorized access to customer data triggers mandatory breach notification obligations. The reputational and regulatory consequences for a SAMA-regulated entity that suffers a breach through a known, actively exploited vulnerability with available mitigations would be severe.

Recommended Mitigation and Response Actions

  1. Audit User-ID Portal exposure immediately. Identify every PA-Series and VM-Series firewall in your environment with the User-ID Authentication Portal enabled. Determine whether the portal is accessible from untrusted networks or the internet. If it is, restrict access to trusted internal IP addresses as an emergency mitigation.
  2. Apply patches as they become available. Monitor Palo Alto Networks security advisories for your specific PAN-OS version. Schedule emergency maintenance windows to deploy fixes as soon as they are released for your branch. Do not wait for the next regular patching cycle.
  3. Hunt for indicators of compromise. Review firewall logs for unusual authentication portal activity, unexpected process execution, or configuration changes that were not authorized through your change management process. Pay particular attention to any signs of lateral movement originating from the firewall's management interface.
  4. Implement network-level controls. Place Web Application Firewall (WAF) rules or IPS signatures in front of exposed portals to filter malformed authentication packets. If your organization uses Threat Prevention subscriptions, ensure signatures for CVE-2026-0300 are deployed and enforced.
  5. Activate your incident response plan. If you discover any evidence of exploitation, treat it as a confirmed breach. Isolate the affected firewall, preserve forensic evidence, and engage your incident response team. Under SAMA CSCC, reportable cyber incidents must be communicated to the regulator within the prescribed timeframe.
  6. Review your vulnerability management SLAs. This event is a stress test for your patching process. If your organization cannot respond to an actively exploited critical vulnerability within 48 hours, your vulnerability management program needs recalibration to meet NCA ECC and SAMA CSCC expectations.
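Steps 1 and 2 above come down to one question per firewall: is its running build older than the fixed builds listed in the "Affected Versions and Patch Timeline" section, and is its portal reachable from an untrusted network? The following Python script is an added example (not FyntraLink's or Palo Alto Networks' code) that answers that question for an inventory of version strings collected from each device (the `show system info` CLI output, for instance). It encodes only the fixed builds named on this page, handles the `-hN` hotfix suffix so that 12.1.5 is correctly reported as affected even though it is numerically newer than 12.1.4-h5, and flags branches this page does not list rather than guessing. The assumption that a maintenance release newer than the last listed fix on a branch (for example 12.1.8 after 12.1.7) also carries the fix is mine, not the advisory's; the hostnames and versions in the sample inventory are constructed.

```python
"""Triage PAN-OS firewall versions against the CVE-2026-0300 fixed builds.

Added example; not vendor code. The fixed-build list is copied from the
advisory text on this page, and the inventory below is constructed sample data.
"""
import re
from dataclasses import dataclass

# Fixed builds per PAN-OS branch, exactly as listed in the advisory text.
FIXED_BUILDS = {
    "12.1": ["12.1.4-h5", "12.1.7"],
    "11.2": ["11.2.4-h17", "11.2.12"],
    "11.1": ["11.1.4-h33", "11.1.15"],
    "10.2": ["10.2.7-h34", "10.2.18-h6"],
}

# major.minor.maintenance with an optional "-h<N>" hotfix suffix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


@dataclass(frozen=True)
class PanOsVersion:
    major: int
    minor: int
    maint: int
    hotfix: int = 0  # 0 means "no hotfix suffix"

    @classmethod
    def parse(cls, text):
        m = VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
        major, minor, maint, hotfix = m.groups()
        return cls(int(major), int(minor), int(maint), int(hotfix or 0))

    @property
    def branch(self):
        return f"{self.major}.{self.minor}"

    @property
    def base(self):
        # Comparable tuple without the hotfix number.
        return (self.major, self.minor, self.maint)


def classify(text):
    """Return 'fixed', 'affected' or 'not-listed' for one version string."""
    v = PanOsVersion.parse(text)
    fixed = FIXED_BUILDS.get(v.branch)
    if fixed is None:
        # Branch not named on the page: do not guess, send the reader to the advisory.
        return "not-listed"
    fixed_versions = [PanOsVersion.parse(f) for f in fixed]
    latest = max(fixed_versions, key=lambda f: (f.base, f.hotfix))
    for f in fixed_versions:
        # A hotfix build only fixes its own maintenance release, so the base
        # must match exactly and the hotfix number must be at least the fix's.
        if v.base == f.base and v.hotfix >= f.hotfix:
            return "fixed"
    # Assumption (mine, not the advisory's): a maintenance release newer than
    # the latest listed fix on the branch also carries the fix.
    if v.base > latest.base:
        return "fixed"
    return "affected"


def triage(inventory):
    """inventory: iterable of (hostname, version, portal_exposed_to_untrusted).

    Returns {hostname: (status, recommended_action)}; exposed and affected
    devices get the emergency mitigation from step 1 as well as the patch.
    """
    report = {}
    for host, version, exposed in inventory:
        status = classify(version)
        if status == "affected":
            action = "patch now; restrict portal" if exposed else "patch in emergency window"
        elif status == "fixed":
            action = "no action"
        else:
            action = "check vendor advisory"
        report[host] = (status, action)
    return report


SAMPLE_INVENTORY = [  # constructed sample data, not real devices
    ("fw-dmz-01", "11.1.4-h31", True),
    ("fw-dmz-02", "11.1.4-h33", True),
    ("fw-core-01", "12.1.5", False),
    ("fw-core-02", "12.1.7", False),
    ("fw-branch-01", "10.2.18-h2", True),
    ("fw-lab-01", "11.0.3", False),
]

if __name__ == "__main__":
    for host, (status, action) in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {status:10} {action}")
```

Feed it the full firewall inventory rather than a sample, and treat every "not-listed" result as a prompt to read the vendor advisory for that branch, not as a clean bill of health.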

Conclusion

CVE-2026-0300 is a stark reminder that perimeter security devices themselves can become the attack surface. When the firewall protecting your network becomes the entry point for attackers, every asset behind it is at risk. Saudi financial institutions must treat this vulnerability with the urgency it demands—audit exposure, apply mitigations immediately, patch as soon as builds are available, and hunt for signs of compromise.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and ensure your perimeter defenses meet regulatory expectations before the next zero-day lands.