PAN-OS CVE-2026-0300: Critical RCE Threat to SAMA Banks

CISA added Palo Alto PAN-OS CVE-2026-0300 to its KEV catalog after limited in-the-wild exploitation. Saudi banks exposing the User-ID Authentication Portal face an unauthenticated root RCE on the perimeter — here is what SAMA CSCC requires you to do now.

FyntraLink Team

A new unauthenticated remote code execution flaw in Palo Alto Networks PAN-OS — tracked as CVE-2026-0300 — is being exploited in the wild against internet-exposed firewalls. With a CVSS score of 9.3 and confirmed root-level access, the vulnerability landed in the CISA Known Exploited Vulnerabilities catalog on 6 May 2026, giving Saudi financial institutions a very narrow window to respond before official patches arrive on 13 May.

Inside CVE-2026-0300: Unauthenticated Root RCE on the Perimeter

The flaw lives in the User-ID Authentication Portal (commonly known as the Captive Portal) on PA-Series and VM-Series firewalls. By sending specially crafted packets, an unauthenticated attacker can trigger a buffer overflow and execute arbitrary code as root on the firewall itself. Palo Alto's PSIRT confirmed limited exploitation against deployments where the portal is reachable from untrusted networks. Prisma Access, Cloud NGFW, and Panorama are not affected, but the affected products represent the workhorse perimeter for most Saudi enterprise environments.

What makes this particularly dangerous is the position of the asset. A compromised PAN-OS firewall is not an internal endpoint — it is the trust anchor that segments your DMZ from the internet, terminates GlobalProtect VPN tunnels, and enforces application-layer policy. Root code execution on that device is the cyber equivalent of handing the attacker the master key to your cardholder data environment.

How Attackers Are Operating Pre-Patch

Telemetry shared by Unit 42 and Wiz indicates the activity began as targeted exploitation against User-ID portals exposed to untrusted IP space. Once root is achieved, threat actors have been observed dropping persistence webshells in PAN-OS web directories, harvesting GlobalProtect credentials, and pivoting toward the management plane to add backdoor administrative accounts. The pattern mirrors prior Palo Alto zero-days such as the captive portal abuse documented by Unit 42, where edge-device compromise led directly to data theft inside the enterprise.

This is a textbook example of the pre-CVE and same-day exploitation problem now plaguing edge appliances — the same dynamic seen with Citrix NetScaler, Ivanti Connect Secure, and Fortra GoAnywhere over the past 18 months. By the time a CVE is publicly disclosed, sophisticated operators have often already established footholds.

Impact on SAMA-Regulated Financial Institutions

For Saudi banks, payment service providers, and fintechs, this vulnerability touches several SAMA Cyber Security Framework control families simultaneously. Under the SAMA CSCC, Network Security (3.3.10) and Cryptography (3.3.13) controls require firewalls and VPN concentrators to be hardened, patched within defined SLAs, and segmented from untrusted networks. NCA ECC subdomains 2-5 (Network Security) and 2-13 (Vulnerability Management) impose parallel obligations, while PCI-DSS v4.0 requirements 1.2 and 6.3.3 demand documented remediation of critical vulnerabilities within 30 days — and effectively immediately when active exploitation is confirmed.

If your institution processes cardholder data behind a vulnerable PA-Series firewall and that firewall is compromised, you are not just facing a technical incident. You are facing a reportable breach under the PDPL, a Section 7 disclosure obligation to SAMA, and potential PCI-DSS scope expansion that could trigger a forensic investigation by your acquirer.

Recommended Actions and Practical Steps

  1. Inventory every PA-Series and VM-Series firewall running PAN-OS 10.1, 10.2, 11.0, 11.1, or 11.2 and identify any with the User-ID Authentication Portal enabled — search your configurations for "captive-portal" and "authentication-policy" rule references.
  2. Apply the immediate workaround: restrict the Authentication Portal to trusted zones only, and disable Response Pages on every Layer-3 interface that touches untrusted traffic. This neutralises the attack vector until patches are available.
  3. Hunt for indicators of compromise. Review HTTP request logs to portal interfaces for malformed requests, examine system.log for unexpected process executions, and audit administrative accounts created or modified in the last 30 days.
  4. Stage the official PAN-OS patches expected from 13 May 2026 in a non-production environment, then deploy to production within your SAMA CSCC-defined critical patch SLA — typically 72 hours for actively exploited CVEs.
  5. Rotate all credentials that may have transited the affected appliance: GlobalProtect user secrets, RADIUS shared secrets, LDAP bind passwords, and any service accounts referenced in User-ID mappings.
  6. Open an incident ticket in your SOC even if no compromise is confirmed. Document the assessment, mitigations, and timeline — this evidence is what auditors and SAMA Banking Supervision will ask for in your next review.
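As a defender-side helper for steps 1 and 2 above (an added example, not Fyntralink's or Palo Alto's code): audit a PAN-OS-style XML configuration export for a portal that is enabled and still reachable from untrusted zones through Response Pages. The element paths, zone names and the embedded sample config are assumptions modelled on PAN-OS exports, not values taken from the article.

```python
import xml.etree.ElementTree as ET

# Constructed sample export (not a real firewall config). Element names follow
# the PAN-OS layout as an assumption; adjust the paths to match your own exports.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
  <network>
    <interface><ethernet>
      <entry name="ethernet1/1"><layer3>
        <interface-management-profile>allow-pages</interface-management-profile></layer3></entry>
      <entry name="ethernet1/2"><layer3>
        <interface-management-profile>locked-down</interface-management-profile></layer3></entry>
    </ethernet></interface>
    <profiles><interface-management-profile>
      <entry name="allow-pages"><response-pages>yes</response-pages></entry>
      <entry name="locked-down"><response-pages>no</response-pages></entry>
    </interface-management-profile></profiles>
  </network>
  <vsys><entry name="vsys1">
    <zone>
      <entry name="untrust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
      <entry name="trust"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
    </zone>
    <captive-portal><enable-captive-portal>yes</enable-captive-portal></captive-portal>
  </entry></vsys>
</entry></devices></config>"""

UNTRUSTED_ZONES = {"untrust", "dmz"}  # assumption: zone names are site-specific

def audit_portal_exposure(config_xml, untrusted_zones=UNTRUSTED_ZONES):
    """Report whether the portal is on and which untrusted-zone interfaces still permit Response Pages."""
    root = ET.fromstring(config_xml)
    enabled = any((e.text or "").strip() == "yes"
                  for e in root.iter("enable-captive-portal"))
    # Management profiles whose Response Pages service is switched on
    page_profiles = {
        p.get("name") for p in root.findall(".//profiles/interface-management-profile/entry")
        if (p.findtext("response-pages") or "").strip() == "yes"}
    # Layer-3 ethernet interface -> management profile it references
    iface_profile = {
        i.get("name"): (i.findtext("layer3/interface-management-profile") or "").strip()
        for i in root.findall(".//interface/ethernet/entry")}
    exposed = []
    for zone in root.findall(".//zone/entry"):
        if zone.get("name") not in untrusted_zones:
            continue
        for member in zone.findall("network/layer3/member"):
            profile = iface_profile.get(member.text.strip(), "")
            if profile in page_profiles:  # portal reachable from untrusted space
                exposed.append((member.text.strip(), zone.get("name"), profile))
    return {"portal_enabled": enabled, "exposed_interfaces": exposed}
```

An empty `exposed_interfaces` list after applying the workaround is the evidence to attach to the SOC ticket from step 6; a non-empty list names the interface, zone and profile still to be fixed.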

Conclusion

CVE-2026-0300 is a stark reminder that the security perimeter itself is now the most contested terrain in financial cybersecurity. For SAMA-regulated institutions, treating edge appliances as set-and-forget infrastructure is no longer defensible — every firewall is an internet-facing application that demands continuous vulnerability management, configuration assurance, and threat hunting.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment covering your perimeter security posture, KEV exposure, and patch governance program.