Palo Alto Networks has warned customers about a critical unpatched zero-day vulnerability in its PAN-OS User-ID Authentication Portal that is already being exploited in real-world attacks.

Tracked as CVE-2026-0300, the flaw affects the PAN-OS User-ID Authentication Portal, also known as the Captive Portal, a feature used to authenticate users whose identities cannot automatically be mapped by the firewall. The vulnerability is caused by a buffer overflow issue that allows unauthenticated attackers to execute arbitrary code with root privileges on internet-exposed PA-Series and VM-Series firewalls using specially crafted packets.

According to Palo Alto Networks, the attacks are currently limited but are specifically targeting User-ID Authentication Portals exposed to untrusted IP addresses or the public internet. The company said organizations that follow security best practices, such as restricting sensitive portals to trusted internal networks, face significantly lower risk.

Security monitoring organization Shadowserver says more than 5,800 PAN-OS VM-Series firewalls are currently exposed online, with most systems located in Asia and North America. Administrators can check whether the vulnerable service is enabled by navigating to Device > User Identification > Authentication Portal Settings and verifying whether the “Enable Authentication Portal” option is active.

At the moment, no patch is available. Palo Alto Networks strongly recommends restricting access to the User-ID Authentication Portal to trusted zones only or disabling the feature entirely until security updates are released.

