PAN-OS: Unauthenticated user initiated Buffer Overflow Vulnerability in User-ID™ Authentication Portal

Act Now | CVSS 9.3 | CVE-2026-0300 | May 5, 2026
Palo Alto Networks
IT in OT - Palo Alto firewalls are commonly deployed at IT/OT network boundaries
Summary

A buffer overflow vulnerability in the User-ID Authentication Portal (Captive Portal) service of Palo Alto Networks PAN-OS allows an unauthenticated attacker to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending specially crafted packets. The vulnerability is exploitable from any network that can reach the portal service. Risk is significantly reduced if the portal is restricted to trusted internal IP addresses per Palo Alto Networks best practices.

What this means
What could happen
An unauthenticated attacker can execute arbitrary code with root privileges on your Palo Alto Networks firewall by exploiting a buffer overflow in the User-ID Authentication Portal, potentially allowing complete control of firewall traffic and access policies.
Who's at risk
Organizations running Palo Alto Networks PA-Series or VM-Series firewalls with the User-ID Authentication Portal (Captive Portal) enabled. This affects any environment using these firewalls for network access control or user authentication. Prisma Access, Cloud NGFW, and Panorama appliances are not affected.
How it could be exploited
An attacker sends specially crafted packets to the User-ID Authentication Portal (Captive Portal) service, which is exposed to untrusted networks. The malformed input triggers a buffer overflow in the portal service, allowing the attacker to inject and execute arbitrary code with root privileges on the firewall appliance.
Prerequisites
  • Network access to the User-ID Authentication Portal (typically port 443 or 8443)
  • Portal must be reachable from the attacker's network
  • No authentication credentials required
  • Remotely exploitable
  • No authentication required
  • Critical severity (CVSS 9.3)
  • Low complexity attack
  • Affects firewall—impacts all downstream network security decisions
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (6)
6 with fix
Product          Affected Versions    Fix Status
PAN-OS           Below 12.1.4-h5      12.1.4-h5 (ETA: 05/13)
PAN-OS           Below 12.1.7         12.1.7 (ETA: 05/28)
Prisma Access    Below 11.2.4-h17     11.2.4-h17 (ETA: 05/28)
Prisma Access    Below 11.2.7-h13     11.2.7-h13 (ETA: 05/13)
Prisma Access    Below 11.2.10-h6     11.2.10-h6 (ETA: 05/13)
Prisma Access    Below 11.2.12        11.2.12 (ETA: 05/28)
Remediation & Mitigation
Do now
WORKAROUND: Restrict User-ID Authentication Portal access to only trusted internal IP addresses or zones per Palo Alto Networks guidelines
WORKAROUND: Disable the User-ID Authentication Portal if it is not required for your operations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

PAN-OS
HOTFIX: Update PAN-OS to 12.1.4-h5 or later (if running 12.1.4 and below) or 12.1.7 or later (if running 12.1.5-12.1.6)
Prisma Access
HOTFIX: Update Prisma Access to the latest patched version: 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, or 11.2.12 depending on your current deployment
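To triage a firewall inventory against the fixed releases listed above, the following added example (not code from this advisory or from Palo Alto Networks) maps a running version to its patch target. It assumes version strings of the form major.minor.maintenance[-hN], treats releases newer than the highest listed fix as carrying it, and uses constructed hostnames; it does not check whether the portal is enabled or exposed.

```python
import re

# Fixed releases as listed in the advisory's affected-products table.
PAN_OS_FIXES = ["12.1.4-h5", "12.1.7"]
PRISMA_ACCESS_FIXES = ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"]

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse(version):
    """'12.1.4-h5' -> (12, 1, 4, 5); a release without a hotfix gets hotfix 0."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognized version string: {version!r}")
    return tuple(int(g or 0) for g in m.groups())

def fmt(v):
    return f"{v[0]}.{v[1]}.{v[2]}" + (f"-h{v[3]}" if v[3] else "")

def assess(version, fixes):
    """Return (status, target); status is 'fixed', 'vulnerable' or 'unlisted'."""
    v = parse(version)
    # Only compare against fixes on the same major.minor release train.
    train = sorted(f for f in map(parse, fixes) if f[:2] == v[:2])
    if not train:
        return ("unlisted", None)  # the advisory lists no fix for this train
    for f in train:
        # Same maintenance release: fixed once the hotfix number reaches the listed one.
        if v[:3] == f[:3]:
            return ("fixed", None) if v[3] >= f[3] else ("vulnerable", fmt(f))
    # Assumption: a release newer than the highest listed fix includes it.
    if v > train[-1]:
        return ("fixed", None)
    # Otherwise the target is the lowest listed fix above the running version.
    return ("vulnerable", fmt(next(f for f in train if f > v)))

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = {"fw-edge-01": "12.1.3", "fw-ot-dmz": "12.1.4-h5", "fw-plant-02": "12.1.6-h2"}

def audit(inventory, fixes):
    return {host: assess(ver, fixes) for host, ver in inventory.items()}

if __name__ == "__main__":
    for host, (status, target) in audit(INVENTORY, PAN_OS_FIXES).items():
        print(f"{host}: {status}" + (f" -> upgrade to {target}" if target else ""))
```

Devices reported as 'unlisted' run a release train the table does not cover and need a manual check against the vendor advisory.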