Patch Your Palo Alto Firewall Now: PAN-OS Zero-Day Under Active Exploit

Palo Alto Networks has confirmed that CVE-2026-0300, a critical buffer overflow in the User-ID Authentication Portal (also known as the Captive Portal) of PAN-OS, is being actively exploited in the wild. The flaw lets an unauthenticated attacker run code as root on PA-Series and VM-Series firewalls by sending specially crafted packets. CISA added it to the Known Exploited Vulnerabilities catalog on 6 May, with a federal patch deadline of 9 May, as reported by BleepingComputer.

If your Palo Alto firewall has the User-ID Authentication Portal enabled and reachable from the internet, you should treat this as urgent. The CVSS score sits at 9.3 when the portal is exposed externally, and the vulnerability gives root-level remote code execution — the worst possible outcome for a perimeter device. Prisma Access, Cloud NGFW and Panorama appliances are not affected, but most Australian SMBs running on-prem or cloud-hosted PA-Series or VM-Series firewalls are squarely in scope.

Patches are due to begin rolling out from 13 May, with a second round on 28 May. Until then, the practical mitigation is to restrict User-ID Authentication Portal access to trusted internal zones only, and to disable Response Pages on any L3 interface that handles untrusted or internet traffic. If you don’t actually use the Captive Portal, turn it off. Don’t wait for the patch — the exploit is already in use.

Not sure whether your firewall is exposed? Our cybersecurity team can audit your perimeter configuration and apply the recommended mitigations before the patch ships. Worth a quick check this week.
