CVE-2026-0300: Critical Root-Level RCE in PAN-OS Portals

Security Alert

A critical Remote Code Execution (RCE) vulnerability (CVE-2026-0300) has been identified in the User-ID Authentication Portal of Palo Alto Networks PAN-OS. Exploitation is trivial and allows unauthenticated attackers to gain root-level access to affected firewalls. Patch immediately.

Security researchers have disclosed a catastrophic flaw in how PAN-OS handles authentication tokens in its User-ID portal. The vulnerability, designated CVE-2026-0300, carries a CVSS score of 9.8 and is currently being exploited in the wild by state-sponsored threat actors.

Technical Analysis

The flaw resides in memory-unsafe parsing logic within the auth-portal daemon. By sending a specially crafted SAML response to the portal, an attacker can trigger a buffer overflow that leads to arbitrary code execution in the context of the root user.

Affected Versions

  • PAN-OS 11.1 prior to 11.1.4
  • PAN-OS 11.0 prior to 11.0.6
  • PAN-OS 10.2 prior to 10.2.11
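The affected-version list above is easiest to apply across a fleet with a small triage script. The following is an added example written for this page, not code from the advisory or from Palo Alto Networks: it parses PAN-OS version strings (including hotfix suffixes such as `-h1`, which are assumed to follow the base `major.minor.patch` form), compares each against the first fixed release on its train, and lists the devices that still need patching. The hostnames and versions in the sample inventory are constructed.

```python
# Added example: flag PAN-OS versions that fall inside the affected ranges
# named in the advisory. Not vendor code; version-string format is assumed.
from typing import List, Tuple

# (major, minor) train -> first fixed version, as listed in the advisory.
AFFECTED_TRAINS = {
    (11, 1): (11, 1, 4),
    (11, 0): (11, 0, 6),
    (10, 2): (10, 2, 11),
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch' or 'major.minor.patch-hN' into a 3-tuple."""
    # A hotfix suffix such as '-h1' sits on top of the base release; the
    # advisory's thresholds are on the base release, so the suffix is dropped.
    base = version.strip().split("-", 1)[0]
    parts = base.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:          # normalise '11.1' to 11.1.0
        nums.append(0)
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True if the version is on a listed train and older than its fix."""
    v = parse_version(version)
    fixed = AFFECTED_TRAINS.get(v[:2])
    if fixed is None:
        # Train not named in this advisory; this check does not flag it.
        return False
    return v < fixed


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (hostname, version) pairs that still need the patch."""
    return [(host, ver) for host, ver in inventory if is_affected(ver)]


if __name__ == "__main__":
    # Constructed sample inventory; not real devices.
    sample = [
        ("fw-edge-01", "11.1.3"),
        ("fw-edge-02", "11.1.4-h1"),
        ("fw-dc-01", "10.2.10"),
        ("fw-lab-01", "11.2.0"),
    ]
    for host, ver in triage(sample):
        print(f"{host}: PAN-OS {ver} is affected by CVE-2026-0300; upgrade required")
```

Feed `triage()` the output of your device inventory (hostname and `sw-version`) and the result is the patch queue; versions on trains the advisory does not list come back unflagged, so treat those as "check the vendor advisory" rather than "safe".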

Immediate Mitigations

  • Disable the Portal: If not strictly necessary, disable the User-ID Authentication Portal entirely.
  • IP Restrict: Use security policies to restrict access to the portal to known, trusted internal IP addresses.
  • Threat Prevention: Ensure Threat Prevention signatures (ID: 94031) are enabled and set to 'block' mode.

Conclusion

This is a "drop everything and patch" event for network administrators. Given the position of these firewalls as the first line of defense, a compromise here grants attackers a persistent foothold into the core of the enterprise network.