Week 19 – Shield Down: Critical PAN-OS Flaw Exposed

04 – 10 May 2026
Our CVE of the Week is about PAN-OS, which is the specialized operating system that powers all Palo Alto Networks next-generation firewalls (physical, virtual, and cloud). It provides complete visibility and control over network traffic by identifying users, applications, and content, and leverages machine learning to prevent known and unknown threats.
A critical vulnerability, CVE-2026-0300, with a CVSS score of 9.3 has been found in PAN-OS.
A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending specially crafted packets. No user interaction is required.
What is a buffer overflow and why is this vulnerability critical?
A buffer overflow is a common software vulnerability that occurs when a program writes more data to a memory buffer than the buffer is designed to hold. Because the buffer has a fixed capacity, the extra data “overflows” into adjacent memory locations, causing data corruption, program crashes, or security vulnerabilities. Exploitation often relies on carefully crafted input that, when it overflows, overwrites a program’s return address: the saved value that tells the program where to continue executing next.
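The overflow mechanism described above, as an added example that is not PAN-OS code and not part of the original post: a simulated stack frame shows how an unchecked copy changes the adjacent saved return address, and how a length check prevents it. The names `struct frame`, `copy_unchecked`, `copy_checked` and `ret_corrupted` are hypothetical, and the input bytes are constructed filler.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16
#define RET_SENTINEL 0x1122334455667788ULL

/* Simulated stack frame (hypothetical layout): fixed buffer, then the
   saved return address that sits in adjacent memory. */
struct frame {
    unsigned char buf[BUF_SIZE];
    uint64_t saved_ret;
};

/* Flawed: trusts the sender-supplied length. The clamp to the frame size
   exists only to keep this simulation within defined behaviour. */
int copy_unchecked(struct frame *f, const unsigned char *data, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy((unsigned char *)f, data, len);  /* may run past buf */
    return 0;
}

/* Hardened: reject any input larger than the destination buffer. */
int copy_checked(struct frame *f, const unsigned char *data, size_t len) {
    if (len > sizeof f->buf) return -1;
    memcpy(f->buf, data, len);
    return 0;
}

/* Copies `len` constructed filler bytes into a fresh frame and reports
   whether the saved return address was altered (1) or intact (0). */
int ret_corrupted(int checked, size_t len) {
    unsigned char input[sizeof(struct frame)];
    struct frame f;
    memset(input, 0x41, sizeof input);
    memset(&f, 0, sizeof f);
    f.saved_ret = RET_SENTINEL;
    if (len > sizeof input) len = sizeof input;
    if (checked) copy_checked(&f, input, len);
    else copy_unchecked(&f, input, len);
    return f.saved_ret != RET_SENTINEL;
}

int main(void) {
    printf("unchecked, 16 bytes: corrupted=%d\n", ret_corrupted(0, 16));
    printf("unchecked, 24 bytes: corrupted=%d\n", ret_corrupted(0, 24));
    printf("checked,   24 bytes: corrupted=%d\n", ret_corrupted(1, 24));
    return 0;
}
```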
Palo Alto Networks also disclosed that it was aware of only limited exploitation of CVE-2026-0300 at this time. Unsuccessful exploitation attempts against a PAN-OS device had been observed since April 9, 2026.
A week later, the attackers successfully achieved RCE against the device and injected shellcode. Following the compromise, the attackers immediately conducted log cleanup to evade detection by clearing crash kernel messages, deleting nginx crash entries and nginx crash records, as well as removing crash core dump files.
How can we mitigate this vulnerability?
The risk of this issue is greatly reduced if you secure access to the User-ID Authentication Portal per the best practice guidelines by restricting access to only trusted internal IP addresses.
Palo Alto also stated that other products like Prisma Access, Cloud NGFW and Panorama appliances are not impacted by this vulnerability.
For more information, please visit Palo Alto’s official statement about the vulnerability:
https://security.paloaltonetworks.com/CVE-2026-0300
https://unit42.paloaltonetworks.com/captive-portal-zero-day/
https://thehackernews.com/2026/05/pan-os-rce-exploit-under-active-use.html

White Hat IT Security is a Europe-based Managed Security Services Provider (MSSP) and proud Microsoft Solution Partner. Its Microsoft-verified managed security solutions (MXDR) reflect their deep expertise and commitment to excellence in cybersecurity. The company was awarded the Partner of the Year Hungary Award by Microsoft in 2024 and 2025.
With the largest incident response capacity in the CEE region, they’re trusted by organizations to deliver fast, effective, and proactive protection. Their portfolio includes penetration testing, vulnerability assessments, managed Cyber Threat Intelligence, as well as Governance, Risk and Compliance (GRC) consulting and specialized security training.
They are committed to supporting professional initiatives that aim to raise cybersecurity awareness and maturity—both for individuals and organizations. They regularly contribute to the community through knowledge sharing, education, and outreach, helping to build a safer digital future for all.