Critical Zero-Day Exploited in Palo Alto Networks PAN-OS Firewalls: Root Access at Risk
**Palo Alto Networks** is warning customers about active exploitation of a critical unpatched vulnerability in its PAN-OS User-ID Authentication Portal. The zero-day, identified as **CVE-2026-0300**, allows unauthenticated attackers to execute arbitrary code with root privileges on exposed firewalls.

**Palo Alto Networks** warned customers today that a critical-severity unpatched vulnerability in the PAN-OS User-ID Authentication Portal is being exploited in attacks.
### Understanding the Vulnerability
The User-ID Authentication Portal, also known as the Captive Portal, is a PAN-OS security feature that authenticates users whose identities cannot be automatically mapped by the firewall. This feature is crucial for maintaining network security by ensuring only authorized users gain access.
Tracked as **CVE-2026-0300**, this zero-day bug stems from a buffer overflow weakness. Unauthenticated attackers can use specially crafted packets to execute arbitrary code with root privileges on Internet-exposed PA-Series and VM-Series firewalls.
"Limited exploitation has been observed targeting **Palo Alto Networks** User-ID™ Authentication Portals that are exposed to untrusted IP addresses and/or the public internet," **Palo Alto Networks** said in a Wednesday advisory.
### Mitigation Steps
**Palo Alto Networks** is advising customers to implement immediate mitigation steps. "Customers following standard security best practices, such as restricting sensitive portals to trusted internal networks are at a greatly reduced risk."
Until a patch is available, **Palo Alto Networks** "strongly" recommends securing the User-ID Authentication Portal by restricting access to trusted zones only or disabling the portal if restriction is not feasible.
To check if your firewalls are configured to use the vulnerable service, navigate to Device > User Identification > Authentication Portal Settings > Enable Authentication Portal within the PAN-OS interface.
### Exposure on the Internet
Currently, **Shadowserver** is tracking over 5,800 PAN-OS VM-series firewalls exposed online, with a significant concentration in Asia (2,466) and North America (1,998).

*VM-series firewalls exposed online (Shadowserver)*
### A History of Exploitation
PAN-OS firewalls have been a recurring target for attackers, often exploiting zero-day vulnerabilities. In November 2024, **Shadowserver** reported thousands of firewalls compromised by chaining two PAN-OS zero-days. A month later, another PAN-OS DoS flaw was exploited, forcing firewalls to reboot and disable protections. In February, attackers abused three other PAN-OS flaws to compromise firewalls with internet-facing management interfaces.
**Palo Alto Networks** products and services are used by over 70,000 customers worldwide, including 90% of Fortune 10 companies and most of the largest U.S. banks, making this a high-impact vulnerability.
---
*Update May 06, 11:45 EDT:* **Palo Alto Networks** provided the following statement after the article was published:
"This vulnerability is specific to a limited number of customers with their User-ID Authentication Portal (Captive Portal) exposed to the public internet or untrusted IP addresses. We have observed limited exploitation of this issue and are working to release software fixes, with the first updates expected to be available on May 13, 2026," the company told BleepingComputer.
"We have provided clear mitigation guidance to our customers to secure their environments immediately. This issue does not impact Cloud NGFW or Panorama appliances. We remain committed to a transparent, security-first approach to protect our global customer base."