CVE-2026-0300

This is a weakness in a “sign-in/portal” feature on certain Palo Alto Networks network security devices. An attacker can send specially crafted network messages to overwhelm the portal’s memory handling, potentially causing the device to run attacker-controlled code as root. Think of it like a gate that’s supposed to check visitors, but a malicious visitor finds a way to break the gate’s internal “guard rails” and take control.

This matters to you if you use or run Palo Alto Networks PAN-OS on PA-Series or VM-Series firewalls that have the User-ID™ Authentication Portal enabled and reachable. It also affects the Siemens ruggedcom ape1808 firmware. Prisma Access, Cloud NGFW, and Panorama appliances are not impacted by this vulnerability.

This is RED because it’s critical and there are signs it’s being prioritized by attackers: it’s listed in CISA KEV (“known exploited in the wild”) and a public exploit exists. The estimated chance of exploitation in the next 30 days is high, so you should treat this as an urgent emergency patching issue, even though press reports say exploitation status is not yet confirmed in all environments.

1. Check with your IT/network admin whether your PA-Series or VM-Series running PAN-OS has the User-ID™ Authentication Portal (Captive Portal) exposed to networks beyond your trusted internal IPs.
2. Patch immediately to the fixed PAN-OS version(s) your vendor provides for CVE-2026-0300.
3. If you can’t patch immediately, restrict access to the User-ID™ Authentication Portal to only trusted internal IP addresses per Palo Alto Networks best practices.