Palo Alto Networks warned customers of active exploitation targeting a critical, not yet patched vulnerability in its PAN-OS software, specifically within the User-ID Authentication Portal, also known as the Captive Portal.
The User-ID Authentication Portal is designed to authenticate users whose identities cannot be automatically mapped by the firewall.
The flaw, tracked as CVE-2026-0300, is an out-of-bounds issue that allows unauthenticated attackers to execute arbitrary code with root privileges. It affects Internet-exposed PA-Series and VM-Series firewalls and can be triggered via specially crafted network packets.
“Limited exploitation has been observed targeting Palo Alto Networks User-ID Authentication Portals that are exposed to untrusted IP addresses and/or the public internet. Customers following standard security best practices, such as restricting sensitive portals to trusted internal networks, are at a greatly reduced risk,” PAN’s security advisory says.
According to internet monitoring organization Shadowserver, more than 5,800 PAN-OS VM-Series firewalls are currently exposed online. The majority are located in Asia and North America.
The vendor advises administrators to review their configurations as soon as possible to determine whether the Authentication Portal is enabled. The setting is found under Device > User Identification > Authentication Portal Settings > Enable Authentication Portal.
Until a patch is out, the company strongly recommends restricting access to the portal to trusted network zones or disabling the feature entirely if restrictions cannot be enforced.