CVE-2026-0300
Vulnerability Summary
Description
A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets. The risk of this issue is greatly reduced if you secure access to the User-ID™ Authentication Portal per the best practice guidelines https://knowledgebase.paloaltonetworks.com/KCSArticleDetail by restricting access to only trusted internal IP addresses. Prisma Access, Cloud NGFW and Panorama appliances are not impacted by this vulnerability.
CVSS Metrics
- v4.0 • CRITICAL • Score: 9.3 • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:A/AU:Y/R:U/V:C/RE:M/U:Red
- v4.0 • CRITICAL • Score: 9.3 • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:M/U:Red
- v3.1 • CRITICAL • Score: 9.8 • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Trends
Current EPSS score: 6.22% • Percentile: 91%
Techniques & Countermeasures
- CWE-787 • Out-of-bounds Write
The product writes data past the end, or before the beginning, of the intended buffer.
Affected Systems
- palo alto networks • pan-os
≥ 12.1.0, < 12.1.7 | ≥ 11.2.0, < 11.2.12 | ≥ 11.1.0, < 11.1.15 | ≥ 10.2.0, < 10.2.18-h6
- paloaltonetworks • pan-os
10.2.0 | 10.2.1 | 10.2.2 | 10.2.3 | 10.2.4 | 10.2.5 | 10.2.6 | 10.2.7 | 10.2.7:h1 | 10.2.7:h12 | 10.2.7:h16 | 10.2.7:h19 | 10.2.7:h21 | 10.2.7:h24 | 10.2.7:h3 | 10.2.7:h32 | 10.2.7:h6 | 10.2.7:h8 | 10.2.8 | 10.2.9 | 10.2.10 | 10.2.10:h10 | 10.2.10:h12 | 10.2.10:h14 | 10.2.10:h17 | 10.2.10:h18 | 10.2.10:h2 | 10.2.10:h21 | 10.2.10:h27 | 10.2.10:h3 | 10.2.10:h30 | 10.2.10:h31 | 10.2.10:h4 | 10.2.10:h5 | 10.2.10:h7 | 10.2.10:h9 | 10.2.11 | 10.2.12 | 10.2.13 | 10.2.13:h1 | 10.2.13:h10 | 10.2.13:h16 | 10.2.13:h18 | 10.2.13:h2 | 10.2.13:h3 | 10.2.13:h4 | 10.2.13:h5 | 10.2.13:h7 | 10.2.14 | 10.2.15 | 10.2.16 | 10.2.16:h1 | 10.2.16:h4 | 10.2.16:h6 | 10.2.17 | 10.2.18 | 10.2.18:h1 | 10.2.18:h5 | 11.1.0 | 11.1.1 | 11.1.2 | 11.1.3 | 11.1.4 | 11.1.4:h1 | 11.1.4:h13 | 11.1.4:h15 | 11.1.4:h16 | 11.1.4:h17 | 11.1.4:h18 | 11.1.4:h25 | 11.1.4:h27 | 11.1.4:h32 | 11.1.4:h4 | 11.1.4:h7 | 11.1.4:h9 | 11.1.5 | 11.1.6 | 11.1.6:h1 | 11.1.6:h10 | 11.1.6:h14 | 11.1.6:h17 | 11.1.6:h19 | 11.1.6:h2 | 11.1.6:h20 | 11.1.6:h21 | 11.1.6:h22 | 11.1.6:h23 | 11.1.6:h25 | 11.1.6:h29 | 11.1.6:h3 | 11.1.6:h4 | 11.1.6:h5 | 11.1.6:h6 | 11.1.6:h7 | 11.1.7 | 11.1.7:h1 | 11.1.7:h2 | 11.1.7:h4 | 11.1.8 | 11.1.9 | 11.1.10 | 11.1.10:h1 | 11.1.10:h10 | 11.1.10:h12 | 11.1.10:h21 | 11.1.10:h4 | 11.1.10:h5 | 11.1.10:h7 | 11.1.10:h9 | 11.1.11 | 11.1.12 | 11.1.13 | 11.1.13:h1 | 11.1.13:h2 | 11.1.13:h3 | 11.1.14 | 11.2.0 | 11.2.1 | 11.2.2 | 11.2.3 | 11.2.4 | 11.2.4:h1 | 11.2.4:h10 | 11.2.4:h11 | 11.2.4:h12 | 11.2.4:h14 | 11.2.4:h15 | 11.2.4:h2 | 11.2.4:h4 | 11.2.4:h5 | 11.2.4:h6 | 11.2.4:h7 | 11.2.4:h8 | 11.2.4:h9 | 11.2.5 | 11.2.6 | 11.2.7 | 11.2.7:h1 | 11.2.7:h10 | 11.2.7:h11 | 11.2.7:h12 | 11.2.7:h2 | 11.2.7:h3 | 11.2.7:h4 | 11.2.7:h7 | 11.2.7:h8 | 11.2.8 | 11.2.9 | 11.2.10 | 11.2.10:h1 | 11.2.10:h2 | 11.2.10:h3 | 11.2.10:h4 | 11.2.10:h5 | 11.2.11 | 12.1.2 | 12.1.3 | 12.1.4 | 12.1.4:h2 | 12.1.4:h3 | 12.1.5 | 12.1.6
- siemens • ruggedcom_ape1808_firmware
na