External risk intelligence
Palo Alto Networks firewalls could allow external attackers to gain full network control.
Palo Alto Networks PAN-OS firewalls with internet-facing User-ID Authentication Portals could allow external attackers to gain full administrative control. This vulnerability is being actively exploited in the wild, posing a severe risk of complete network infrastructure compromise.
CVE-2026-0300
Exposure facts
H – Horizon Alert
A security vulnerability has been identified in the User-ID™ Authentication Portal service within Palo Alto Networks firewalls. This issue could allow an unauthenticated attacker to execute arbitrary code with root privileges by sending specially crafted packets to the system. This presents a significant concern, as it potentially grants an attacker full administrative control over affected PA-Series and VM-Series firewalls. Please note that other platforms, such as Prisma Access, Cloud NGFW, and Panorama, are not affected by this vulnerability.
A – Asset Exposure
This issue impacts PA-Series and VM-Series firewalls utilizing the User-ID™ Authentication Portal, potentially compromising the integrity of your network controls. If this portal is configured to be accessible beyond your trusted internal network, the vulnerability could grant unauthorized parties full admin access to these critical infrastructure devices. Consequently, this vulnerability may allow for unauthorized interference with your managed traffic and overall service availability.
L – Live Threat
This vulnerability is currently included in the CISA Known Exploited Vulnerabilities catalog, confirming active exploitation and targeting in the wild. The flaw allows an unauthenticated attacker to execute arbitrary code with root-level privileges on specific firewall systems. Given the confirmed evidence of live exploitation, this represents a significant security signal.
O – Operational Fix
Please prioritize securing your User-ID Authentication Portal service on affected PA-Series and VM-Series firewalls. The recommended approach is to restrict access to this portal to trusted internal IP addresses only. If this service is not currently required for your operations, you should disable it to mitigate risk, while ensuring your team continues to monitor official vendor guidance for further updates.
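One way to check a firewall fleet against the fix above, as an added example that is not part of the original alert or any Palo Alto Networks tooling. The inventory format, field names, device names and trusted ranges are assumptions made for illustration; populate them from your own configuration management data.

```python
import ipaddress

AFFECTED_PLATFORMS = {"PA-Series", "VM-Series"}  # platforms named in the alert
# Assumption: the ranges your organisation treats as trusted internal networks.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inventory (hypothetical format, not a PAN-OS export).
SAMPLE_INVENTORY = [
    {"name": "fw-edge-01", "platform": "PA-Series", "portal_enabled": True,
     "permitted_sources": ["0.0.0.0/0"]},
    {"name": "fw-core-01", "platform": "VM-Series", "portal_enabled": True,
     "permitted_sources": ["10.20.0.0/16", "192.168.5.0/24"]},
    {"name": "fw-lab-01", "platform": "PA-Series", "portal_enabled": False,
     "permitted_sources": []},
    {"name": "fw-branch-07", "platform": "PA-Series", "portal_enabled": True,
     "permitted_sources": ["10.8.0.0/16", "203.0.113.0/24"]},
    {"name": "fw-dmz-02", "platform": "VM-Series", "portal_enabled": True,
     "permitted_sources": []},
    {"name": "panorama-01", "platform": "Panorama", "portal_enabled": False,
     "permitted_sources": []},
]

def is_trusted(cidr):
    """True if the CIDR lies entirely inside one of the trusted networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_NETS)

def audit(inventory):
    """Map each affected firewall with an over-exposed portal to the reasons."""
    findings = {}
    for fw in inventory:
        if fw["platform"] not in AFFECTED_PLATFORMS or not fw["portal_enabled"]:
            continue  # unaffected platform, or portal already disabled
        sources = fw["permitted_sources"]
        if not sources:
            # Assumption: an empty list means no source restriction is applied.
            findings[fw["name"]] = ["no source restriction"]
            continue
        untrusted = [s for s in sources if not is_trusted(s)]
        if untrusted:
            findings[fw["name"]] = untrusted
    return findings

if __name__ == "__main__":
    for name, why in audit(SAMPLE_INVENTORY).items():
        print(f"{name}: restrict or disable portal ({', '.join(why)})")
```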