CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2026-0300

CVSS 9.3v4.0pub. 2026-05-06upd. 2026-05-12

A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets. The risk of this issue is greatly reduced if you secure access to the User-ID™ Authentication Portal per the best practice guidelines https://knowledgebase.paloaltonetworks.com/KCSArticleDetail by restricting access to only trusted internal IP addresses. Prisma Access, Cloud NGFW and Panorama appliances are not impacted by this vulnerability.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:M/U:Red
  • Palo Alto Networks Pa 1410

    HW
    Paloaltonetworks
    wszystkie wersje
  • Palo Alto Networks Pa 1420

    HW
    Paloaltonetworks
    wszystkie wersje
  • Palo Alto Networks Pa 3410

    HW
    Paloaltonetworks
    wszystkie wersje
  • Palo Alto Networks Pa 3420

    HW
    Paloaltonetworks
    wszystkie wersje
  • Palo Alto Networks Pa 3430

    HW
    Paloaltonetworks
    wszystkie wersje
  • Palo Alto Networks Pa 3440

    HW
    Paloaltonetworks
    wszystkie wersje
  • Palo Alto Networks Pa 410

    HW
    Paloaltonetworks
    wszystkie wersje
  • Palo Alto Networks Pa 410r

    HW
    Paloaltonetworks
    wszystkie wersje
  • Palo Alto Networks Pa 410r 5g

    HW
    Paloaltonetworks
    wszystkie wersje
  • Palo Alto Networks Pa 415

    HW
    Paloaltonetworks
    wszystkie wersje
  • Palo Alto Networks Pa 415 5g

    HW
    Paloaltonetworks
    wszystkie wersje
  • Palo Alto Networks Pa 440

    HW
    Paloaltonetworks
    wszystkie wersje
  • Palo Alto Networks Pa 445

    HW
    Paloaltonetworks
    wszystkie wersje
  • Palo Alto Networks Pa 450

    HW
    Paloaltonetworks
    wszystkie wersje
  • Palo Alto Networks Pa 450r

    HW
    Paloaltonetworks
    wszystkie wersje
  • Palo Alto Networks Pa 450r 5g

    HW
    Paloaltonetworks
    wszystkie wersje
  • Palo Alto Networks Pa 455

    HW
    Paloaltonetworks
    wszystkie wersje
  • Palo Alto Networks Pa 455 5g

    HW
    Paloaltonetworks
    wszystkie wersje
  • Palo Alto Networks Pa 455r 5g

    HW
    Paloaltonetworks
    wszystkie wersje
  • Palo Alto Networks Pa 460

    HW
    Paloaltonetworks
    wszystkie wersje
  • Palo Alto Networks Pa 501

    HW
    Paloaltonetworks
    wszystkie wersje
  • Palo Alto Networks Pa 505

    HW
    Paloaltonetworks
    wszystkie wersje
  • Palo Alto Networks Pa 510

    HW
    Paloaltonetworks
    wszystkie wersje
  • Palo Alto Networks Pa 520

    HW
    Paloaltonetworks
    wszystkie wersje
  • Palo Alto Networks Pa 540

    HW
    Paloaltonetworks
    wszystkie wersje
  • Palo Alto Networks Pa 5410

    HW
    Paloaltonetworks
    wszystkie wersje
  • Palo Alto Networks Pa 5420

    HW
    Paloaltonetworks
    wszystkie wersje
  • Palo Alto Networks Pa 5430

    HW
    Paloaltonetworks
    wszystkie wersje
  • Palo Alto Networks Pa 5440

    HW
    Paloaltonetworks
    wszystkie wersje
  • Palo Alto Networks Pa 5445

    HW
    Paloaltonetworks
    wszystkie wersje

CISA KEV — detailsi

Vendori
Palo Alto Networks
Producti
PAN-OS
Added to KEVi
May 6, 2026
Remediation deadline (US Federal)i
May 9, 2026(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Until the vendor releases an official fix, the following workaround should be implemented: - Restrict User-ID Authentication Portal access to only trusted zones. - Disable User-ID Authentication Portal if not required. 5/13/2026: Palo Alto has released a variety of patches. If these are relevant to your environment, please apply the designated patch.

CISA descriptioni

Palo Alto Networks PAN-OS contains an out-of-bounds write vulnerability in the User-ID Authentication Portal (aka Captive Portal) service that can allow an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 9 maja 2026
Tags
RCEAuth BypassMemoryFirewall
CWE
References

Related vulnerabilities

CVE-2026-24858CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Fortinet – Auth Bypass przez FortiCloud SSO w wielu produktach

CVE-2025-59718CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Fortinet FortiOS/FortiProxy/FortiSwitchManager — Auth Bypass przez SAML

CVE-2024-0012CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Authentication bypass w PAN-OS umożliwiający przejęcie uprawnień administratora

CVE-2024-3400CRITICAL10.0⚠ KEVPL ✓ten sam produkt

RCE jako root w GlobalProtect — command injection w PAN-OS

CVE-2020-2021CRITICAL10.0⚠ KEVten sam produkt

When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider C...