Critical Zero-Day CVE-2026-0300 Exploiting PAN-OS Firewalls; Patches Due in May
May 6, 2026
A critical zero-day, CVE-2026-0300, in the PAN-OS User-ID Authentication Portal (Captive Portal) is being actively exploited to run arbitrary code with root privileges on Internet-facing PA-Series and VM-Series firewalls.
Exploitation is mitigated by restricting access to the User-ID Authentication Portal to trusted internal IPs, following security best practices.
Observed abuse on affected devices is limited and involves portals that were accessible from untrusted IPs or the open internet, an exposure that violates security best practices.
Patches are planned in two rounds, with the first release slated for mid-May and a second around the end of May.
Affected PAN-OS versions include 12.1, 11.2, 11.1, and 10.2, with updates rolling out to specific builds on the May 13 and May 28 windows; Prisma Access, Cloud NGFW, and Panorama are not affected.
The vulnerability impacts PA-Series and VM-Series firewalls using the Local User-ID portal, with multiple versions listed and patch timelines aligned to May 13 and May 28.
Specific vulnerable builds range across PAN-OS 12.1, 11.2, 11.1, and 10.2, with protection timelines noted for each release.
CISA’s KEV catalog had not yet added CVE-2026-0300 at the time of reporting.
The advisory urges organizations to limit exposure and apply access controls in the meantime while preparing for patches.
No patch is available yet; security guidance is to secure the portal by restricting access to trusted zones or disabling the portal until a fix is released.
Patches are planned to begin on May 13, 2026, with fixes rolling out subsequently.
Shadowserver tracks over 5,800 PAN-OS VM-series firewalls exposed online, with the bulk in Asia and North America, signaling broad exposure risk.
Summary based on 6 sources
Sources

The Hacker News • May 6, 2026
Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution
Security Affairs • May 6, 2026
Palo Alto Networks PAN-OS flaw exploited for remote code execution
BleepingComputer • May 6, 2026
Palo Alto Networks warns of firewall RCE zero-day exploited in attacks
Help Net Security • May 6, 2026
Root-level RCE vulnerability in Palo Alto firewalls exploited (CVE-2026-0300)