Free practical cybersecurity guidance for organisations without a security team.

Daily Int Brief: Critical Palo Alto firewall vulnerability

What small organisations should ask their IT provider today.

Relevance rating: Act Now
This is most urgent for organisations using Palo Alto PAN-OS directly or through an IT provider.

Executive Summary

A critical Palo Alto Networks PAN-OS vulnerability, CVE-2026-0300, is being actively exploited against exposed User-ID Authentication Portals. This will not affect every small organisation, but it is serious for any organisation using Palo Alto firewalls directly or through an IT provider. The practical action today is simple: find out whether you use Palo Alto PAN-OS, whether the affected portal is exposed to the internet, and whether mitigations or patches are in place.

Situation

Palo Alto Networks has published an advisory for CVE-2026-0300, a buffer overflow vulnerability in the User-ID Authentication Portal, also known as Captive Portal, in PAN-OS. The advisory says exploitation has been observed and the vulnerability could allow an unauthenticated attacker to execute code with root privileges on affected PA-Series and VM-Series firewalls. Palo Alto also says the risk is greatly reduced where access to the portal is restricted to trusted internal IP addresses, and that Prisma Access, Cloud NGFW and Panorama appliances are not impacted.

Who should care

  • Small organisations that use Palo Alto firewalls.
  • Organisations that outsource firewall or network management to an IT provider or MSP.
  • Organisations with remote access, firewall portals or authentication services exposed to the internet.
  • Organisations that do not know what firewall technology protects them.

Why it matters

Firewalls are high-value security devices. If an internet-facing firewall portal is vulnerable and actively exploited, it may give attackers a route into systems that the organisation assumes are protected.

Actions On

  1. Ask your IT provider whether you use Palo Alto PAN-OS anywhere.
  2. Ask whether the User-ID Authentication Portal / Captive Portal is enabled.
  3. Ask whether any affected portal is exposed to the internet or untrusted IP addresses.
  4. Ask whether access has been restricted to trusted internal IP addresses.
  5. Ask whether the vendor advisory has been checked against your exact PAN-OS versions.
  6. Ask when patches or mitigations will be applied.
  7. Record the answer in your Cyber Stand-To log.
  8. If the answer is unclear, escalate to the business owner, trustee, director or senior manager responsible for IT risk.

Question to ask your IT provider

“Do we use Palo Alto PAN-OS anywhere, and if so, is the User-ID Authentication Portal exposed to the internet? Has CVE-2026-0300 been mitigated or patched?”

After-action review

  • Do we know which firewall protects our organisation?
  • Do we know who is responsible for firewall patching?
  • Do we have a list of internet-facing systems?
  • Can our IT provider confirm urgent vulnerability actions quickly?
  • Is this type of issue covered in our incident response plan?

LinkedIn post draft

Daily Int Brief — Actions On Cyber

A critical Palo Alto Networks PAN-OS vulnerability, CVE-2026-0300, is being actively exploited against exposed User-ID Authentication Portals.

Small organisations do not need the exploit details. They need one clear question for their IT provider:

“Do we use Palo Alto PAN-OS anywhere, and if so, is the User-ID Authentication Portal exposed to the internet? Has CVE-2026-0300 been mitigated or patched?”

No jargon. No panic. Just actions on.