Palo Alto Networks warns of firewall zero-day RCE used in attack

Palo Alto Networks warned customers today that a critical unpatched vulnerability in the PAN-OS User-ID Authentication Portal is being exploited in attacks.
Also known as the Captive Portal, the User-ID Authentication Portal is a PAN-OS security feature that authenticates users whose identities cannot be automatically mapped by the firewall.
Tracked as CVE-2026-0300, this zero-day stems from a buffer overflow that allows unauthenticated attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls exposed to the Internet via specially crafted packets.
“Limited exploits have been identified targeting Palo Alto Networks User-ID™ Authentication Portals exposed to untrusted IP addresses and/or the public Internet,” Palo Alto Networks said in an advisory Wednesday.
“Customers who follow security best practices, such as restricting sensitive portals to trusted internal networks, are at greatly reduced risk.”
Currently, threat-monitoring watchdog Shadowserver is tracking more than 5,800 PAN-OS VM firewalls exposed on the Internet, most of them in Asia (2,466) and North America (1,998).

The company has also flagged the vulnerability with the highest possible severity and says administrators can quickly check whether their firewalls are configured to use the vulnerable service on the User-ID Authentication Portal Settings page, located under Device > User Identification > Authentication Portal Settings > Enable Authentication Portal.
Palo Alto Networks is still working to address the zero-day, and until a patch is available, it “strongly” recommends that customers secure the User-ID Authentication Portal by restricting access to only trusted sites or disabling the portal if that is not possible.
PAN-OS firewalls are often targeted in attacks, frequently through zero-day vulnerabilities. For example, in November 2024, Shadowserver revealed that thousands of firewalls were at risk (although the company said the attack affected “a very small number”) in attacks that chained two PAN-OS firewall zero-days.
One month later, Palo Alto Networks warned that hackers were exploiting another PAN-OS DoS flaw to target PA-Series, VM-Series, and CN-Series firewalls, forcing them to reboot and disabling firewall protections. Soon after, in February, attackers switched to exploiting three more PAN-OS flaws to compromise Palo Alto Networks firewalls with Internet-facing management interfaces.
Palo Alto Networks says its products and services are used by more than 70,000 customers worldwide, including 90% of Fortune 10 companies and major US banks.
