Technical description
A critical buffer overflow vulnerability in the User-ID Authentication Portal (Captive Portal) service of Palo Alto Networks PAN-OS software allows unauthenticated attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls via specially crafted packets. CISA confirmed active exploitation targeting portals exposed to untrusted IP addresses and the public internet, adding the vulnerability to the Known Exploited Vulnerabilities catalog with a May 9, 2026 remediation deadline for federal agencies.
Attack vector
Unauthenticated remote code execution via crafted packets sent to the User-ID Authentication Portal. No user interaction is required. The CVSS score is 9.3 if the portal is internet-exposed and 8.7 if it is restricted to trusted networks.
Affected systems
PAN-OS versions 10.2, 11.1, 11.2, and 12.1 on PA-Series and VM-Series firewalls configured with the User-ID Authentication Portal enabled. According to Shadowserver scans, over 5,800 PAN-OS VM-Series firewalls are currently exposed online.
Mitigation
Palo Alto Networks is releasing patches starting May 13, 2026, with full rollout by May 28. Immediate mitigations: restrict User-ID Authentication Portal access to trusted zones only, or disable the portal entirely if not operationally required. A Threat Prevention Signature for PAN-OS 11.1+ was released May 5, 2026.