PAN-OS vulnerability being exploited, updates planned in weeks
Palo Alto Networks warns of an already exploited critical security vulnerability in PAN-OS. Updates are not expected until mid-May.
(Image: Michael Vi/Shutterstock.com)
Palo Alto Networks is warning of a security vulnerability in the PAN-OS operating system. It has been rated “critical” and is already being exploited on the internet. The first updates are not expected for at least a week. However, Palo Alto has outlined temporary countermeasures that admins should urgently implement.
In its security advisory, Palo Alto states that a buffer overflow in the User-ID authentication portal (also known as the captive portal) allows unauthenticated attackers to inject and execute arbitrary code with root privileges on PA-series and VM-series firewalls using specially crafted packets (CVE-2026-0300, CVSS 4.0 score 9.3, risk "critical"). Exploitation requires the User-ID authentication portal to be configured in PAN-OS, which it is not by default.
This leads directly to the first of the proposed temporary countermeasures: disable the captive portal. Where that is not possible, admins should restrict access to the portal to trusted zones, for example internal IP addresses. Such an access restriction lowers the CVSS 4.0 score to 8.7 and thus the risk rating to "high"; it reduces exposure but does not remove the vulnerability, so the update should still be installed once available.
Affected Software Versions
PAN-OS 12.1, 11.2, 11.1, and 10.2 are affected. The following releases, or newer versions, will fix the vulnerability; the dates in parentheses are the planned release dates according to Palo Alto Networks:
PAN-OS 12.1: 12.1.4-h5 (May 13th), 12.1.7 (May 28th)
PAN-OS 11.2: 11.2.4-h17 (May 28th), 11.2.7-h13 (May 13th), 11.2.10-h6 (May 13th), 11.2.12 (May 28th)
PAN-OS 11.1: 11.1.4-h33 (May 13th), 11.1.6-h32 (May 13th), 11.1.7-h6 (May 28th), 11.1.10-h25 (May 13th), 11.1.13-h5 (May 13th), 11.1.15 (May 28th)
PAN-OS 10.2: 10.2.7-h34 (May 28th), 10.2.10-h36 (May 13th), 10.2.13-h21 (May 28th), 10.2.16-h7 (May 28th), 10.2.18-h6 (May 13th)
Cloud NGFW, Prisma Access, and Panorama appliances are not affected, the manufacturer assures.
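With so many maintenance releases and hotfix levels on four branches, deciding whether a given firewall is already on a fixed build is error-prone by eye. The following script is an added example, not a Palo Alto Networks tool and not code from the advisory: it parses PAN-OS version strings of the form major.minor.patch-hN and checks them against the fix list above. It assumes that "or newer" means a later hotfix of the same maintenance release, or a later maintenance release on the same branch beyond a listed plain release (e.g. 12.1.8 after 12.1.7); a version on a branch the advisory does not list, or above the newest listed hotfix-only release, is reported as "unlisted" so the admin consults the advisory rather than trusting a guess. The inventory lines at the bottom are constructed sample data, not real devices.

```python
import re
from typing import Dict, Tuple

# Fixed releases as listed in the advisory summary (planned release dates omitted).
FIXED_VERSIONS = [
    "12.1.4-h5", "12.1.7",
    "11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12",
    "11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15",
    "10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6",
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch[-hN]' into a tuple; a missing hotfix counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a PAN-OS version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def assess(installed: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unlisted' for an installed PAN-OS version.

    Assumption (this example's reading of "or newer"): a later hotfix of a listed
    maintenance release is fixed, and so is any maintenance release above a listed
    plain release on the same branch. Anything else on an affected branch is treated
    as vulnerable unless the advisory simply does not cover it ("unlisted").
    """
    major, minor, patch, hotfix = parse_version(installed)
    branch = [f for f in map(parse_version, FIXED_VERSIONS) if f[:2] == (major, minor)]
    if not branch:
        return "unlisted"  # branch not in the advisory summary: check the vendor advisory
    # Same maintenance release as a listed fix: the hotfix number decides.
    for _, _, fpatch, fhotfix in branch:
        if fpatch == patch:
            return "fixed" if hotfix >= fhotfix else "vulnerable"
    newest = max(branch)
    if patch > newest[2]:
        # Beyond the newest listed fix on this branch: covered by "or newer" only when
        # that fix is a plain release (e.g. 12.1.7); after a hotfix-only entry such as
        # 10.2.18-h6 the summary says nothing about the next maintenance release.
        return "fixed" if newest[3] == 0 else "unlisted"
    # A maintenance release between or below listed fixes has no fix of its own.
    return "vulnerable"


# Constructed sample inventory ("hostname installed-version"), not real devices.
SAMPLE_INVENTORY = """\
fw-edge-01 11.2.7-h12
fw-edge-02 11.2.7-h13
fw-dc-01 12.1.5
fw-lab-01 10.2.19
"""


def triage(inventory: str) -> Dict[str, str]:
    """Map each hostname in an inventory listing to its assessment."""
    result: Dict[str, str] = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, version = line.split()
        result[host] = assess(version)
    return result


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12s} {status}")
```

The "unlisted" result is deliberate: the script refuses to mark a build as safe on the strength of an assumption the advisory text does not back, which is the behaviour wanted when the output feeds a patch-priority list.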
Palo Alto also writes that it has observed limited exploitation of the vulnerability in the User-ID authentication portal. On the affected devices, the portal was reachable from untrusted IP addresses and in some cases from the open internet, a configuration that, as Palo Alto adds, contradicts security best practices.
In January, vulnerabilities in Palo Alto's firewalls became known, through which attackers could force the appliances into maintenance mode, apparently bypassing firewall protection.
(dmk)