Matrix Networks Educational Articles

The Palo Alto Patch Window You Cannot Afford to Miss. Here is the 48-Hour Plan.

Written by Matrix Networks | May 11, 2026 8:30:14 PM

Palo Alto Networks disclosed CVE-2026-0300 on May 6, 2026. It is an unauthenticated buffer overflow in the PAN-OS User-ID Authentication Portal that lets a remote attacker execute code as root. CVSS 9.3. Early exploitation has been observed in the wild and is expected to accelerate. First fixes are landing May 13. A second wave follows on May 28. (Source: Palo Alto Networks Security Advisory)

If you run PA-Series or VM-Series firewalls with a User-ID Authentication Portal reachable from the internet, you have 48 hours to make three decisions. This post is about those three decisions. It is also about a fourth question your leadership is probably going to ask in the same week, which is whether you should still be in the business of running your own firewall stack at all. 

Why this one is different from the last vulnerability email

A lot of advisories cross your desk. Most of you patch on a normal cycle.

This one has three properties that change the math. First, the attack vector is unauthenticated. No credentials needed, no insider, no phishing kit. Second, the target is the edge appliance that everything else trusts. A compromise on the perimeter device is a compromise of the segmentation it enforces. Third, Mandiant's M-Trends 2026 reported that 28.3 percent of mass-exploited edge vulnerabilities saw exploitation within 24 hours of disclosure. (Source: Help Net Security on CVE-2026-0300)

The window you are in right now, between disclosure and patch availability, is the window attackers price into their tooling. 

Decision one: confirm exposure in the next four hours

The advisory says the vulnerability only applies if the User-ID Authentication Portal is configured and reachable from an untrusted zone. That is good news. Many mid-market deployments do not enable the captive portal at all.

Confirm in this order:

  1. Are any of your PA-Series or VM-Series firewalls running an affected version? (Check the version matrix in the Palo Alto advisory.)
  2. Is the User-ID Authentication Portal enabled?
  3. Is the portal reachable from the internet or any zone you do not control?

If the answer to all three is yes, treat this as a P1. If the answer to question two is no, you still want to verify, because feature drift over years is real. If the answer to question three is no, you are in a much better position.

Your monitoring partner can verify this in minutes. If your firewall and your monitoring sit with different vendors, this is one of the costs of that split.

Decision two: apply the interim mitigation before the patch

Palo Alto has published a concrete mitigation you can apply before May 13. Restrict User-ID Authentication Portal access to trusted zones only, and disable Response Pages in the Interface Management Profile on every Layer 3 interface that touches untrusted traffic. (Source: Rapid7 analysis of CVE-2026-0300)

Two things to know about the mitigation. It will likely break SSO-style portal redirects for any remote users who depend on the captive flow. And it will not retroactively help if you have already been compromised, which is why detection has to run in parallel.

If you cannot apply the mitigation tonight, the next-best step is to put a temporary access control list in front of the portal IP that restricts it to known corporate ranges. Crude works.
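The three exposure questions above and the Response Pages half of the interim mitigation can be answered from a configuration export rather than by clicking through the GUI on every box. The script below is an added example written for this post; it is not Matrix Networks' or Palo Alto Networks' code. It parses a constructed PAN-OS-style XML export, answers questions one to three, lists every Layer 3 interface in an untrusted zone whose management profile still has Response Pages enabled, and assigns the triage level the post describes. The element paths (`captive-portal/enable-captive-portal`, `interface-management-profile/entry/response-pages`, `zone/entry/network/layer3/member`) follow the general shape of a PAN-OS export but are assumptions to verify against your own release, and `AFFECTED_VERSION_PREFIXES` is a placeholder to fill from the advisory's version matrix.

```python
"""Audit a PAN-OS config export for CVE-2026-0300 exposure (added example).

Answers the post's three questions (affected version, Authentication Portal
enabled, portal reachable from an untrusted zone) and checks the Response
Pages part of the interim mitigation on untrusted Layer 3 interfaces.

ASSUMPTION: XML paths below mirror the general layout of a PAN-OS export;
exact element names vary by release, so confirm them against a real export.
"""
import xml.etree.ElementTree as ET

# PLACEHOLDER: take the real affected versions from the vendor advisory.
AFFECTED_VERSION_PREFIXES = ("11.1.",)

# Constructed sample export: ethernet1/1 sits in the untrusted zone and is
# bound to a profile that still has Response Pages enabled.
SAMPLE_CONFIG = """<config version="11.1.0">
  <devices><entry name="localhost.localdomain">
    <network>
      <profiles><interface-management-profile>
        <entry name="allow-portal"><https>yes</https><response-pages>yes</response-pages></entry>
        <entry name="ping-only"><ping>yes</ping><response-pages>no</response-pages></entry>
      </interface-management-profile></profiles>
      <interface><ethernet>
        <entry name="ethernet1/1"><layer3><interface-management-profile>allow-portal</interface-management-profile></layer3></entry>
        <entry name="ethernet1/2"><layer3><interface-management-profile>ping-only</interface-management-profile></layer3></entry>
        <entry name="ethernet1/3"><layer3><interface-management-profile>allow-portal</interface-management-profile></layer3></entry>
      </ethernet></interface>
    </network>
    <vsys><entry name="vsys1">
      <captive-portal><enable-captive-portal>yes</enable-captive-portal></captive-portal>
      <zone>
        <entry name="untrust"><network><layer3><member>ethernet1/1</member><member>ethernet1/2</member></layer3></network></entry>
        <entry name="trust"><network><layer3><member>ethernet1/3</member></layer3></network></entry>
      </zone>
    </entry></vsys>
  </entry></devices>
</config>"""


def _yes(text):
    """PAN-OS booleans are the strings 'yes'/'no'; missing counts as 'no'."""
    return (text or "no").strip().lower() == "yes"


def audit(config_xml, sw_version, untrusted_zones):
    """Return the exposure facts and a triage level for one firewall.

    sw_version comes from 'show system info'; untrusted_zones is the set of
    zone names you do not control (internet, partner, guest).
    """
    dev = ET.fromstring(config_xml).find("devices/entry")

    # Question 1: affected release (placeholder prefix list, see above).
    version_affected = sw_version.startswith(AFFECTED_VERSION_PREFIXES)

    # Question 2: Authentication Portal (captive portal) enabled. ASSUMED path.
    portal_enabled = _yes(dev.findtext("vsys/entry/captive-portal/enable-captive-portal"))

    # Management profiles that still serve Response Pages (mitigation not applied).
    rp_profiles = {
        p.get("name")
        for p in dev.findall("network/profiles/interface-management-profile/entry")
        if _yes(p.findtext("response-pages"))
    }

    # Layer 3 interface -> bound management profile name.
    iface_profile = {
        i.get("name"): (i.findtext("layer3/interface-management-profile") or "").strip()
        for i in dev.findall("network/interface/ethernet/entry")
    }

    # Question 3: any untrusted-zone member interface exposing Response Pages.
    exposed = []
    for zone in dev.findall("vsys/entry/zone/entry"):
        if zone.get("name") not in untrusted_zones:
            continue
        for member in zone.findall("network/layer3/member"):
            iface = member.text.strip()
            if iface_profile.get(iface) in rp_profiles:
                exposed.append((zone.get("name"), iface, iface_profile[iface]))

    # Triage per the post: all three yes -> P1; portal off -> still verify;
    # nothing reachable from untrusted -> much better position.
    if not version_affected:
        priority = "not-affected-version"
    elif portal_enabled and exposed:
        priority = "P1"
    elif not portal_enabled:
        priority = "verify-portal-disabled"
    else:
        priority = "contained-no-untrusted-exposure"

    return {
        "version_affected": version_affected,
        "portal_enabled": portal_enabled,
        "exposed_interfaces": exposed,
        "priority": priority,
    }


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG, "11.1.3", {"untrust"})
    print(result["priority"])
    for zone, iface, profile in result["exposed_interfaces"]:
        print(f"  {iface} in zone {zone} uses profile {profile} with Response Pages enabled")
```

Run it against each firewall's export and software version; an interface listed in the output is one where the mitigation from this section has not yet been applied, and a `P1` result is the case the post tells you to escalate tonight. The script deliberately does not touch the firewall: it reads an export, so it can run from the monitoring side without a change record.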

Decision three: schedule the patch window before the patch ships

The fastest way to fall behind is to wait for the patch to be available before you start scheduling the maintenance.

Pick the window now. Notify the business now. Get a change record approved now. When the May 13 build hits, you are pushing it through a pre-approved change rather than starting a 24-hour approval cycle while exploitation is already accelerating.

For multi-site clients, sequencing matters. Patch the most exposed device first, then your data center cluster, then branch and remote sites in tiers. If your HA pair is on different code trains, that is a separate conversation, but do not let the discovery happen at 2 a.m. on the night of the change.

The fourth question your leadership is going to ask

Some of your executives are watching the cadence of edge advisories and asking a different question. They are not asking which patch. They are asking whether the company should still be running on-prem next-gen firewalls at all.

That is a fair question and worth a separate, slower conversation. The honest answer is that platform choice should not be driven by a single CVE. The honest follow-up is that an architecture where User-ID, identity, segmentation, and inspection live inside a single cloud-delivered fabric reduces the number of times your team has to absorb a 48-hour scramble like this one.

Cato Networks' SASE platform is one answer to that architecture question, and the reason we have multiple mid-market clients in active Cato design or expansion conversations this week. It does not eliminate vulnerabilities. It does change which team owns the patch window.

If you are mapping out a 24-month plan to consolidate firewall, ZTNA, secure web gateway, and SD-WAN into one fabric, this advisory is a data point, not a deciding vote. If you are not yet on that plan, this advisory is a reason to put one on the calendar.

What good looks like by Friday

By Friday afternoon, you should know three things: which of your firewalls are affected, that the interim mitigation is applied or that exposure is otherwise contained, and that a patch window is scheduled before May 28.

If your team is small and this is one of three fires, that is exactly when Matrix Concierge can absorb the patch coordination, change documentation, and post-patch validation so your one-or-two-person IT team is not the bottleneck. And if you have already decided the firewall stack is not where your strategic time should go, our SASE design practice can show you what a Cato-backed cutover looks like without the marketing slides.

Sources: