PAN-OS CVE-2026-0300: RCE Exploit Hits Swiss Networks — Swiss Security Insights

CVE-2026-0300 enables unauthenticated root RCE on PAN-OS User-ID portal — and Swiss perimeter firewalls across banking, healthcare, and industry are exposed.

On 6 May 2026, Palo Alto Networks confirmed that CVE-2026-0300 — a buffer overflow in the User-ID Authentication Portal component of PAN-OS — is being actively exploited in the wild. The vulnerability carries a CVSS score of 9.3 and enables an unauthenticated remote attacker to achieve root-level remote code execution on internet-exposed PAN-OS devices. CISA added CVE-2026-0300 to its Known Exploited Vulnerabilities catalogue on 7 May with a federal agency patch deadline of 21 May. Swiss organisations are not bound by that deadline. They are, however, bound by the same threat: perimeter firewalls across the Swiss financial, healthcare, and industrial sectors are running affected PAN-OS versions right now.

The Technical Breakdown

CVE-2026-0300 is a stack-based buffer overflow (CWE-121) in PAN-OS's handling of packets arriving at the User-ID Authentication Portal interface. The Authentication Portal (formerly Captive Portal) is the User-ID component that prompts a user whose IP address has no user mapping yet to log in, so that identity-based policy can be enforced; by design it must accept connections from clients that have not authenticated, which is why the bug is reachable without credentials or a prior session. When the portal is enabled and internet-reachable, an attacker can send a crafted packet that overflows the stack buffer, overwrites the saved return address, and redirects execution to attacker-controlled code running as root on the management plane.

Affected versions span a wide range of currently deployed PAN-OS releases: 10.2.0 through 10.2.9, 11.0.0 through 11.0.4, 11.1.0 through 11.1.3, and 11.2.0 through 11.2.1. Palo Alto Networks has released hotfix builds for each affected branch. Because a PAN-OS hotfix build (the -hN suffix) applies to one specific maintenance release, compare the full version string, suffix included, against the vendor's fixed-build list rather than judging by branch alone. The interim mitigation for organisations unable to patch immediately is to restrict User-ID Authentication Portal access to trusted internal subnets only via zone-based access control rules, which removes the internet exposure of the vulnerable service without disabling the feature. That restriction narrows who can reach the bug; it does not remove it, so any host already inside a trusted subnet keeps the path, and the rule is a bridge to the hotfix rather than a substitute for it. Disabling the User-ID portal entirely is also valid but degrades identity-based policy enforcement in environments where this feature underpins access controls.
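Checking an inventory against those ranges is error-prone by hand because a hotfix on an older maintenance release does not count. The following is an added example written for this article, not Palo Alto Networks code: it parses PAN-OS version strings (assumed to follow the `major.minor.maint` or `major.minor.maint-hN` form) and classifies each device. The affected ranges are the ones listed above; the fixed-hotfix table is an operator input copied from the vendor advisory, since the article does not list the hotfix builds, and the values shown in the sample are placeholders.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Affected base-version ranges exactly as listed in the article: branch -> (first, last) inclusive.
AFFECTED_RANGES: Dict[str, Tuple[Tuple[int, int, int], Tuple[int, int, int]]] = {
    "10.2": ((10, 2, 0), (10, 2, 9)),
    "11.0": ((11, 0, 0), (11, 0, 4)),
    "11.1": ((11, 1, 0), (11, 1, 3)),
    "11.2": ((11, 2, 0), (11, 2, 1)),
}


class PanosVersion(NamedTuple):
    major: int
    minor: int
    maint: int
    hotfix: int  # 0 when no "-hN" suffix is present

    @property
    def base(self) -> Tuple[int, int, int]:
        return (self.major, self.minor, self.maint)

    @property
    def branch(self) -> str:
        return f"{self.major}.{self.minor}"


# Assumed version-string format: "10.2.7" or "10.2.9-h1" (hotfix builds carry a -hN suffix).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?\s*$")


def parse_version(text: str) -> PanosVersion:
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return PanosVersion(int(major), int(minor), int(maint), int(hotfix or 0))


def in_affected_range(v: PanosVersion) -> bool:
    """True when the base version (ignoring hotfix) sits inside a listed affected range."""
    rng = AFFECTED_RANGES.get(v.branch)
    return rng is not None and rng[0] <= v.base <= rng[1]


def triage(version_text: str, fixed_hotfixes: Dict[str, int]) -> str:
    """Classify one device.

    fixed_hotfixes maps a base version ("10.2.9") to the hotfix number that closes the
    bug on that exact base version, taken from the vendor advisory. A hotfix on a
    different maintenance release does not help, which is why the lookup is by full
    base version and not by branch. Hotfixes are assumed cumulative within a base
    version, so a higher -hN than the listed one also counts as fixed.
    """
    v = parse_version(version_text)
    if not in_affected_range(v):
        return "outside listed affected ranges"
    required = fixed_hotfixes.get(f"{v.major}.{v.minor}.{v.maint}")
    if required is not None and v.hotfix >= required:
        return "affected range, vendor hotfix applied"
    return "AFFECTED: patch or restrict portal exposure now"


def triage_inventory(inventory: List[Tuple[str, str]],
                     fixed_hotfixes: Dict[str, int]) -> List[Tuple[str, str, str]]:
    """Run triage over (hostname, version) pairs; unparsable entries are flagged, not skipped."""
    out = []
    for host, ver in inventory:
        try:
            out.append((host, ver, triage(ver, fixed_hotfixes)))
        except ValueError as exc:
            out.append((host, ver, f"UNKNOWN: {exc}"))
    return out


if __name__ == "__main__":
    # Constructed sample data. The hotfix numbers are placeholders, not the vendor's real fixed builds.
    SAMPLE_FIXED_HOTFIXES = {"10.2.9": 2, "11.1.3": 1}
    SAMPLE_INVENTORY = [
        ("fw-zrh-edge-01", "10.2.7-h3"),  # hotfix on an older maintenance release: still affected
        ("fw-zrh-edge-02", "10.2.9-h2"),  # meets the (placeholder) fixed build for 10.2.9
        ("fw-gva-dc-01", "11.1.3"),       # affected base version, no hotfix applied
        ("fw-bsl-lab-01", "11.2.3"),      # above the listed 11.2 range
        ("fw-ber-mgmt-01", "10.2.x"),     # bad inventory data must surface, not vanish
    ]
    for row in triage_inventory(SAMPLE_INVENTORY, SAMPLE_FIXED_HOTFIXES):
        print("{:<16} {:<10} {}".format(*row))
```

Feed it the Panorama device list or the output of `show system info` from each firewall; anything classified UNKNOWN is an inventory gap to close before the exposure assessment is considered complete.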

Swiss Exposure Profile

PAN-OS is among the most widely deployed perimeter firewall platforms in the Swiss enterprise and financial sector. Palo Alto Networks holds a leading position in Swiss banking, insurance, pharmaceutical manufacturing, healthcare, and cantonal government networks. The attack surface for CVE-2026-0300 is any internet-facing PAN-OS device with the User-ID Authentication Portal accessible from untrusted networks, a configuration that is common in organisations using GlobalProtect for remote access authentication.

The risk concentrates in organisations that expanded GlobalProtect deployments during 2020–2022 to support remote work, configured captive portal flows for BYOD onboarding, or built split-tunnel architectures requiring the User-ID portal to be reachable from employee home networks. In many of those deployments, the portal interface was deliberately exposed to the internet, and that exposure often went unreviewed once the emergency expansion of remote access subsided. It is now a direct unauthenticated path to root on the perimeter firewall.

Swiss SMEs are disproportionately at risk. Large enterprises with dedicated security operations tend to have more systematic exposure management; SMEs relying on managed firewall services from MSPs may not have confirmed visibility into whether their User-ID portal is internet-reachable. If you do not know the answer, that audit is the first action item.

What Root Access on PAN-OS Means in Practice

A root-level compromise of PAN-OS translates directly into control of the security infrastructure protecting every system behind it. From a compromised device, an attacker can inspect or modify all traffic traversing the firewall, including sessions where the device performs SSL decryption; in an SSL Forward Proxy deployment the device also holds the private key of the forward-trust CA that every managed endpoint trusts, so the attacker can mint certificates for arbitrary sites that those endpoints will accept. They can read stored credentials, certificates, and policy configurations held in PAN-OS. They can modify firewall rules to open inbound access paths that persist across reboots. And they hold a trusted network position from which lateral movement into internal segments proceeds without passing through additional security controls.

Palo Alto Networks Unit 42 threat intelligence has linked observed exploitation activity to actors consistent with initial access broker profiles: threat actors who compromise infrastructure and sell that access to ransomware operators or nation-state groups. A compromised PAN-OS perimeter device in a Swiss bank or healthcare network is a high-value asset in that market. The exploitation timeline mirrors the Cisco FMC zero-day in March and the Fortinet FortiClient EMS compromise in April: active exploitation confirmed within days of public disclosure, before most affected organisations complete their patching cycle.

◆ Key Takeaway

CVE-2026-0300 was confirmed actively exploited before most Swiss enterprises completed their initial exposure assessment. Root-level access to PAN-OS gives attackers authority over the device protecting every system behind it: the ability to inspect encrypted traffic, modify access rules, and pivot internally. Palo Alto has released patches for all affected branches. There is no defensible risk acceptance posture for an unmitigated, internet-exposed PAN-OS instance running an affected version.

ISA and FINMA Reporting Obligations

Swiss critical infrastructure operators subject to mandatory incident reporting under the Information Security Act must assess whether a confirmed compromise of their PAN-OS device is reportable. The ISA requires notification to BACS (the Federal Office for Cybersecurity) within 24 hours of discovering a significant incident. A root-level compromise of a perimeter device protecting critical financial or healthcare systems meets the significance threshold without ambiguity.

FINMA-supervised institutions face the parallel obligation to notify FINMA within 24 hours of incident detection under FINMA Circular 2023/1 on operational resilience. The circular covers events that compromise the confidentiality or integrity of systems essential to critical business processes. A compromised perimeter firewall handling authentication for banking infrastructure satisfies both conditions. Institutions uncertain about the reporting threshold should err toward disclosure — both BACS and FINMA accept pre-notification consultations in ambiguous cases, and notifying without strict obligation carries no penalty.

  • Inventory all PAN-OS and Panorama instances and confirm which version each runs — apply the fixed hotfix for your branch without waiting for a scheduled maintenance window.
  • If patching cannot occur within 12 hours, restrict User-ID Authentication Portal access to trusted subnets only using zone-based access control rules — this eliminates the attack surface while patching is in progress.
  • Enable Palo Alto Threat Prevention signatures for CVE-2026-0300 if your subscription is active — this provides detection coverage independently of patch status. Signatures only inspect traffic matched by a security rule that carries a Vulnerability Protection profile, so confirm that the rule governing portal traffic has such a profile attached and that the relevant signature is set to block, not alert.
  • Review firewall authentication and session logs from 1 May onward for anomalous connections to the User-ID portal interface from untrusted source IPs. Because the bug is reachable before authentication, a successful exploit need not leave any authentication-log entry; the traffic log for connections to the portal ports is the primary source, and an absence of failed logins proves nothing.
  • If any indicators of compromise are found, treat the device as a full incident: isolate it, forensically image the configuration and logs, rebuild from a known-good baseline, and rotate all credentials stored in PAN-OS configuration, including every private key the device holds (the SSL decryption forward-trust CA above all, since a stolen copy lets the attacker forge certificates long after the device is rebuilt).
  • Audit all GlobalProtect deployments for unnecessary internet exposure of the captive portal — remove any exposure that is not operationally required, regardless of patch status.
  • Assess ISA, FINMA Circular 2023/1, and — for DORA-scope entities — EU supervisory notification obligations before concluding that no report is required.
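The log review step above is the one most teams improvise. The following is an added example written for this article, not Palo Alto Networks code, and the log lines in it are constructed, using a simplified CSV export rather than PAN-OS's native traffic-log layout. It keeps every portal connection from a source outside the trusted subnets on or after 1 May and counts hits per source. The trusted subnets and the firewall's outside address (192.0.2.10) are placeholders; the portal ports 6080-6082 are what PAN-OS documentation gives for the Authentication Portal, but confirm them against your own configuration before relying on the filter.

```python
import csv
import io
import ipaddress
from datetime import datetime
from typing import Dict, Iterable, List

# Source networks allowed to reach the Authentication Portal (placeholders; use your own).
TRUSTED_SOURCES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed portal listener ports; PAN-OS documents 6080-6082 for the Authentication Portal.
PORTAL_PORTS = {6080, 6081, 6082}

# Start of the review window named in the checklist.
REVIEW_FROM = datetime(2026, 5, 1)

# Constructed sample export (simplified layout, not the native PAN-OS traffic-log CSV).
# 192.0.2.10 stands in for the firewall's internet-facing interface.
SAMPLE_LOG = """receive_time,src,dst,dport,app,action
2026/04/20 08:15:02,203.0.113.77,192.0.2.10,6081,web-browsing,allow
2026/05/02 22:41:17,10.20.30.40,192.0.2.10,6081,web-browsing,allow
2026/05/03 01:05:44,203.0.113.77,192.0.2.10,6081,web-browsing,allow
2026/05/03 01:05:51,203.0.113.77,192.0.2.10,6081,unknown-tcp,allow
2026/05/03 09:12:00,198.51.100.9,192.0.2.10,443,panos-global-protect,allow
2026/05/04 03:27:39,198.51.100.9,192.0.2.10,6080,web-browsing,allow
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the constructed CSV export into one dict per session record."""
    return list(csv.DictReader(io.StringIO(text)))


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_SOURCES)


def find_suspicious_portal_hits(records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return portal connections from untrusted sources on or after REVIEW_FROM.

    The filter keys on source trust and destination port, not on login outcome:
    a pre-authentication overflow needs no successful login and may never produce
    an authentication-log entry, so traffic records are the evidence that exists.
    """
    hits = []
    for r in records:
        ts = datetime.strptime(r["receive_time"], "%Y/%m/%d %H:%M:%S")
        if ts < REVIEW_FROM:
            continue
        if int(r["dport"]) not in PORTAL_PORTS:
            continue  # e.g. GlobalProtect on 443 is expected internet traffic
        if is_trusted(r["src"]):
            continue
        hits.append(r)
    return hits


def summarise_by_source(hits: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Count hits per source IP so repeat probers stand out from one-off scans."""
    counts: Dict[str, int] = {}
    for r in hits:
        counts[r["src"]] = counts.get(r["src"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_suspicious_portal_hits(parse_log(SAMPLE_LOG))
    for r in hits:
        print(f'{r["receive_time"]}  {r["src"]:>15} -> :{r["dport"]}  {r["app"]}')
    print("per-source:", summarise_by_source(hits))
```

Any source that appears here is not automatically an attacker, but each one is a connection that the interim zone-based restriction would have blocked, and every one dated before the hotfix was applied needs an explanation before the device can be declared clean.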

CVE-2026-0300 is the third critical management-plane zero-day in a Swiss-relevant perimeter product confirmed as actively exploited in fewer than ten weeks: Cisco FMC in March, Fortinet FortiClient EMS in April, PAN-OS now. The vulnerability type changes with each disclosure. The attacker logic — compromise the device that controls access to everything else — does not. Swiss CISOs who have not yet established a sub-24-hour response SLA for actively exploited perimeter vulnerabilities should make that change before the next advisory arrives.