A joint advisory from ThreatCluster, Ransom-ISAC, Defused, and Detections.ai highlights CVE-2026-0300, a critical out-of-bounds write (CWE-787) affecting Palo Alto Networks PA-Series and VM-Series firewalls. Rated CVSS 9.3, the flaw sits in the USER-ID authentication portal and allows an unauthenticated attacker to gain root on the device. Affected versions are PAN-OS 10.2, 11.1, 11.2, and 12.1, and limited exploitation has already been observed in the education, healthcare, and ISP sectors. Patches aren't expected until May 13 at the earliest, leaving a window of exposure that defenders need to manage now.
If you're running an affected PAN-OS version (check the running release against the list above), the advisory recommends monitoring inbound connections on ports 6080, 6081, and 6082 for anomalous HTTP POST requests, in particular those with oversized Content-Length headers hitting /php/uid.php. Restrict inbound access to those ports to the sources that genuinely need the portal, using allow lists and isolating the portal from untrusted networks where possible, and watch for unexpected outbound connections originating from the firewall itself, which could indicate a reverse shell. Palo Alto's Threat Prevention signatures should be updated as soon as new rules are available, and detection rules are also being shared through the Detections.ai ThreatCluster community. Don't wait for the patch: reduce your exposure today.
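The two detections the advisory describes (oversized POSTs to /php/uid.php on the portal ports, and the firewall opening connections it should not) can be expressed as simple rules over connection records. The script below is an added example written for this page, not code from the advisory or from Palo Alto Networks. The key=value log format, the firewall address 198.51.100.1, the syslog collector allow-list entry, the 16 KiB Content-Length threshold and all sample records are constructed for illustration and would need to be replaced with your own sensor's format and values; the ports, path and method are the ones the advisory names.

```python
"""Added example: flag oversized or malformed POSTs to the authentication portal
and unexpected outbound connections from the firewall, over constructed records.
Not part of the advisory; the log format and addresses below are invented."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

PORTAL_PORTS = {6080, 6081, 6082}   # authentication portal ports named in the advisory
PORTAL_PATH = "/php/uid.php"         # endpoint named in the advisory
MAX_CONTENT_LENGTH = 16_384          # assumed tuning threshold, not from the advisory

# Constructed: the firewall's own address and the only outbound flow it is
# expected to open (syslog to a collector). Populate from your environment.
FIREWALL_ADDRS = {"198.51.100.1"}
OUTBOUND_ALLOW = {("198.51.100.50", 514)}

# Constructed sample input in a hypothetical flat key=value format, as a sensor
# in front of the firewall might emit. These are not real PAN-OS logs.
SAMPLE_LOGS = """\
ts=2026-05-01T10:00:01Z src=203.0.113.10 dst=198.51.100.1 dport=6082 method=POST uri=/php/uid.php content_length=512
ts=2026-05-01T10:00:02Z src=203.0.113.44 dst=198.51.100.1 dport=6082 method=POST uri=/php/uid.php content_length=1048576
ts=2026-05-01T10:00:03Z src=203.0.113.44 dst=198.51.100.1 dport=6081 method=POST uri=/php/uid.php content_length=-1
ts=2026-05-01T10:00:04Z src=203.0.113.10 dst=198.51.100.1 dport=6080 method=GET uri=/php/uid.php content_length=-
ts=2026-05-01T10:00:05Z src=198.51.100.1 dst=203.0.113.44 dport=4444 method=- uri=- content_length=-
ts=2026-05-01T10:00:06Z src=198.51.100.1 dst=198.51.100.50 dport=514 method=- uri=- content_length=-
"""


@dataclass(frozen=True)
class Alert:
    rule: str
    ts: str
    src: str
    dst: str
    dport: int
    detail: str


_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Parse one key=value record into a dict of strings (all values unparsed)."""
    return dict(_KV.findall(line))


def check_portal_post(rec: dict) -> Optional[Alert]:
    """Rule 1: POST to the portal path on a portal port whose Content-Length is
    oversized, negative or non-numeric. A malformed length is reported as its
    own finding: no browser sends one, and it is a cheap way to probe a parser."""
    try:
        dport = int(rec.get("dport", ""))
    except ValueError:
        return None
    if dport not in PORTAL_PORTS or rec.get("method") != "POST" or rec.get("uri") != PORTAL_PATH:
        return None
    raw = rec.get("content_length", "")
    try:
        length = int(raw)
    except ValueError:
        return Alert("portal_post_malformed_length", rec["ts"], rec["src"], rec["dst"], dport,
                     f"content_length={raw!r} is not numeric")
    if length < 0:
        return Alert("portal_post_malformed_length", rec["ts"], rec["src"], rec["dst"], dport,
                     f"content_length={length} is negative")
    if length > MAX_CONTENT_LENGTH:
        return Alert("portal_post_oversized", rec["ts"], rec["src"], rec["dst"], dport,
                     f"content_length={length} exceeds {MAX_CONTENT_LENGTH}")
    return None


def check_firewall_outbound(rec: dict) -> Optional[Alert]:
    """Rule 2: the firewall itself initiating a connection to a destination that
    is not on the allow list (a possible reverse shell or callback)."""
    src = rec.get("src")
    if src not in FIREWALL_ADDRS:
        return None
    try:
        dport = int(rec.get("dport", ""))
    except ValueError:
        return None
    dst = rec.get("dst", "")
    if (dst, dport) in OUTBOUND_ALLOW:
        return None
    return Alert("firewall_unexpected_outbound", rec["ts"], src, dst, dport,
                 "destination not on the outbound allow list")


def analyze(text: str) -> list[Alert]:
    """Run both rules over every non-empty record and return the alerts in order."""
    alerts: list[Alert] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        for check in (check_portal_post, check_firewall_outbound):
            alert = check(rec)
            if alert is not None:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

Run against the constructed records, the script raises three alerts: the 1 MiB POST from 203.0.113.44, the negative Content-Length from the same host, and the firewall's later connection to that host on port 4444, which is exactly the sequence (oversized request, then callback from the appliance) the advisory tells you to watch for. The benign 512-byte POST, the GET, and the allowed syslog flow stay silent. The threshold is deliberately a named constant; tune it from a baseline of legitimate portal logins before trusting it in production.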