Cybersecurity Blog | RedLegg

Security Bulletin: Unauthenticated Remote Code Execution Vulnerability in PAN-OS User-ID Authentication Portal

Written by RedLegg's Cyber Threat Intelligence Team | 5/7/26 3:15 PM

About:

CVE-2026-0300 is a critical, unauthenticated remote code execution vulnerability in the PAN-OS User-ID Authentication Portal (Captive Portal). An out-of-bounds write in the portal allows a remote attacker to send crafted requests to an exposed portal and execute code on the firewall without authenticating.

Palo Alto Networks confirms that the vulnerability is being actively exploited in the wild. PA-Series and VM-Series firewalls running an affected PAN-OS release with the User-ID Authentication Portal configured should be upgraded immediately, and any firewall that exposed the portal while unpatched should be reviewed for signs of compromise.

RedLegg will occasionally communicate vulnerabilities disclosed outside the usual release schedule to provide additional value to our customers. These emergency bulletins cover vulnerabilities or threats we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation.

VULNERABILITIES

Unauthenticated Remote Code Execution Vulnerability in PAN-OS User-ID Authentication Portal


Identifier: CVE-2026-0300

CVSS Score: 9.3 (Critical, CVSS v4.0)

PoC or Exploitation:

Palo Alto Networks confirms that this vulnerability is actively exploited in the wild.

Update/Patch:

Palo Alto Networks has released fixes for this vulnerability.
 
Affected versions include:

  • PAN-OS 12.1 versions earlier than 12.1.4-h5 and 12.1.7
  • PAN-OS 11.2 versions earlier than 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, and 11.2.12
  • PAN-OS 11.1 versions earlier than 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15
  • PAN-OS 10.2 versions earlier than 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6
 
Fixed versions include:

  • PAN-OS 12.1.4-h5 and later; PAN-OS 12.1.7 and later
  • PAN-OS 11.2.4-h17 and later; 11.2.7-h13 and later; 11.2.10-h6 and later; 11.2.12 and later
  • PAN-OS 11.1.4-h33 and later; 11.1.6-h32 and later; 11.1.7-h6 and later; 11.1.10-h25 and later; 11.1.13-h5 and later; 11.1.15 and later
  • PAN-OS 10.2.7-h34 and later; 10.2.10-h36 and later; 10.2.13-h21 and later; 10.2.16-h7 and later; 10.2.18-h6 and later
 
Not affected:
  • Prisma Access
  • Cloud NGFW
  • Panorama appliances
 
Palo Alto Networks advisory and patch guidance:

 
Description:

CVE-2026-0300 is a buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal caused by an out-of-bounds write. A remote attacker can exploit it without authentication by sending crafted requests to a firewall interface on which the User-ID Authentication Portal is exposed; successful exploitation may allow remote code execution on the firewall itself.

The vulnerability affects PA-Series and VM-Series firewalls configured with the User-ID Authentication Portal, also known as Captive Portal. Firewalls that do not have the portal configured are not exposed to the attack path described here, but should still be upgraded to a fixed release.
 

Mitigation Recommendation:

Immediately upgrade affected PAN-OS devices to the fixed versions provided by Palo Alto Networks.

Prioritize patching internet-facing firewalls and any firewall that exposes User-ID Authentication Portal functionality.

Limit access to User-ID Authentication Portal interfaces to trusted networks where operationally feasible; this reduces exposure but is not a substitute for the patch.

Review firewall logs for suspicious requests targeting Captive Portal or User-ID Authentication Portal services.

Conduct threat hunting and forensic review on exposed systems, especially where the portal was reachable prior to patching. Because exploitation is confirmed in the wild, treat any firewall that exposed the portal while running an affected release as potentially compromised until that review is complete.
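The affected-version lists above follow the advisory convention where "earlier than 11.2.7-h13" also covers 11.2.5 and 11.2.6, which never received a hotfix of their own, so a naive numeric comparison against the first fixed build gets the answer wrong. The script below is an added example, not RedLegg's or Palo Alto Networks' own tooling: it encodes the fixed versions from this bulletin, parses the sw-version string a firewall reports (the `show system info` output is the assumed source), and triages a constructed inventory into patched, affected-and-exposed, affected-but-unexposed, and not-covered-by-the-bulletin. The hostnames, versions and portal flags in SAMPLE_INVENTORY are made up for the demonstration.

```python
"""Version triage for CVE-2026-0300 (added example; not RedLegg's or Palo Alto
Networks' own tooling). Encodes the fixed versions listed in this bulletin and
classifies an inventory of firewalls. Hostnames, versions and portal flags in
SAMPLE_INVENTORY are constructed for the demo."""
import re

# Fixed versions exactly as listed in the bulletin, keyed by feature release.
FIXED_VERSIONS = {
    "12.1": ["12.1.4-h5", "12.1.7"],
    "11.2": ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6",
             "11.1.10-h25", "11.1.13-h5", "11.1.15"],
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21",
             "10.2.16-h7", "10.2.18-h6"],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """'11.2.7-h13' -> (11, 2, 7, 13); a release without a hotfix gets hotfix 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_fixed(version):
    """True if the version carries the fix, False if it is affected, None if the
    feature release is not covered by the bulletin (verify with the vendor).

    Advisory semantics: "earlier than 11.2.7-h13" also covers 11.2.5 and 11.2.6,
    which have no hotfix of their own. So a version is fixed only if it reaches
    the fix on its own maintenance release, or it is a maintenance release newer
    than the last one the bulletin lists (e.g. 11.2.13).
    """
    major, minor, maint, hotfix = parse_version(version)
    fixes = FIXED_VERSIONS.get(f"{major}.{minor}")
    if fixes is None:
        return None
    parsed = [parse_version(f) for f in fixes]
    if maint > max(p[2] for p in parsed):
        return True
    for _, _, fix_maint, fix_hotfix in parsed:
        if maint == fix_maint:
            return hotfix >= fix_hotfix
    return False  # sits below a listed fix and has no fix on its own release


def triage(inventory):
    """inventory: iterable of (hostname, sw_version, captive_portal_enabled).
    Returns [(hostname, status)] where status is one of:
      'fixed'               patched, no action for this CVE
      'affected-exposed'    vulnerable build with the portal configured: patch now
                            and hunt per the bulletin's guidance
      'affected-unexposed'  vulnerable build, portal not configured: patch in the
                            emergency window
      'not-listed'          feature release not in the bulletin: check the advisory
    """
    results = []
    for host, version, portal_enabled in inventory:
        fixed = is_fixed(version)
        if fixed is None:
            status = "not-listed"
        elif fixed:
            status = "fixed"
        elif portal_enabled:
            status = "affected-exposed"
        else:
            status = "affected-unexposed"
        results.append((host, status))
    return results


# Constructed sample inventory: sw-version is the field from `show system info`,
# the portal flag is whatever your configuration export reports.
SAMPLE_INVENTORY = [
    ("edge-fw-01", "11.1.6-h31", True),    # one hotfix short of 11.1.6-h32
    ("dc-fw-02", "11.1.6-h32", True),      # exactly the fixed build
    ("lab-fw-03", "10.2.9", False),        # between 10.2.7-h34 and 10.2.10-h36
    ("legacy-fw-04", "10.1.14", True),     # 10.1 is not in the bulletin
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {status}")
```

A firewall reported as `affected-exposed` is the one to patch first and to include in the log review and threat hunt above; `not-listed` means the feature release does not appear in this bulletin at all, which is a prompt to check the vendor advisory rather than a clean bill of health.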