CISOOnline

Critical Palo Alto Networks software bug hits exposed firewalls

The flaw only affects PAN-OS deployments where the User-ID Authentication Portal is enabled. Affected versions span multiple PAN-OS release branches, including 10.2, 11.1, and 12.1 releases prior to the patched builds scheduled for rollout in May.

Wiz researcher Merav Bar said the Google-owned research firm found that 7% of environments have publicly exposed PAN-OS instances. However, how many of them have the affected portal enabled is not known. “Since this portal utilizes ports 6081 and 6082, the exposure of these specific ports is the primary metric for exploitability,” she added in a blog post. “Currently, Shodan identifies 67 exposed PAN-OS servers on port 6081, with none detected on port 6082.”

The vulnerability has also attracted government attention. The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-0300 to its Known Exploited Vulnerabilities (KEV) catalog shortly after the disclosure, while multiple national cybersecurity agencies warned organizations to assume further exploitation is likely.
