Palo Alto Zero-Day Hits Live: CVE-2026-0300 Lets Attackers Take Over PAN-OS Firewalls — The 7-Day UK SME Action Plan Before the 13 May Patch

Palo Alto Networks confirmed this morning that a critical, unauthenticated remote-code-execution flaw in PAN-OS — tracked as CVE-2026-0300 — is being actively exploited in the wild against internet-facing firewalls. The zero-day sits inside the User-ID Authentication Portal (also marketed as the Captive Portal) and stems from a buffer-overflow weakness that lets an attacker, with no credentials and no user interaction, run arbitrary code as root on PA-Series hardware appliances and VM-Series virtual firewalls. A patch is not yet available; Palo Alto Networks has confirmed the first software fixes are scheduled for 13 May 2026, exactly seven days from publication of this article.

The Internet threat-intelligence service Shadowserver is currently tracking more than 5,800 PAN-OS VM-Series firewalls exposed to the public internet, with the largest concentrations in Asia (2,466 instances) and North America (1,998 instances), and a long tail across Europe, the UK and the Middle East. Limited exploitation has already been observed against portals exposed to untrusted IP ranges. For UK SMEs running PAN-OS in any internet-facing role — whether as a primary edge firewall, a remote-worker VPN concentrator, an Azure perimeter VM-Series appliance or an Active Directory User-ID integration point — the next seven days carry a structurally elevated probability of compromise.

CVE-2026-0300: PAN-OS User-ID Authentication Portal RCE
5,800+: Internet-exposed PAN-OS VM-Series firewalls (Shadowserver)
7 days: Until first patch ships (13 May 2026)
70,000+: Palo Alto Networks customers worldwide
Patch is still seven days away — mitigations must be applied today

If your business runs any PA-Series, VM-Series, CN-Series or Prisma Access deployment with the User-ID Authentication Portal (Captive Portal) reachable from the public internet or any untrusted IP range, treat your perimeter as actively at risk. Disable the portal or restrict it to trusted internal zones before close of business today. Cloud NGFW and Panorama appliances are confirmed unaffected. Detailed mitigation, indicators of compromise and a 10-step 7-day plan are below.

What CVE-2026-0300 actually does

The User-ID Authentication Portal — older Palo Alto deployments still call it the Captive Portal — is the PAN-OS feature that authenticates users whose identities cannot be automatically mapped through agent-based User-ID, Group Mapping or Terminal Server agents. In practice it is the web page a guest, contractor or BYOD user hits when their IP is seen but their identity is not yet known to the firewall. The portal then prompts for credentials, validates them, and binds the resulting username to that IP for policy enforcement.

The flaw, disclosed by Palo Alto Networks PSIRT in advisory PAN-SA-2026-0028, is a classic buffer overflow in the way the portal parses certain crafted HTTP request packets. A specially-crafted request — sent over the same TCP/443 listener that serves the portal — overflows an internal buffer and overwrites adjacent memory in a way that hands the attacker arbitrary code execution. Because the portal service runs as root on PAN-OS, that code execution is unrestricted. The attacker does not need a username, a password, an API key or a captured session token. One unauthenticated TCP/443 request, and the firewall is theirs.

The practical implication for a UK SME is severe. A compromised PAN-OS firewall is not just “a server” on your network — it is the device that decides which packets reach every endpoint, every server, every cloud workload behind it. From a root shell on the firewall, an attacker can disable logging silently, rewrite NAT and routing, capture every authentication request flowing through the management plane, harvest GlobalProtect VPN credentials at the moment of authentication, and pivot into Active Directory using the User-ID service account. None of those actions will trigger a Defender alert on a workstation, because none of them touch a workstation. The firewall is, by design, the most-trusted box in your network — and CVE-2026-0300 turns that trust against you.

The 7-day timeline — how this week unfolded

Sat 2 May 2026: First exploitation suspected
A managed-service provider in Singapore detects unusual outbound TLS traffic from a customer’s VM-Series firewall to a small set of IP addresses geolocated in Eastern Europe. Forensic capture of the appliance shows an unfamiliar persistence mechanism running under the root account on the firewall. The MSP escalates to Palo Alto Networks PSIRT.
Mon 4 May 2026: Telemetry confirms wider campaign
Shadowserver telemetry and Palo Alto Networks Unit 42 cross-reference the indicators of compromise from the first incident and identify a small cluster of additional targeted PAN-OS deployments in Asia and the United States. All of the affected firewalls share one trait: the User-ID Authentication Portal is reachable from arbitrary public IPs.
Tue 5 May 2026: Internal reproduction
Palo Alto Networks PSIRT reproduces the vulnerability internally, confirms the buffer-overflow root cause and assigns CVE-2026-0300. Severity is graded the highest tier on the company’s internal scale. A coordinated disclosure track is opened with CISA and major partner ISACs, including the UK’s NCSC.
Wed 6 May 2026: Public advisory and customer notification
Palo Alto Networks publishes advisory PAN-SA-2026-0028 at 05:18 EDT (10:18 BST), confirming “limited exploitation” against User-ID Authentication Portals exposed to untrusted IP addresses. The company recommends restricting the portal to trusted zones or disabling it entirely until a fix ships. Cloud NGFW and Panorama are confirmed unaffected.
Wed 6 May 2026 (later): NCSC and CISA advisories
The NCSC issues a UK-specific alert urging immediate review of any PAN-OS estate, with priority on internet-facing User-ID Authentication Portals. CISA confirms it expects to add CVE-2026-0300 to the Known Exploited Vulnerabilities catalogue within 24 hours, triggering Binding Operational Directive 22-01 obligations for US federal civilian agencies and de facto requirements for any organisation aligned to KEV.
Thu 7 to Mon 11 May 2026: Mass-scanning and broker activity expected
Historical pattern: within 24–72 hours of public disclosure of an unauthenticated perimeter-device RCE, mass scanning for the affected service signature begins, followed within seven days by initial-access-broker listings on dark-web markets. UK businesses with the portal still internet-facing this weekend are statistically the highest-risk cohort.
Wed 13 May 2026: First software fixes scheduled
Palo Alto Networks publicly commits to first software fixes by this date, covering currently-supported PAN-OS major branches. Customers on extended-support or end-of-life branches will require either an upgrade plan or, where upgrade is not feasible in the window, a continued reliance on the portal-disabled mitigation.

Why this hits UK SMEs harder than the headline suggests

Headlines focus on the global figure of 5,800 internet-exposed VM-Series firewalls. That undercounts the UK SME exposure for three reasons. First, Shadowserver’s figure measures the management plane on its default port; many UK deployments expose the User-ID Authentication Portal on a dedicated FQDN with a non-default certificate, which evades fingerprint-based scanning but does not evade the actual exploit. Second, the figure does not include PA-Series hardware appliances that sit behind upstream equipment and present the portal on an internal interface that is bridged to a public address via NAT. Third, it does not capture the substantial cohort of UK SMEs running Prisma Access in a hybrid model where PAN-OS authentication portals are surfaced to remote workers over the open internet.

The independent Cloudswitched perimeter-discovery dataset — compiled across 327 UK SME networks audited between November 2025 and April 2026 — suggests UK exposure is significantly higher than the headline 5,800 figure implies on a per-business basis. In our sample, 22% of businesses running any PAN-OS product had the User-ID Authentication Portal reachable from at least one public IP without geographic ACLs. Of those, 41% had the portal exposed without a web application firewall in front of it, and 64% had no MFA enforced on portal authentication. None of those gaps are individually unusual; together they form the exact attack surface CVE-2026-0300 is built to exploit.

78% of UK SME PAN-OS deployments audited in the last 6 months had at least one exploitable exposure on the User-ID Authentication Portal interface

The wider 2026 perimeter pattern — vendors most affected

CVE-2026-0300 is not a Palo Alto Networks problem. It is a perimeter-device problem. Across the major firewall and remote-access vendor cohort, 2026 is on track to be the heaviest year for actively-exploited zero-days in any device class outside of Windows itself. Compiled from CISA KEV listings, vendor advisories and Shadowserver telemetry over October 2024 to early May 2026:

Critical zero-days in perimeter products, last 18 months (by vendor)

| Vendor (products) | Critical, actively-exploited CVEs |
| --- | --- |
| Fortinet (FortiGate, EMS, FortiOS) | 12 |
| Cisco (ASA, FMC, Secure Firewall, UCM) | 10 |
| Ivanti (Connect Secure, Policy Secure) | 8 |
| Palo Alto Networks (PAN-OS, GlobalProtect) | 6 |
| Citrix (NetScaler ADC / Gateway) | 6 |
| SonicWall (SMA, firewalls) | 4 |
| Check Point (Quantum, Harmony) | 3 |

Source: compiled from CISA KEV catalogue entries, vendor advisories and Shadowserver telemetry, October 2024 – 6 May 2026. Totals count distinct CVEs rated critical and confirmed exploited in the wild. CVE-2026-0300 takes Palo Alto Networks from 5 to 6 critical, actively-exploited perimeter CVEs in the 18-month window.

Where UK SMEs typically have hidden PAN-OS exposure

When Cloudswitched runs perimeter-discovery engagements, the most common PAN-OS finding is not an unpatched feature — it is a forgotten feature. The User-ID Authentication Portal is enabled by default in many PAN-OS template configurations, and stays enabled long after the original use case (typically a single contractor authentication flow or a guest Wi-Fi captive portal) has retired. A second pattern is the User-ID portal exposed via a load-balancer rule that survived a network refresh nobody documented. A third is a PAN-OS VM-Series instance running in Azure or AWS, where the management interface and the data-plane portal share the same public IP — often inherited from a Terraform module that was never security-reviewed.

Highest-risk PAN-OS configurations — act today

| Configuration | Risk |
| --- | --- |
| User-ID Authentication Portal reachable from any public IP | High |
| Portal enabled but no business owner identified | High |
| VM-Series with management and data-plane on same public IP | High |
| PAN-OS branch on extended support without active vendor maintenance | High |

Secondary exposures — close this week

| Configuration | Risk |
| --- | --- |
| No MFA on portal authentication | Medium |
| No web application firewall in front of portal | Medium |
| No central log shipping from PAN-OS to SIEM | Medium |
| PAN-OS configuration backup not tested for restore in last 90 days | Low |

Two of those high-risk items — portal exposure and unowned features — are the ones that get businesses breached. The other two — shared public IPs and end-of-support branches — are the ones that turn a clean patching exercise into a multi-week migration project. None of them are individually exotic; they are the everyday accumulated drift of a perimeter that has not been re-audited since the device was first racked.

The cost of a PAN-OS edge-device breach — modelled for UK SME bands

Edge-device incidents are not contained in hours. From the first indication of compromise, the response sequence is forensic imaging of the appliance, vendor case engagement, full credential rotation across every user and service account, perimeter and identity hardening, and — in the 30%+ of cases that escalate to encryption — a full ransomware recovery cycle. Modelled against the Cyber Security Breaches Survey 2025/2026 cost data, PwC’s 2026 UK Cyber Cost Index and Cloudswitched’s own engagement record, the cost envelope for a PAN-OS perimeter compromise looks like this:

| Business size | Typical PAN-OS estate | Median incident cost | Median downtime |
| --- | --- | --- | --- |
| 1–10 staff | 1 PA-Series appliance, 1 VPN profile | £22,000 – £48,000 | 3–6 working days |
| 10–50 staff | HA pair, GlobalProtect, AD User-ID | £72,000 – £160,000 | 6–10 working days |
| 50–150 staff | HA pair, multi-site VPN, Panorama, hybrid Prisma | £210,000 – £480,000 | 9–16 working days |
| 150–500 staff | Multi-region edge, Panorama cluster, Prisma Access at scale | £560,000 – £1.6m | 14–28 working days |

Costs include incident response, forensic imaging, vendor professional services, full identity-store credential rotation, downtime productivity loss, regulatory notification and additional cyber-insurance excess. They exclude reputational damage and customer-contract clawbacks, both of which add 30–60% to total loss in regulated sectors. Where the PAN-OS appliance also held the User-ID integration with Active Directory, costs at the upper end of each band increase by approximately one-third because of the additional AD recovery and identity-store assurance work that follows.

Reactive patching versus a proactive perimeter programme

| Control | Reactive patching (most UK SMEs today) | Proactive perimeter programme (managed by Cloudswitched) |
| --- | --- | --- |
| Patch trigger | News headlines, insurer emails | KEV additions (automated alerting) |
| Asset register | Incomplete or absent | Discovery-scanned, reconciled monthly |
| Firmware lag | 3–9 months behind current | Within n-1 of current release |
| User-ID Portal review | Once at deployment, never since | Quarterly review with named owner |
| MFA on portal / VPN | Partial or none | Enforced everywhere, no exceptions |
| Log shipping | Local syslog only | Central SIEM, 13-month retention |
| Config restore test | Not performed | Quarterly, documented |
| Patch-to-KEV time | 46 days (median) | Under 72 hours for critical |

The 7-day plan — what to do before the patch ships on 13 May

Below is the response sequence Cloudswitched is using internally and with managed-service customers between today and the scheduled patch on 13 May 2026. It is designed to be executable by a competent in-house IT team, or by a managed provider acting on your behalf, within seven calendar days. Steps 1 to 4 must complete today; step 5 onwards is rolling work to the patch window.

The 10-step 7-day PAN-OS hardening plan

1. Inventory every PAN-OS device in the estate (Day 1)
2. Identify portal exposure on every public IP (Day 1)
3. Disable or trust-zone the User-ID Authentication Portal (Day 1)
4. Hunt logs for portal exploitation indicators (Day 1–2)
5. Rotate all PAN-OS administrative credentials (Day 2)
6. Enforce MFA on portal, VPN and admin paths (Day 2–3)
7. Capture forensic snapshot before patching (Day 3–4)
8. Notify cyber insurer and document mitigations (Day 3)
9. Apply the 13 May patch within 72 hours of release (Day 7–10)
10. Schedule a 30-day perimeter follow-up review (Day 10+)

Step-by-step detail

1. Inventory every PAN-OS device in the estate. Pull a list from Panorama if you have it; pull a list from your asset register if you do not. Cross-reference against your monitoring system, your DNS records and your cloud-platform inventories (Azure, AWS, GCP). Many UK SMEs find at least one PAN-OS instance during this step that nobody currently owns — usually a VM-Series in a dev tenancy that quietly graduated to production three years ago.

2. Identify portal exposure on every public IP. For each PAN-OS instance, document whether the User-ID Authentication Portal is enabled, on which interfaces, and whether any of those interfaces are reachable from the open internet. The fastest check is to open Device > User Identification > Authentication Portal Settings on each PAN-OS box and confirm whether Enable Authentication Portal is ticked. Then map the interface bound to the portal against your perimeter NAT rules. If the answer is “reachable from the open internet” for any device, you are in the high-risk cohort.

3. Disable or trust-zone the User-ID Authentication Portal. Two acceptable mitigations, in order of preference. (a) Disable the portal entirely if you have no current business need. Many UK SMEs find on inspection that the portal is on by default but unused in policy. (b) If the portal is in active use, restrict the source-zone of the portal to trusted internal zones only, and ensure no external NAT or load-balancer rule still steers public traffic to the portal interface. Document the change. Communicate any temporary impact to users (typically only contractors or guests) before the change window.

4. Hunt logs for indicators of compromise. Pull the last 14 days of HTTPS access logs for the portal interface. Look for unusual user-agents, abnormally long URL paths, repeated requests from single IPs to the portal endpoint, or unauthenticated POSTs containing oversized binary payloads. Pull the firewall’s own data-plane logs for outbound TLS sessions to IPs not seen in the last 90 days. Preserve raw logs off-box to your SIEM or to a write-once cold store before any reboot.

5. Rotate all PAN-OS administrative credentials. Local admin accounts, RADIUS- or TACACS-bound admin accounts, the User-ID service account in Active Directory, the API keys used by Panorama, and any automation key bound to your CI or NetOps tooling. If the portal was internet-facing in the last 14 days, treat the management plane as potentially compromised even if no indicator is found. The cost of rotation is small; the cost of leaving an unrotated key behind a now-mitigated portal is unknowable.

6. Enforce MFA on portal, VPN and administrative paths. The portal itself, GlobalProtect, every PAN-OS web-management plane, the Panorama administrative console, the Prisma Access tenant. Single-factor authentication on any of these paths is no longer defensible under Cyber Essentials v3.3 (effective 27 April 2026), under most cyber-insurance policies written this year, or under any sensible reading of NCSC guidance.

7. Capture forensic snapshot before patching. Before applying the 13 May fix, capture a full configuration export, a system-info dump, an output of show jobs all, the full system log archive, and where possible a packet capture of the portal interface for the previous 30 minutes. Many edge-device backdoors are non-persistent across firmware upgrades, which means the upgrade destroys the evidence you would need for an insurance claim, an ICO notification or an Information Tribunal hearing.

8. Notify your cyber insurer and document mitigations. Most 2026-vintage UK cyber policies require notification within 72 hours of becoming aware of an incident or even a credible exposure involving a CISA KEV-listed vulnerability. Submit a notification reference number now, including the dated mitigations applied (portal disabled or trust-zoned, MFA enforced, logs preserved, credentials rotated). Silence at the start of an incident is the single most-cited reason insurers later refuse cover.

9. Apply the patch within 72 hours of the 13 May release. Stage the patch in a non-production HA pair first if you have one. Apply during a published change window. Confirm the User-ID Authentication Portal is patched against CVE-2026-0300 in show system info, then re-enable the portal in its normal trust-zone configuration if you disabled it. Document the firmware version before and after, the exact UTC timestamp of the change, and the engineer who made the change.
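Step 9 asks for the firmware version before and after, the UTC timestamp and the engineer, and for confirmation from show system info that the running build is fixed. The following Python is an added example (not Cloudswitched's or Palo Alto Networks' own tooling) that builds that change record from two captured show system info outputs. It assumes the output is key: value lines (the two captures below are constructed), and DEMO_FIXED_VERSIONS is a placeholder because this article does not name the fixed PAN-OS builds; fill it in from advisory PAN-SA-2026-0028 when the fix ships. The version parser handles the -hN hotfix suffix so that 10.2.4-h3 compares correctly against 10.2.13-h2, which a plain string comparison gets wrong.

```python
"""Build the before/after change record for the 13 May PAN-OS patch.

Added example, not Cloudswitched's or Palo Alto Networks' own tooling. It
takes the text of `show system info` captured before and after the upgrade
(assumed here to be key: value lines; the two captures below are constructed)
and a map of fixed versions per release branch. DEMO_FIXED_VERSIONS is a
PLACEHOLDER: the article does not name the fixed builds, so fill it in from
advisory PAN-SA-2026-0028 when the fix ships.
"""
import re
from datetime import datetime, timezone

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

# Constructed sample captures in the key: value shape of `show system info`.
BEFORE_CAPTURE = """\
hostname: edge-fw-01
serial: 000000000001
model: PA-VM
sw-version: 10.2.4-h3
uptime: 212 days, 4:17:01
"""
AFTER_CAPTURE = (BEFORE_CAPTURE
                 .replace("sw-version: 10.2.4-h3", "sw-version: 10.2.13-h2")
                 .replace("212 days, 4:17:01", "0 days, 0:09:12"))

# PLACEHOLDER values constructed for the demo; not the real fixed versions.
DEMO_FIXED_VERSIONS = {"10.2": "10.2.13-h2", "11.1": "11.1.6"}


def parse_system_info(text: str) -> dict:
    """Turn 'key: value' lines into a dict. The uptime value contains colons
    of its own, so split on the first ': ' only."""
    info = {}
    for line in text.splitlines():
        if ": " in line:
            key, value = line.split(": ", 1)
            info[key.strip()] = value.strip()
    return info


def parse_version(version: str) -> tuple:
    """'10.2.4-h3' -> (10, 2, 4, 3); '11.1.6' -> (11, 1, 6, 0). Tuples compare
    numerically, so 10.2.13 sorts above 10.2.4; a string comparison would not."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_fixed(running: str, fixed_map: dict) -> bool:
    """True only when the running build is at or above the fixed build for its
    own branch. A branch with no fixed build (end-of-life, or not yet covered)
    counts as unpatched, which is the safe default for the 7-day plan."""
    v = parse_version(running)
    fixed = fixed_map.get(f"{v[0]}.{v[1]}")
    return fixed is not None and v >= parse_version(fixed)


def change_record(before_text: str, after_text: str, engineer: str, fixed_map: dict) -> dict:
    """The evidence step 9 asks for: versions before and after, fixed verdicts,
    UTC timestamp and the engineer who made the change."""
    before, after = parse_system_info(before_text), parse_system_info(after_text)
    if before.get("serial") != after.get("serial"):
        raise ValueError("before/after captures come from different devices")
    return {
        "hostname": after.get("hostname"),
        "serial": after.get("serial"),
        "sw_version_before": before["sw-version"],
        "sw_version_after": after["sw-version"],
        "was_fixed_before": is_fixed(before["sw-version"], fixed_map),
        "is_fixed_after": is_fixed(after["sw-version"], fixed_map),
        "changed_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "engineer": engineer,
    }


if __name__ == "__main__":
    import json
    record = change_record(BEFORE_CAPTURE, AFTER_CAPTURE, "a.engineer", DEMO_FIXED_VERSIONS)
    print(json.dumps(record, indent=2))
```

Keeping the record as structured data rather than a screenshot is deliberate: the same dict can be attached to the insurer notification in step 8 and to the Cyber Essentials evidence pack without retyping.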

10. Schedule a 30-day follow-up perimeter review. CVE-2026-0300 is the symptom; the underlying problem is that perimeter devices are inspected once at deployment and rarely afterwards. Within 30 days, schedule a structured review covering asset inventory, firmware lifecycle, management-plane exposure, MFA enforcement, log shipping, configuration backup and a tested restore. That review is what determines whether the next perimeter zero-day is a patch event or an incident.

69%: Share of UK SME ransomware incidents in 2026 year-to-date that began with exploitation of an internet-exposed perimeter or remote-access device

If you are reading this on the train home

The single most useful thing you can do tonight is send one short email to whoever owns your firewall. Subject: “CVE-2026-0300 PAN-OS portal status.” Body: “Please confirm in writing by close of business tomorrow whether our User-ID Authentication Portal is reachable from any public IP, and what mitigations have been applied today. Reference Palo Alto Networks advisory PAN-SA-2026-0028.” That email becomes part of your evidence trail for insurance, Cyber Essentials, and ICO notification timelines if anything later goes wrong.

At-a-glance summary

| Field | Value |
| --- | --- |
| CVE | CVE-2026-0300 |
| Vendor | Palo Alto Networks |
| Product family | PAN-OS (PA-Series, VM-Series, CN-Series) |
| Affected feature | User-ID Authentication Portal (Captive Portal) |
| Vulnerability class | Buffer overflow, unauthenticated remote code execution |
| Privilege gained | root on PAN-OS |
| Severity rating (vendor) | Highest possible |
| Active exploitation | Confirmed (limited at time of writing) |
| Internet-exposed VM-Series (Shadowserver) | 5,800+ |
| Patch availability | First fixes scheduled 13 May 2026 |
| Recommended interim mitigation | Disable or trust-zone the User-ID Authentication Portal |
| Unaffected products | Cloud NGFW, Panorama appliances |
| NCSC alert | Issued 6 May 2026 for UK organisations |
| Expected CISA KEV addition | Within 24 hours of disclosure |
| Cyber Essentials v3.3 implication | Internet-facing critical CVE; 14-day patching obligation |

Putting this in context with the wider 2026 cyber picture

CVE-2026-0300 lands in a year already shaped by perimeter compromise. The UK government’s Cyber Security Breaches Survey 2025/2026 reported a doubling of breaches with revenue impact. The Fortinet and Cisco zero-days covered in our 21 April analysis defined a single working week in which two of the largest enterprise vendors shipped emergency hotfixes. The 27 April 2026 launch of Cyber Essentials v3.3 with the Danzell question set introduced the first auto-fail trigger in the scheme’s history for unpatched internet-facing critical CVEs. The government’s 22 April Cyber Resilience Pledge and £90m SME fund placed cyber resilience at board level and pushed Cyber Essentials through every supply chain. And the 22 April warning from the UK’s most senior security official confirmed that state-backed actors are scaling against UK businesses of every size. Read together, those five news cycles describe the operating environment in which CVE-2026-0300 will be weaponised over the next fortnight.

PAN-OS in your estate? Talk to Cloudswitched today.

A 30-minute exposure call confirms every Palo Alto Networks device in your estate, identifies whether the User-ID Authentication Portal is reachable from the public internet, and produces a named-owner remediation plan against the 13 May patch deadline. We will work alongside your existing IT team or MSP, with no obligation and no sales pressure — just the actionable view of where you stand this week.

Book a free PAN-OS exposure review

Frequently asked questions

We are on Prisma Access, not on-premises PAN-OS. Are we affected?
Possibly, depending on your tenant configuration. Pure cloud-only Prisma Access flows that never traverse a customer-managed PAN-OS appliance are governed by the cloud control-plane, which is updated by Palo Alto Networks centrally and is not impacted by CVE-2026-0300. However, hybrid deployments where Prisma Access fronts an on-premises PAN-OS firewall, or where the customer hosts a User-ID Authentication Portal on a regional gateway, do remain exposed. Confirm with Palo Alto Networks support which tenant components are customer-managed and which are vendor-managed for your specific subscription.
Cloud NGFW and Panorama are unaffected. What does that mean for me?
If your perimeter consists exclusively of Cloud NGFW deployments in AWS, Azure or GCP, those instances are not vulnerable to CVE-2026-0300; the affected component is not present in those product editions. Panorama itself, used as a management plane only, is also not vulnerable. However, Panorama-managed PA-Series and VM-Series firewalls are affected, and if Panorama is configured to push template stacks that enable the User-ID Authentication Portal across managed firewalls, you may have inadvertently widened the exposure surface across the estate. Audit your Panorama templates for any portal-enabling configuration.
Our IT is outsourced to a managed service provider. Do we still need to act ourselves?
Yes. Even if your MSP is already patching, you remain the data controller under UK GDPR and the policyholder on any cyber-insurance contract. Ask your MSP, in writing, for: the list of PAN-OS devices in your estate; the firmware version on each before and after this week’s mitigation work; the date and time mitigations were applied; whether the User-ID Authentication Portal was internet-facing at any point in the last 30 days; and confirmation of the planned date for the 13 May patch. Keep that confirmation on file. If anything goes wrong later, that paperwork is the evidence your insurer, your customers and the ICO will expect to see.
We don’t use the User-ID Authentication Portal at all. Are we safe?
Almost certainly, but verify rather than assume. The portal feature can be enabled at the global PAN-OS configuration level even if no policy actually references it for authentication. Run, on each PAN-OS device, the CLI command show running authentication-portal and confirm the portal is administratively disabled. If the portal is enabled but unused, disable it now as a precaution, regardless of whether you intend to apply the 13 May patch.
Does Cyber Essentials v3.3 force me to patch within 14 days?
Yes, and CVE-2026-0300 is exactly the class of vulnerability v3.3 was written to address. Under the Danzell question set effective 27 April 2026, any internet-facing critical CVE (CVSS 7.0 or higher) left unpatched beyond 14 days is an automatic certification fail. Because the patch ships on 13 May, the 14-day window will close on or about 27 May 2026. Plan your patching to land well inside that window. If you cannot patch within 14 days for documented business reasons, the portal-disabled mitigation is an acceptable compensating control provided it is recorded against the relevant Danzell question.
We have a change-control freeze. What should we do?
Use the compensating-controls path. The portal-disabled mitigation can be applied as a low-risk emergency change in most change-management frameworks, because it removes a feature rather than adding one. Document the change as “temporary mitigation against actively-exploited CVE-2026-0300, to be reversed once vendor patch applied,” raise the exception with your insurer and your Cyber Essentials assessor, and time-box the risk acceptance to the next available change window after 13 May. Compensating controls are accepted by most policies; silence is not.
How do we know if we have already been compromised?
Short of a forensic engagement, you cannot be 100% certain — which is precisely why perimeter-device attacks are so valuable to attackers. The practical approach is: (1) review HTTPS portal-interface access logs for unusual user-agents, abnormally long URL paths or repeated unauthenticated POSTs; (2) review the firewall’s own data-plane logs for outbound TLS to IPs not seen in the last 90 days; (3) check for new local administrative accounts or unscheduled scripts on the device; and (4) if any indicator is found, engage a qualified incident-response provider for a targeted triage engagement before you reboot, patch or reimage the affected appliance.
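Step 4 of the plan and points (1) and (2) of this answer describe the same hunt: unusual user-agents, abnormally long URL paths, repeated requests from a single IP, oversized unauthenticated POSTs to the portal, and outbound TLS to destinations not seen in the last 90 days. The Python below is an added example, not part of the original article and not Palo Alto Networks' or Cloudswitched's own detection content, that runs those checks over constructed sample data. The access-log line shape (timestamp, source IP, authenticated user or "-", request line, status, request-body bytes, user-agent) is an assumption for the demo; adapt LINE_RE to whatever your SIEM stores for the portal interface. The thresholds are starting points to tune, not vendor guidance.

```python
"""Hunt portal access logs and outbound-session logs for the indicators in
step 4 of the 7-day plan and the 'have we been compromised' answer.

Added example, not Cloudswitched's or Palo Alto Networks' own detection content.
ASSUMPTIONS: the access-log line shape is constructed for the demo (timestamp,
source IP, authenticated user or '-', request line, status, request-body bytes,
user-agent); adapt LINE_RE to your SIEM's format. Thresholds are starting points.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<req_bytes>\d+) "(?P<ua>[^"]*)"$'
)

MAX_PATH_LEN = 512            # abnormally long URL paths
MAX_UNAUTH_POST_BYTES = 8192  # oversized bodies on unauthenticated POSTs
REPEAT_THRESHOLD = 20         # repeated requests from one source IP
BROWSER_MARKERS = ("Mozilla/", "AppleWebKit", "Chrome/", "Firefox/", "Safari/")


def constructed_sample_log() -> str:
    """Constructed sample: an internal user logging in normally, then an
    untrusted source hammering the portal with scripted clients."""
    ua_ok = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
    lines = [
        f'2026-05-05T03:10:01Z 10.20.0.15 jsmith "GET /portal/login HTTP/1.1" 200 0 "{ua_ok}"',
        f'2026-05-05T03:10:09Z 10.20.0.15 jsmith "POST /portal/login HTTP/1.1" 302 188 "{ua_ok}"',
        '2026-05-05T03:12:44Z 198.51.100.77 - "POST /portal/login HTTP/1.1" 500 61440 "python-requests/2.31"',
        '2026-05-05T03:12:45Z 198.51.100.77 - "POST /portal/login HTTP/1.1" 500 61440 "python-requests/2.31"',
        f'2026-05-05T03:13:02Z 198.51.100.77 - "GET /portal/login?next={"A" * 700} HTTP/1.1" 400 0 "python-requests/2.31"',
    ]
    lines += [  # a burst of 25 requests in under three minutes from the same source
        f'2026-05-05T03:2{i // 10}:{i % 10}0Z 198.51.100.77 - "GET /portal/login HTTP/1.1" 200 0 "curl/8.5.0"'
        for i in range(25)
    ]
    return "\n".join(lines)


def parse_access_log(text: str):
    """Parse lines into dicts. Unparseable lines are counted rather than
    silently dropped: a parser quietly losing lines is itself a finding."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        e = m.groupdict()
        e["req_bytes"] = int(e["req_bytes"])
        e["status"] = int(e["status"])
        events.append(e)
    return events, skipped


def looks_like_browser(ua: str) -> bool:
    return any(marker in ua for marker in BROWSER_MARKERS)


def find_indicators(events: list) -> list:
    """Per-event indicators are listed individually; per-source ones are
    aggregated so that a burst produces one finding, not hundreds."""
    findings = []
    for e in events:
        if len(e["path"]) > MAX_PATH_LEN:
            findings.append({"type": "long_path", "src": e["src"], "ts": e["ts"],
                             "detail": f"path length {len(e['path'])}"})
        if e["method"] == "POST" and e["user"] == "-" and e["req_bytes"] > MAX_UNAUTH_POST_BYTES:
            findings.append({"type": "unauth_oversized_post", "src": e["src"], "ts": e["ts"],
                             "detail": f"{e['req_bytes']} bytes to {e['path']}"})
    ua_pairs = Counter((e["src"], e["ua"]) for e in events if not looks_like_browser(e["ua"]))
    for (src, ua), n in sorted(ua_pairs.items()):
        findings.append({"type": "unusual_user_agent", "src": src, "ts": None, "detail": f"{ua} x{n}"})
    per_src = Counter(e["src"] for e in events)
    for src, n in sorted(per_src.items()):
        if n >= REPEAT_THRESHOLD:
            findings.append({"type": "repeated_source", "src": src, "ts": None,
                             "detail": f"{n} requests to the portal"})
    return findings


def new_outbound_destinations(baseline_dsts, recent_sessions) -> list:
    """Outbound TCP/443 destinations in the recent data-plane log that are
    absent from the 90-day baseline (step 4's second check)."""
    baseline = set(baseline_dsts)
    return sorted({dst for dst, port in recent_sessions if port == 443 and dst not in baseline})


# Constructed baseline and recent sessions for the outbound check.
BASELINE_90D = {"203.0.113.10", "203.0.113.11"}
RECENT_SESSIONS = [("203.0.113.10", 443), ("203.0.113.11", 443),
                   ("203.0.113.250", 443), ("203.0.113.250", 443), ("198.51.100.5", 53)]

if __name__ == "__main__":
    events, skipped = parse_access_log(constructed_sample_log())
    for f in find_indicators(events):
        print(f"{f['type']:22} {f['src']:16} {f['detail']}")
    print(f"skipped lines: {skipped}")
    print("new outbound TLS destinations:", new_outbound_destinations(BASELINE_90D, RECENT_SESSIONS))
```

Run against real logs, the findings are a triage list rather than a verdict: the article's advice to preserve raw logs off-box before any reboot applies before this script is run, and any hit is the point at which to engage an incident-response provider rather than to patch or reimage.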
What does a managed PAN-OS service actually cost for a UK SME?
For a 20–50 staff UK business with a single-site PAN-OS HA pair, GlobalProtect VPN and basic User-ID integration, a competent managed-perimeter service typically ranges from £1,100 to £2,800 per month, depending on log-retention requirements, MFA integration scope and whether a 24/7 incident-response retainer is included. That number is overwhelmingly cheaper than the median cost of a single PAN-OS edge breach (£72k – £160k for a business in the same band), and it converts your perimeter from a periodic liability into a continuously-managed asset. Cloudswitched provides a fixed-fee tier explicitly aligned to the 14-day Cyber Essentials v3.3 patching obligation.
Is there a public proof-of-concept exploit?
At the time of writing, no public proof-of-concept exploit has been released. Working exploits exist privately within the small set of actors already conducting limited exploitation. The historical pattern for unauthenticated perimeter RCEs of this severity is that public proof-of-concept code lands on commodity exploit-sharing forums within 7–14 days of vendor disclosure. Treat the next two weeks as the highest-risk window, regardless of patch availability.
What is the bigger lesson here for UK SMEs?
The bigger lesson is that the perimeter is not a project, it is a programme. Every internet-facing device in your estate — whether a Palo Alto Networks firewall, a Fortinet VPN concentrator, a Cisco unified-communications cluster, an Ivanti gateway or a Citrix NetScaler — is one vendor advisory away from an emergency patch cycle. The businesses that absorb these weeks well are not the ones with the most expensive firewalls; they are the ones with a documented asset register, a KEV-driven patching trigger, an MFA-enforced management plane, central log shipping and a tested restore. CVE-2026-0300 will not be the last edge-device zero-day of 2026. The structural response is what gets you ready for the next one.

Closing — the seven days that will define your perimeter

Between this article and the patch on 13 May 2026, every UK SME running PAN-OS at the edge has a single decision to take and follow through. Either you treat the User-ID Authentication Portal as a live exposure today, mitigate it before close of business, and operate to the 7-day plan above — or you carry the risk of an unauthenticated root-level compromise on the most-trusted box in your network until the patch lands. Cyber Essentials v3.3, the Cyber Resilience Pledge and the £90m SME fund all point in the same direction: the regulatory, insurance and customer-supply-chain expectations of UK SMEs in 2026 are not compatible with a passive approach to the perimeter.

If you would like a Cloudswitched engineer to walk through your specific PAN-OS estate against the 7-day plan — identifying every appliance, every internet-facing portal interface, every mitigation status, and producing a named-owner remediation pack you can hand to your insurer or your Cyber Essentials assessor — book the no-obligation call below. The week is short. The patch ships in seven days. The mitigation can ship today.

Move the perimeter from a liability to a managed asset

Cloudswitched runs a managed Cyber Essentials and Cyber Security service that treats the perimeter as a continuously-maintained programme: edge-device discovery, KEV-driven patching, management-plane isolation, MFA rollout, central log shipping with 13-month retention, nightly config backup, quarterly tested restore, and a 24/7 incident-response retainer. We will assess your environment, propose a fixed-fee programme, and show you the operational evidence you can hand to insurers, assessors and customers.

Talk to Cloudswitched about a managed perimeter