CVE-2026-0300: Unauthenticated RCE via PAN-OS Buffer Overflow
Active exploitation confirmed in the wild. CISA added this to the KEV catalog on 2026-05-06. Federal agencies must patch by 2026-05-09.
| Field | Value |
|---|---|
| CVE ID | CVE-2026-0300 |
| CVSS (NVD v3.x) | 9.8 (Critical) |
| Attack vector | Network/remote |
| Auth required | None (unauthenticated) |
| Patch status | Vendor indicates patches are available; verify in vendor advisory |
TL;DR - Critical PAN-OS bug in User-ID Authentication Portal enables unauthenticated root RCE on PA/VM firewalls. - It’s in CISA KEV; restrict/disable the portal immediately and deploy Palo Alto’s designated fixes. - Treat as emergency internet-exposed service hardening + rapid upgrade with compensating controls until patched.
Vulnerability at a Glance
CVE-2026-0300 is described by NVD as a buffer overflow in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS. An attacker can send specially crafted packets to trigger memory corruption leading to arbitrary code execution as root on affected firewalls. CISA’s KEV entry names it an out-of-bounds write, which is consistent with the same class of memory corruption outcomes.
Operationally, this matters because the affected component runs on the firewall itself, and successful exploitation yields root on a security control plane device. That creates a high-likelihood path to complete network compromise: attackers can alter policies, deploy traffic interception, disable logging, establish persistence, and pivot into protected segments—all from the perimeter.
Technical Notes
Vulnerability class: buffer overflow / out-of-bounds write
Affected service: User-ID Authentication Portal (Captive Portal)
Access: unauthenticated, remote/network
Impact: arbitrary code execution as root
What Is This Vulnerability?
The vulnerable functionality is the User-ID Authentication Portal, commonly associated with captive portal workflows where users authenticate to map IPs to identities for policy enforcement. According to NVD’s description, the weakness is exploitable by sending specially crafted packets to the portal service, causing a buffer overflow and enabling the attacker to execute code.
A critical point for defenders: this is not “just” a management UI issue; it is tied to a portal service that may be reachable depending on how you publish it (interfaces, zones, security rules, NAT, or even accidental exposure). Palo Alto explicitly notes that risk is greatly reduced by restricting access to the portal to trusted internal IPs—implying that many high-risk deployments are those where the portal is reachable from untrusted networks.
Technical Notes
The vendor best-practice guidance referenced in NVD is: - Restrict access to the User-ID Authentication Portal to only trusted internal IP addresses (per Palo Alto Networks knowledge base guidance linked from the NVD description).
Because the provided source snippet does not include packet format, vulnerable endpoint paths, or a CVSS vector string, defenders should assume: - Network-based exploitation is plausible with no prior authentication. - Internet exposure is high risk even if you believe the portal is “internal.”
Who Is Affected?
Per NVD’s description, PA-Series and VM-Series firewalls running PAN-OS are impacted when the User-ID Authentication Portal service is exposed in a way an attacker can reach it. This includes many real-world architectures where the firewall has interfaces in multiple zones and the portal might be enabled for internal or guest workflows.
Explicitly not impacted (per NVD description): - Prisma Access - Cloud NGFW - Panorama appliances
Affected versions and fixed versions (important limitation)
The authoritative vendor advisory is: Palo Alto Networks Security Advisory
However, the research inputs available for this article did not include the remediation matrix from the vendor page (the captured HTML snippet was truncated). As a result:
- Affected version ranges: Unknown from the provided source snippet
- Fixed version number(s): Unknown from the provided source snippet
In the absence of the exact ranges, defenders should assume the following until they verify directly in the vendor advisory: 1. Any PAN-OS version running on PA-Series/VM-Series with the User-ID Authentication Portal enabled could be at risk. 2. Exposure and reachability (security rules, zones, NAT, interface bindings) are key risk multipliers. 3. If you cannot immediately confirm “fixed in X.Y.Z,” treat the device as vulnerable and apply compensating controls.
Technical Notes
Minimum verification steps to prioritize exposure: - Inventory PA-Series and VM-Series running PAN-OS. - Determine whether User-ID Authentication Portal (Captive Portal) is enabled and reachable from untrusted zones. - Validate against Palo Alto’s advisory remediation table for exact “affected” and “fixed” releases.
CVSS Score Breakdown (What 9.8 Means in Practice)
NVD lists a CVSS base score of 9.8 (Critical) for CVE-2026-0300, which typically corresponds to remote exploitation, low complexity, no privileges required, and high impact on confidentiality/integrity/availability. The exact CVSS vector string was not provided in the available NVD output for this write-up, so we cannot cite the individual metric values.
Even without the full vector, the combination of unauthenticated + network reachable + root code execution is sufficient to treat this as an emergency. For perimeter devices, “root RCE” is the top tier: it’s not only the device that’s at stake, but also trust placed in it (policy enforcement, VPN termination, routing, logging).
From a response planning standpoint, CVSS 9.8 should trigger: - Immediate exposure reduction (disable/restrict service) - Emergency change window for patching - Post-mitigation threat hunting and integrity checks, because exploitation in the wild is confirmed.
Technical Notes
Because exploitation is confirmed in the wild (CISA KEV), assume: - Opportunistic scanning and exploitation attempts may already be targeting your public IP space. - “Not internet-exposed” is not enough if you have partner networks, guest networks, or routing paths where the portal is reachable.
Exploitation Status (In the Wild? PoC?)
Exploitation in the wild: Yes. CVE-2026-0300 is listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, which is a strong signal of confirmed real-world exploitation. CISA KEV entry dateAdded is 2026-05-06 with a dueDate of 2026-05-09, indicating urgency for federal agencies and a good benchmark for enterprise response timelines.
Public PoC: Unknown / not evidenced in provided sources. The references available in the provided research note do not include a public proof-of-concept link, and no GitHub references were captured. That doesn’t mean a PoC does not exist; it only means we cannot responsibly claim one is public based on the provided evidence. Defenders should assume exploit code is circulating privately given KEV inclusion, and should prioritize mitigation accordingly.
Ransomware use: Unknown. CISA KEV lists knownRansomwareCampaignUse as Unknown, so do not assume ransomware linkage—but do assume the access gained is sufficient to enable ransomware operators.
Technical Notes
Operational guidance when KEV-listed but PoC visibility is unclear: - Treat as “weaponized” for prioritization. - Monitor for scanning/exploitation attempts at the edge even if you cannot identify an exact exploit signature.
How to Detect It
Detection for memory corruption exploitation on an appliance is often indirect: you may not see clean “attack strings,” but you can detect exposure, probing, service-specific access, and post-exploitation behaviors (unexpected processes, config changes, reboots, or outbound connections). With the limited public detail in the provided sources (no packet format, no URI path, no known IOC set), detection should focus on:
- Network traffic to the User-ID Authentication Portal service from untrusted IPs or unexpected zones.
- Anomalous portal authentication requests at unusual times or volumes.
- Device instability correlated with bursts of inbound traffic (crash/restart patterns consistent with attempted exploitation).
You should also treat any firewall where the portal was internet-reachable during the exploitation window as potentially compromised, especially if you see unexplained configuration changes, new admins, policy changes, or unusual outbound connections.
Technical Notes (detection queries / patterns)
Because the exact exploit payload signature is not available in the provided sources, use concrete, environment-driven detection:
1) Identify exposure and hits to captive portal (PAN-OS Traffic logs)
Query for inbound sessions to the portal destination port(s) from untrusted zones. The exact port can vary by deployment (often web-based). Start with common web ports used on the interface hosting the portal.
Example approach (adapt to your SIEM fields):
-- Pseudocode / SIEM-style query
SELECT *
FROM pan_traffic
WHERE (app IN ('ssl','web-browsing','incomplete') OR dport IN (80,443,8080,8443))
AND (dst_zone IN ('untrust','internet') OR src_zone IN ('untrust','internet'))
AND action = 'allow'
AND dst_ip IN (<firewall_interface_ips_or_portal_vip>)
ORDER BY time DESC;
2) Look for scanning patterns (high-rate, many sources, short sessions)
SELECT dst_ip, dport, COUNT(*) AS hits, COUNT(DISTINCT src_ip) AS uniq_sources
FROM pan_traffic
WHERE dst_ip IN (<portal_ips>)
AND dport IN (80,443,8080,8443)
AND action = 'allow'
AND time > now() - interval '7 days'
GROUP BY dst_ip, dport
HAVING COUNT(DISTINCT src_ip) > 50 OR COUNT(*) > 1000
ORDER BY hits DESC;
3) Concrete log pattern to watch (system instability)
If exploitation attempts trigger crashes, you may see unexpected restarts or daemon crashes. Without vendor-specific strings in the provided sources, use generic patterns in system logs:
Pattern ideas to alert on (case-insensitive):
- "panic"
- "segfault"
- "core dumped"
- "process crashed"
- "unexpected reboot"
If you have centralized logging from PAN-OS system logs, build alerts on spikes of those keywords correlated with inbound portal traffic.
Mitigation and Patching
CISA’s KEV guidance and the NVD description emphasize two immediate risk-reduction steps:
-
Restrict access to the User-ID Authentication Portal to only trusted internal IP addresses / trusted zones.
This is the fastest control to reduce exploitability, particularly if your portal is reachable from the internet or broadly from internal networks. Implement explicit security policies limiting source IP ranges and zones, and remove any NAT/port-forward rules that publish the service to untrusted networks. -
Disable the User-ID Authentication Portal if not required.
If you are not actively using Captive Portal/User-ID authentication workflows, disable the feature to remove the attack surface. This is often the best mitigation during patch rollout in environments where the business function is not required.
Separately, patching is required. CISA notes (as of 2026-05-13) that “Palo Alto has released a variety of patches” and instructs organizations to apply the designated patch relevant to their environment. Because the fixed version numbers and affected version ranges are not available in the provided snippet, you must consult the vendor advisory remediation table and match it to your PAN-OS train and platform.
Technical Notes (specific upgrade/workaround steps)
Workaround 1: Restrict portal access to trusted zones/IPs (immediate)
Implement a least-privilege security policy:
- Source zone: internal/trusted only
- Source IPs: explicit allowlist
- Destination: firewall interface IP / portal VIP
- Application/service: the portal’s web service ports
- Deny everything else
Example policy intent (conceptual—implement in your environment tooling):
ALLOW: src_zone=trust src_ip=10.0.0.0/8,192.168.0.0/16 -> dst=<portal_ip> service=tcp/443
DENY: any -> dst=<portal_ip> service=tcp/443 (and any other portal ports)
Workaround 2: Disable User-ID Authentication Portal if not needed (immediate)
Exact UI/CLI steps vary by PAN-OS version and deployment; the provided sources do not include a command sequence. In the absence of exact commands, defenders should:
- Locate “User-ID” / “Captive Portal” configuration in PAN-OS and disable the Authentication Portal service
- Commit changes
- Validate that inbound sessions to the portal ports are no longer accepted
If you require captive portal for business, prioritize restriction to trusted zones as above and shorten patch timelines.
Patching: upgrade to Palo Alto’s fixed release (required)
A “specific upgrade command” is environment/tooling dependent:
- If you use the PAN-OS web UI: Device → Software and install the fixed PAN-OS version referenced in the vendor advisory.
- If you use automation (e.g., Ansible/Terraform/PAN-OS APIs): update to the fixed PAN-OS image/version per your standard upgrade pipeline.
Because the fixed version number is not present in the provided research snippet, do not guess. Instead: 1. Open Palo Alto Networks Security Advisory 2. Identify your current PAN-OS version and the “Fixed in” version for your train 3. Execute your standard upgrade procedure to that exact fixed version (or later)
Post-patch, keep the access restriction in place unless there is a strong business need to broaden access.
Practitioner Checklist (What to Do Next)
First, treat this as an incident-prevention + exposure-reduction action even before patching completes. Because exploitation is confirmed, assume attackers are scanning broadly and that “time-to-mitigate” matters as much as “time-to-patch.”
Second, validate whether your environment is actually reachable: it’s common to assume captive portal is internal-only, but NAT rules, guest networks, or mis-scoped security policies can unintentionally expose it. Confirm reachability from untrusted networks and from partner segments.
| Priority | Action | Outcome |
|---|---|---|
| P0 | Restrict User-ID Authentication Portal access to trusted zones/IPs | Immediate reduction of exploitability |
| P0 | Disable the portal if not required | Removes attack surface |
| P1 | Patch to vendor-designated fixed PAN-OS release | Eliminates the vulnerable code path |
| P1 | Hunt for anomalies (portal hits, crash patterns, config changes) | Detect possible compromise |
| P2 | Maintain least-privilege exposure for the portal long-term | Prevents recurrence |
References
- Palo Alto Networks Product Security Advisory: CVE-2026-0300
- CISA Known Exploited Vulnerabilities (KEV) entry: CISA KEV Catalog
- Siemens ProductCERT advisory: Siemens ProductCERT
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.