TP-EXP-2026-0019 CVE-2026-0300 critical Active Exploitation AI Draft

PAN-OS: Unauthenticated Buffer Overflow in User-ID Authentication Portal (CVE-2026-0300)

CVE-2026-0300 is a critical unauthenticated buffer overflow vulnerability in the User-ID™ Authentication Portal (Captive Portal) service of Palo Alto Networks PAN-OS. An unauthenticated remote attacker can send specially crafted packets to trigger an out-of-bounds write (CWE-787), achieving arbitrary code execution with root privileges on PA-Series and VM-Series firewalls. CISA added this to the Known Exploited Vulnerabilities catalog on May 6, 2026 with a mandatory remediation deadline of May 9, 2026.

Severity Assessment

  • Exploitability: 9/10
  • Impact: 9/10
  • Weaponization Risk: 9/10
  • Patch Urgency: 10/10
  • Detection Coverage: 5/10

Exploitability (9/10): No authentication, no user interaction, network-accessible attack vector with low complexity. Palo Alto Networks rates exploit maturity as “Attacked” and fully automatable (CVSS AU:Y). Active exploitation has been confirmed against internet-exposed Authentication Portals.

Impact (9/10): Successful exploitation yields root-level arbitrary code execution on the firewall OS. An attacker with root access can exfiltrate configuration and credentials, disable security policies, intercept traffic, and pivot into protected internal segments. The vulnerable component is a perimeter security appliance.

Weaponization Risk (9/10): The exploit is rated automatable (CVSS AU:Y), meaning adversaries can script reliable exploitation at scanning scale. Active exploitation was observed prior to public disclosure, confirming working exploit code exists in the wild. CVSS 4.0 base score is 9.3 CRITICAL.

Patch Urgency (10/10): CISA KEV mandatory remediation deadline is May 9, 2026 for federal agencies. Patches are not yet available for all affected version branches. Interim mitigations (restricting portal access, Threat Prevention signature) can reduce but not eliminate risk until patches are applied.

Detection Coverage (5/10): A Threat Prevention signature (Threat ID 510019, content 9097-10022) is available but requires PAN-OS 11.1 or later, leaving 10.2 series deployments without signature-based coverage. Limited external behavioral telemetry exists since the exploit targets the management-adjacent Captive Portal service.

Summary

CVE-2026-0300 affects the User-ID™ Authentication Portal — also called Captive Portal — in PAN-OS running on PA-Series hardware firewalls and VM-Series virtual firewalls. The vulnerable service handles network-accessible authentication redirects; when an interface management profile with Response Pages is attached to an external interface, the service is reachable from untrusted networks.

An out-of-bounds write (CWE-787) in the Captive Portal’s packet-handling code allows an unauthenticated remote attacker to corrupt memory and redirect code execution, gaining root-level control of the firewall without any credentials or user interaction. The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H reflects maximum external exposure. Palo Alto Networks confirmed limited active exploitation at time of disclosure.

Affected versions:

  • PAN-OS 10.2: < 10.2.7-h34, < 10.2.10-h36, < 10.2.13-h21, < 10.2.16-h7, < 10.2.18-h6
  • PAN-OS 11.1: < 11.1.4-h33, < 11.1.6-h32, < 11.1.7-h6, < 11.1.10-h25, < 11.1.13-h5, < 11.1.15
  • PAN-OS 11.2: < 11.2.4-h17, < 11.2.7-h13, < 11.2.10-h6, < 11.2.12
  • PAN-OS 12.1: < 12.1.4-h5, < 12.1.7

Not affected: Prisma Access, Cloud NGFW, Panorama appliances.
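To turn the version list above into a repeatable inventory check, here is an added Python checker (example code written for this page, not a Palo Alto Networks tool). It parses a PAN-OS version string with its optional -hN hotfix suffix and reports whether the version is below the fix listed for its maintenance release. Two interpretations of the advisory's "<" notation are assumptions made by this example: a maintenance release with no fix listed (for instance 10.2.9) is treated as affected until it is moved to the next listed fix on its branch, and a release newer than every listed fix on its branch is treated as carrying the fix. Branches that do not appear in the list at all (for instance 11.0) return None rather than a verdict.

```python
import re

# Fixed releases exactly as listed in the advisory; anything below the fix for
# its maintenance release (major.minor.maint) is affected.
FIXED_RELEASES = [
    "10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6",
    "11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15",
    "11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12",
    "12.1.4-h5", "12.1.7",
]

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Turn '10.2.10-h36' into (10, 2, 10, 36); a missing hotfix counts as h0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def format_version(v):
    major, minor, maint, hotfix = v
    return f"{major}.{minor}.{maint}" + (f"-h{hotfix}" if hotfix else "")


# Sorted so that the first "later" fix on a branch is the nearest one.
FIXED = sorted(parse_version(f) for f in FIXED_RELEASES)


def assess(version):
    """Return (affected, recommended_fix) for one PAN-OS version string.

    affected is None when the major.minor branch does not appear in the
    advisory list at all (the list makes no statement about it).
    """
    major, minor, maint, hotfix = parse_version(version)
    branch = [f for f in FIXED if f[:2] == (major, minor)]
    if not branch:
        return None, None
    # Same maintenance release listed: compare hotfix numbers directly.
    same = [f for f in branch if f[2] == maint]
    if same:
        fix = same[0]
        return hotfix < fix[3], format_version(fix)
    # Maintenance release not listed: affected if a later fixed release exists
    # on the branch (assumption: the advisory's "<" covers the unlisted
    # releases in between, e.g. 10.2.9 is fixed by moving to 10.2.10-h36).
    later = [f for f in branch if f[2] > maint]
    if later:
        return True, format_version(later[0])
    # Newer than every fixed release on the branch: assumed to include the fix.
    return False, None


if __name__ == "__main__":
    # Constructed inventory for demonstration, not real devices.
    inventory = {"fw-edge-01": "10.2.10-h35", "fw-edge-02": "11.1.15",
                 "fw-dc-01": "11.0.3", "fw-lab-01": "12.1.8"}
    labels = {True: "AFFECTED", False: "not affected", None: "branch not in advisory"}
    for host, ver in inventory.items():
        affected, fix = assess(ver)
        suffix = f" -> upgrade to {fix}" if affected else ""
        print(f"{host:12} {ver:14} {labels[affected]}{suffix}")
```

Feed it the output of `show system info` from each firewall (the sw-version field) and treat any None result as "check the advisory by hand", since the list only covers the 10.2, 11.1, 11.2 and 12.1 branches.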

Required exposure conditions (both must be true):

  1. User-ID™ Authentication Portal is enabled (Device > User Identification > Authentication Portal Settings).
  2. An interface management profile with Response Pages enabled is attached to an external or internet-accessible interface.

Exploit Chain

Stage 1: Reconnaissance — Captive Portal Discovery

An attacker scans for PAN-OS firewalls with internet-exposed User-ID Authentication Portals. Response pages and redirect behaviors consistent with PAN-OS Captive Portal are identifiable via HTTP fingerprinting, making vulnerable targets discoverable at scale. Palo Alto Networks rates the exploit as automatable (CVSS AU:Y).

Stage 2: Initial Access — Unauthenticated Packet Delivery

The attacker sends specially crafted network packets — requiring no credentials — to the Captive Portal service on the targeted firewall. The packets are designed to exceed a fixed buffer boundary within the portal’s packet-processing code path, triggering the CWE-787 out-of-bounds write condition.

[Attacker] → crafted packets → [PAN-OS Captive Portal service]
                                       |
                             Buffer boundary exceeded
                             (CWE-787: Out-of-bounds Write)
                                       |
                             Adjacent memory corrupted

Stage 3: Code Execution — Root-Level RCE

The out-of-bounds write corrupts adjacent memory structures within the Captive Portal service process. Controlled memory corruption allows the attacker to redirect execution flow to attacker-supplied code. Because the portal service runs with root privileges, exploitation directly yields full OS-level access on the firewall — no separate privilege escalation step is required.

Stage 4: Post-Exploitation — Firewall Compromise

With root access, an attacker can: exfiltrate firewall configuration, pre-shared keys, and credentials; modify or disable security policies; install persistent backdoors or implants in the firewall OS; intercept or manipulate traffic flows; and pivot laterally into protected network segments that the firewall was designed to defend.

Detection Guidance

Signal | Indicator | Confidence
Threat Prevention Threat ID 510019 | Block/alert on content version 9097-10022 (PAN-OS 11.1+ only) | HIGH
Malformed packets to Captive Portal ports | Oversized or structurally anomalous packet streams to Authentication Portal endpoints from untrusted IPs | HIGH
Portal service crashes or restarts | Unexpected core dumps or daemon restarts in the User-ID Authentication Portal process without administrative action | HIGH
Anomalous outbound connections from firewall | Novel outbound sessions from firewall management or data-plane processes to external infrastructure | MEDIUM
Unauthorized configuration changes | Unexpected modifications to security policies, NAT rules, administrator accounts, or interface management profiles | MEDIUM
Captive Portal response anomalies | Malformed HTTP responses from the portal service inconsistent with baseline behavior | LOW

Customers with active Threat Prevention subscriptions should immediately enable Threat ID 510019 (content version 9097-10022). Note: decoder support requires PAN-OS 11.1 or later. Customers on PAN-OS 10.2 should prioritize the access-restriction workaround until patches are available.

Indicators of Compromise

Palo Alto Networks has confirmed limited active exploitation; specific malware families, C2 infrastructure, and file hashes associated with observed attacks have not been publicly released at time of publication. The following behavioral indicators are consistent with exploitation activity:

  • Anomalous packet traffic to Captive Portal endpoints — crafted or oversized packets from untrusted external IPs targeting the Authentication Portal service.
  • Unexpected firewall process crashes — core dumps or service restarts in the User-ID Authentication Portal daemon without a scheduled maintenance cause.
  • Unauthorized outbound network connections from firewall OS — novel outbound sessions from management or data-plane processes to unrecognized external infrastructure.
  • Configuration drift — unexplained changes to security policies, NAT rules, administrator credentials, or interface management profiles post-incident.
  • Threat Prevention alerts on Threat ID 510019 — triggered on PAN-OS 11.1+ with content version 9097-10022, indicating active exploitation attempts.

Recommended Mitigations (in priority order):

  1. Apply patches immediately — First-wave hotfixes (ETA 2026-05-13): PAN-OS 11.2.7-h13, 11.2.10-h6, 11.1.4-h33, 11.1.6-h32, 11.1.10-h25, 11.1.13-h5, 10.2.10-h36, 10.2.18-h6, 12.1.4-h5. See the Palo Alto Networks advisory for the full schedule.
  2. Restrict Captive Portal access — Limit User-ID Authentication Portal to trusted internal IP ranges only. Disable Response Pages in Interface Management Profiles on all interfaces where untrusted traffic ingresses. Keep Response Pages enabled only on internal/trust-zone interfaces.
  3. Disable Authentication Portal if unused — If the User-ID Authentication Portal is not operationally required, disable it immediately.
  4. Enable Threat Prevention — Enable Threat ID 510019 (content 9097-10022) on PAN-OS 11.1+. Note: PAN-OS 10.2 does not support this decoder.
  5. Audit external interface exposure — Verify that no interface management profile with Response Pages enabled is associated with any external or internet-accessible interface.
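The two exposure conditions listed under "Required exposure conditions" and the audit in mitigation 5 can be checked offline against an exported running configuration. The following added Python script (example code written for this page, not a Palo Alto Networks tool) walks a PAN-OS configuration XML export and reports every Layer 3 Ethernet interface in an externally facing zone whose interface management profile has Response Pages enabled, together with whether the Authentication Portal is enabled. The sample configuration is constructed for the example; the XML paths it reads (interface-management-profile entries with a response-pages flag, the layer3/interface-management-profile reference on each Ethernet interface, zone membership under vsys, and the captive-portal/enable-captive-portal flag) reflect the PAN-OS configuration layout as this example assumes it, and which zones count as external is supplied by the caller.

```python
import xml.etree.ElementTree as ET

# Constructed sample running configuration (not from a real device). Element
# names are an assumption about the PAN-OS XML layout; verify against an export
# from your own firewall before relying on the script.
SAMPLE_CONFIG = """<config>
  <devices>
    <entry name="localhost.localdomain">
      <network>
        <profiles>
          <interface-management-profile>
            <entry name="mgmt-ext">
              <https>yes</https>
              <response-pages>yes</response-pages>
            </entry>
            <entry name="mgmt-int">
              <https>yes</https>
              <response-pages>yes</response-pages>
              <permitted-ip><entry name="10.0.0.0/8"/></permitted-ip>
            </entry>
            <entry name="ping-only">
              <ping>yes</ping>
              <response-pages>no</response-pages>
            </entry>
          </interface-management-profile>
        </profiles>
        <interface>
          <ethernet>
            <entry name="ethernet1/1"><layer3>
              <interface-management-profile>mgmt-ext</interface-management-profile>
            </layer3></entry>
            <entry name="ethernet1/2"><layer3>
              <interface-management-profile>mgmt-int</interface-management-profile>
            </layer3></entry>
            <entry name="ethernet1/3"><layer3>
              <interface-management-profile>ping-only</interface-management-profile>
            </layer3></entry>
          </ethernet>
        </interface>
      </network>
      <vsys>
        <entry name="vsys1">
          <captive-portal><enable-captive-portal>yes</enable-captive-portal></captive-portal>
          <zone>
            <entry name="untrust"><network><layer3>
              <member>ethernet1/1</member><member>ethernet1/3</member>
            </layer3></network></entry>
            <entry name="trust"><network><layer3>
              <member>ethernet1/2</member>
            </layer3></network></entry>
          </zone>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>"""


def _is_yes(node):
    return node is not None and (node.text or "").strip().lower() == "yes"


def response_page_profiles(dev):
    """Profile name -> permitted-ip list, for profiles that enable Response Pages."""
    out = {}
    for prof in dev.findall("./network/profiles/interface-management-profile/entry"):
        if _is_yes(prof.find("response-pages")):
            out[prof.get("name")] = [e.get("name") for e in prof.findall("./permitted-ip/entry")]
    return out


def interface_profiles(dev):
    """Layer 3 Ethernet interface -> attached interface management profile."""
    out = {}
    for iface in dev.findall("./network/interface/ethernet/entry"):
        prof = iface.find("./layer3/interface-management-profile")
        if prof is not None and prof.text:
            out[iface.get("name")] = prof.text.strip()
    return out


def interface_zones(dev):
    """Interface name -> zone name, from zone membership under each vsys."""
    out = {}
    for zone in dev.findall("./vsys/entry/zone/entry"):
        for member in zone.findall("./network/*/member"):
            out[(member.text or "").strip()] = zone.get("name")
    return out


def portal_enabled(dev):
    # Assumed element path for the Authentication Portal enable flag.
    return any(_is_yes(e) for e in dev.findall("./vsys/entry/captive-portal/enable-captive-portal"))


def audit(xml_text, external_zones):
    """Report interfaces in external zones whose profile serves Response Pages."""
    dev = ET.fromstring(xml_text).find("./devices/entry")
    profiles = response_page_profiles(dev)
    zones = interface_zones(dev)
    findings = []
    for iface, prof in sorted(interface_profiles(dev).items()):
        if prof in profiles and zones.get(iface) in external_zones:
            findings.append({"interface": iface, "zone": zones[iface],
                             "profile": prof, "permitted_ip": profiles[prof]})
    enabled = portal_enabled(dev)
    return {"portal_enabled": enabled, "findings": findings,
            "exposed": enabled and bool(findings)}


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG, {"untrust"})
    print("Authentication Portal enabled:", result["portal_enabled"])
    for f in result["findings"]:
        print(f"EXPOSED {f['interface']} zone={f['zone']} profile={f['profile']} "
              f"permitted-ip={f['permitted_ip'] or 'any'}")
```

An empty permitted-ip list on a flagged interface means the profile answers from any source address; as the advisory notes, even a populated list only reduces exposure, so a finding should be resolved by removing Response Pages from the profile on that interface rather than by narrowing the list.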

Disclosure Timeline

  • 2026-05-05 — Palo Alto Networks Public Disclosure: Palo Alto Networks PSIRT publicly discloses CVE-2026-0300 with a CVSS 9.3 CRITICAL rating. The advisory notes limited active exploitation targeting Authentication Portals exposed to untrusted networks. The vulnerability was discovered in production use, indicating adversary activity before public knowledge.

  • 2026-05-06 — CISA KEV Addition: CISA adds CVE-2026-0300 to the Known Exploited Vulnerabilities catalog, confirming active exploitation. Federal agencies are required to remediate by 2026-05-09 under Binding Operational Directive 22-01.

  • 2026-05-06 — Threat Prevention Signature Released: Palo Alto Networks updates the advisory with Threat Prevention Threat ID 510019 in Applications and Threats content version 9097-10022 for customers running PAN-OS 11.1 or later.

  • 2026-05-13 — First Wave Patches Available (ETA): Priority hotfix releases: PAN-OS 11.2.7-h13, 11.2.10-h6, 11.1.4-h33, 11.1.6-h32, 11.1.10-h25, 11.1.13-h5, 10.2.10-h36, 10.2.18-h6, 12.1.4-h5.

  • 2026-05-28 — Second Wave Patches Available (ETA): Remaining hotfix releases: PAN-OS 11.2.4-h17, 11.2.12, 11.1.7-h6, 11.1.15, 10.2.7-h34, 10.2.13-h21, 10.2.16-h7, 12.1.7.

Sources & References