Critical PAN-OS Captive Portal Flaw Let Attackers Gain Root on Firewalls
Palo Alto Networks disclosed CVE-2026-0300, a critical out-of-bounds write (CWE-787) in the PAN-OS User-ID Authentication Portal, also known as the Captive Portal, that allows an unauthenticated attacker to achieve remote code execution as root on affected PA-Series and VM-Series firewalls. The flaw was reported as actively exploited in the wild and added to CISA's Known Exploited Vulnerabilities catalog, with exploitation observed against portals reachable from untrusted networks or the public internet. Palo Alto said Prisma Access, Cloud NGFW, and Panorama are not affected, while the vulnerable PAN-OS branches were 10.2, 11.1, 11.2, and 12.1 on releases below the fixed versions.
Reporting on observed intrusions said attackers used the firewall access for shellcode injection into nginx worker processes, credential extraction, Active Directory enumeration, outbound tunneling with tools such as EarthWorm and ReverseSocks5, internal pivoting, and anti-forensic log cleanup. Palo Alto began releasing patches in staged waves and urged defenders to disable the Captive Portal if unused or restrict it to trusted IPs and zones, and to enable the available threat-prevention signatures. It also advised treating any previously exposed device as potentially fully compromised: audit its configuration, check admin accounts and SSH keys, rotate credentials, and monitor for persistence or suspicious outbound connections.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Initial PAN-OS fixes begin rolling out
Palo Alto Networks began releasing patches for CVE-2026-0300 in staged waves starting on May 13, 2026, for affected PAN-OS branches. The company continued to recommend restricting Authentication Portal access to trusted zones or disabling the feature until systems were fully remediated.
Palo Alto publishes staged patch schedule for affected PAN-OS branches
At disclosure, Palo Alto said fixes were not yet available but published estimated release dates for patched PAN-OS versions. Reporting said the first wave of patches would begin on May 13, 2026, followed by a second wave on May 28, 2026.
CISA adds CVE-2026-0300 to the KEV catalog
On May 6, 2026, CISA added CVE-2026-0300 to its Known Exploited Vulnerabilities catalog due to active exploitation. The listing set a remediation deadline of May 9, 2026, for affected federal agencies.
Palo Alto discloses CVE-2026-0300 and confirms active exploitation
On May 6, 2026, Palo Alto Networks disclosed CVE-2026-0300 as a critical unauthenticated out-of-bounds write / buffer overflow in the PAN-OS User-ID Authentication Portal that can lead to root-level remote code execution on affected PA-Series and VM-Series firewalls. The vendor said the flaw was being actively exploited in the wild and advised restricting or disabling the Captive Portal where possible.
Attackers achieve successful RCE and post-exploitation activity
By April 16, 2026, attackers had achieved remote code execution as root via CVE-2026-0300. Reported follow-on activity included shellcode injection into nginx worker processes, credential extraction, Active Directory enumeration, anti-forensic log cleanup, and outbound tunneling with tools such as EarthWorm and ReverseSocks5.
Exploitation of PAN-OS Captive Portal flaw begins
Palo Alto Networks and Unit 42 observed limited in-the-wild exploitation of CVE-2026-0300 starting on April 9, 2026, targeting PAN-OS User-ID Authentication Portals exposed to untrusted networks or the public internet.
Sources
7 references tracked.
CVE-2026-0300 PAN-OS: from buffer overflow to root RCE (codeby.net)
CVE-2026-0300 PAN-OS: buffer overflow to root, an analysis (codeby.net)
CVE-2026-0300 PAN-OS: buffer overflow to root shell (codeby.net)
May 7 Advisory: Palo Alto PAN-OS User-ID Authentication Portal Buffer Overflow [CVE-2026-0300] - Censys (censys.com)
Palo Alto Networks Patches Exploited PAN-OS Zero-Day - TechNadu (technadu.com)
CVE-2026-0300 | Tenable® (tenable.com)
Critical Vulnerability in PaloAlto PAN-OS Authentication Portal (CVE-2026-0300) (labs.beazley.security)