Executive Summary
CVE-2026-0300 is a critical, unauthenticated buffer overflow (CWE-787 out-of-bounds write) in the User-ID™ Authentication Portal (Captive Portal) service of Palo Alto Networks PAN-OS. By sending specially crafted network packets, an unauthenticated remote attacker can gain root-level code execution on affected PA-Series and VM-Series firewalls. Active exploitation in the wild has been confirmed as of early May 2026, and official patches are not universally available until May 13–28, 2026 — making immediate workarounds essential for any organization with the Captive Portal exposed to untrusted networks or the public internet.
1. What Is This Vulnerability?
Technical Breakdown
The User-ID™ Authentication Portal (commonly called the Captive Portal) is a PAN-OS service that intercepts HTTP/HTTPS traffic from unauthenticated users and redirects them to a login page before permitting network access. The vulnerability resides in how this portal's service process handles incoming network packets: a specific class of malformed request triggers an out-of-bounds write condition in a heap- or stack-allocated buffer, overwriting adjacent memory regions with attacker-controlled data.
Because the portal process runs with root privileges and the flaw is reachable without any prior authentication, a successful exploit yields a full root shell on the firewall appliance — bypassing all network security controls the device is meant to enforce.
The weakness is classified as CWE-787 (Out-of-Bounds Write). At its core, the service fails to validate the length of a user-supplied field in the authentication request before copying it into a fixed-size buffer, a classic stack-smashing or heap-overflow pattern.
Attack Vector
Attacker (unauthenticated, network)
│
│ Sends specially crafted HTTP/HTTPS packet
│ to User-ID Authentication Portal port
▼
PAN-OS Captive Portal Service (running as root)
│
│ Out-of-bounds write triggered in portal
│ service buffer
▼
Arbitrary code execution → Root shell on firewall
- Attacker locates an internet-facing PAN-OS Captive Portal (scanning for common portal redirect patterns or TCP ports used by PAN-OS management/data-plane services).
- Attacker sends a single specially crafted unauthenticated HTTP request containing an oversized field.
- The portal service writes beyond its allocated buffer, corrupting control-flow data (return address, vtable pointer, or function pointer).
- Attacker-controlled shellcode or ROP chain executes as root.
- From this foothold, the attacker can install persistent backdoors, pivot to internal network segments, exfiltrate firewall configs and credentials, or disable security policies entirely.
Real-World Impact
Palo Alto Networks confirmed limited active exploitation in the wild targeting portals exposed to untrusted IP addresses and the public internet as of May 2026. Because these are network-perimeter devices, a compromised firewall is effectively a master key to the entire network segment behind it — making this an extremely high-value target for nation-state actors and ransomware operators alike. Historical precedent (e.g., CVE-2024-3400, a previous PAN-OS zero-day) shows that sophisticated threat groups move quickly to weaponize PAN-OS vulnerabilities at scale.
2. Who Is Affected?
| Component | Affected? |
|---|---|
| PA-Series firewalls (hardware appliances) with Captive Portal enabled | YES |
| VM-Series firewalls (virtual appliances) with Captive Portal enabled | YES |
| Firewalls with User-ID Auth Portal disabled | No |
| Prisma Access | No |
| Cloud NGFW | No |
| Panorama (management plane) | No |
Vulnerable PAN-OS Versions (patch not yet released as of 2026-05-07)
- PAN-OS < 12.1.4-h5
- PAN-OS < 11.2.7-h13
- PAN-OS < 11.2.10-h6
- PAN-OS < 11.1.4-h33
- PAN-OS < 11.1.6-h32
- PAN-OS < 11.1.10-h25
- PAN-OS < 11.1.13-h5
- PAN-OS < 10.2.10-h36
- PAN-OS < 10.2.18-h6
Patches for these versions are scheduled for phased release between May 13 and May 28, 2026.
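As an added example (not part of the advisory or of any Palo Alto Networks tooling), the following Python snippet turns the version list above into a check that can be run over the `sw-version` line printed by `show system info`. It assumes the usual reading of such a table: each listed hotfix fixes its own maintenance release, later maintenance releases of that branch are also fixed, a maintenance release on a listed branch with no hotfix listed (11.1.5, for example) is still vulnerable, and branches the table does not mention are reported as unknown.

```python
import re
import sys

# Fixed builds from the advisory's version list, grouped by major.minor branch.
FIXED_VERSIONS = {
    (12, 1): ["12.1.4-h5"],
    (11, 2): ["11.2.7-h13", "11.2.10-h6"],
    (11, 1): ["11.1.4-h33", "11.1.6-h32", "11.1.10-h25", "11.1.13-h5"],
    (10, 2): ["10.2.10-h36", "10.2.18-h6"],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str):
    """Parse '11.1.6-h32' or 'sw-version: 11.1.6-h32' into (major, minor, maint, hotfix)."""
    text = text.split(":", 1)[1] if ":" in text else text
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)  # no -h suffix == h0


def classify(version_text: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' (branch absent from the advisory table)."""
    major, minor, maint, hotfix = parse_version(version_text)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return "unknown"
    fixed_builds = [parse_version(f)[2:] for f in fixed]  # [(maint, hotfix), ...]
    # Anything newer than the last fixed maintenance release of the branch is fixed ("or later").
    if maint > max(fm for fm, _ in fixed_builds):
        return "fixed"
    # Same maintenance release as a listed fix: need at least that hotfix level.
    for fixed_maint, fixed_hotfix in fixed_builds:
        if maint == fixed_maint:
            return "fixed" if hotfix >= fixed_hotfix else "vulnerable"
    # Maintenance release on a listed branch with no hotfix listed (e.g. 11.1.5).
    return "vulnerable"


if __name__ == "__main__":
    # Usage: python3 check_version.py "$(show system info | match sw-version)"
    print(classify(sys.argv[1]))
```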
CVSS Context
| Exposure Scenario | CVSS Score |
|---|---|
| Captive Portal exposed to internet / untrusted network | 9.3 (Critical) |
| Captive Portal restricted to trusted internal IPs only | 8.7 (High) |
Even "internal-only" exposure is High severity because attackers with any internal network foothold (phishing, supply chain, compromised endpoint) can still trigger the vulnerability.
3. How to Detect It (Testing)
Step 1 — Check Whether Captive Portal Is Enabled
Log in to the PAN-OS web UI or CLI and determine whether User-ID Authentication Portal is active:
```
# Via PAN-OS CLI (SSH to firewall)
show user interface all
show user captive-portal statistics
```
If output lists an active portal interface, the service is running. Alternatively, in the web UI navigate to:
Network → Network Profiles → Interface Mgmt and check which interfaces have the User-ID and Captive Portal checkboxes enabled.
Step 2 — Check Internet Exposure
Confirm whether the Captive Portal service is reachable from untrusted networks:
```
# From an external host or untrusted VLAN
curl -v --max-time 5 https://<firewall-external-IP>/php/uid.php
curl -v --max-time 5 http://<firewall-external-IP>/
# Or use nmap
nmap -p 80,443,6081 <firewall-external-IP> --open
```
If the portal redirect page loads from an untrusted IP, the device is externally exploitable.
Step 3 — Review Firewall Policy for Portal Zone Rules
In the web UI go to Policies → Security and look for rules that permit traffic from "Untrust" or "any" zones to the zone hosting the Captive Portal interface. Permissive policies here confirm exposure.
Automated Scanning
- Tool: Palo Alto Networks Threat Prevention (built-in, for PAN-OS 11.1+)
  - Signature released May 5, 2026; ensure the Content Update is current
  - Navigate to Objects → Security Profiles → Vulnerability Protection and confirm the CVE-2026-0300 signature is active
- Tool: Tenable Nessus / Tenable.io
  - Search the plugin library for "CVE-2026-0300" after a content update
  - Run a credentialed scan against the firewall's management IP
- Tool: Rapid7 InsightVM / Nexpose
  - Run against PAN-OS targets and look for the "Palo Alto Networks PAN-OS User-ID Authentication Portal Buffer Overflow" check
Code Review / Configuration Checklist
- Confirm User-ID Authentication Portal is disabled on all externally-facing interfaces
- Verify Captive Portal zone is restricted to trusted source IPs via Security Policy
- Check that PAN-OS Content Version is >= 8972 (includes Threat Prevention signature for CVE-2026-0300)
- Review all Interface Management Profiles — remove "User-ID" checkbox from untrusted interfaces
- Audit all management access rules in Device → Setup → Management
4. How to Fix It (Mitigation)
Immediate Workarounds (Pre-Patch)
Apply all three of the following workarounds now, before patches are available:
Workaround 1 — Disable Captive Portal If Not Required
If your environment does not rely on Captive Portal for user authentication, disable it entirely:
- Web UI: Navigate to Network → Network Profiles → Interface Mgmt
- For each Interface Management Profile, uncheck User-ID and Captive Portal
- Click OK → Commit
CLI equivalent:
```
configure
set network profiles interface-management-profile <profile-name> enable-userid no
commit
```
Workaround 2 — Restrict Portal Access to Trusted IPs Only
If Captive Portal is required, strictly limit access to known-good internal IP ranges:
- Web UI: Navigate to Policies → Security
- Find or create a rule governing traffic to the portal zone
- Set Source Address to your specific trusted internal IP ranges only (never "any")
- Explicitly deny all other source IPs in a rule beneath it
- Commit
Also restrict at the Interface Management Profile level:
- Navigate to Network → Network Profiles → Interface Mgmt → [profile]
- Under Permitted IPs, add your trusted internal ranges
- Remove any "0.0.0.0/0" or unrestricted entries
- Commit
Workaround 3 — Enable Threat Prevention Signature (PAN-OS 11.1+)
For firewalls running PAN-OS 11.1 or above:
- Update the Content Database to the latest version:
  - Device → Dynamic Updates → Applications and Threats → Check Now
  - Install the latest update (content version ≥ 8972)
- Ensure a Vulnerability Protection profile is applied to all Security Policy rules:
  - Objects → Security Profiles → Vulnerability Protection
  - Confirm the profile is set to block or reset-both for critical/high severity signatures
  - Attach the profile to all relevant security policies and commit
Applying the Official Patch (When Available, ~May 13–28, 2026)
- Check the current version:
  ```
  show system info | match sw-version
  ```
- Download the hotfix from support.paloaltonetworks.com for your branch:
  - 12.1 → upgrade to 12.1.4-h5 or later
  - 11.2 → upgrade to 11.2.7-h13 or 11.2.10-h6 or later
  - 11.1 → upgrade to 11.1.4-h33, 11.1.6-h32, 11.1.10-h25, or 11.1.13-h5 or later
  - 10.2 → upgrade to 10.2.10-h36 or 10.2.18-h6 or later
- Stage the image:
  - Web UI: Device → Software → Upload (or download directly)
- Install during a maintenance window:
  - Web UI: Device → Software → Install
  - CLI:
    ```
    request system software install version <version>
    ```
- Reboot if required (hotfixes typically require a reboot)
- Verify:
  ```
  show system info | match sw-version
  ```
Before/After Configuration Comparison
BEFORE (vulnerable — portal exposed to any source):
```
Security Policy Rule:
  Source Zone:        untrust
  Source Address:     any
  Destination Zone:   captive-portal-zone
  Action:             allow
```
AFTER (hardened — portal restricted):
```
Security Policy Rule:
  Source Zone:        trust
  Source Address:     10.10.0.0/16 (specific trusted range)
  Destination Zone:   captive-portal-zone
  Action:             allow

Security Policy Rule (below):
  Source Zone:        any
  Source Address:     any
  Destination Zone:   captive-portal-zone
  Action:             deny        ← explicit deny for all others
```
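The BEFORE and AFTER rulebases above, worked through as an added Python example (not PAN-OS code or output): a minimal first-match evaluator with PAN-OS's default intrazone-allow and interzone-deny behaviour, used to show that the BEFORE rule lets an arbitrary external address reach the portal zone while the AFTER rule pair admits only the 10.10.0.0/16 range. The rule names and the probe address are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class Rule:
    name: str
    src_zone: str   # zone name or "any"
    src_addr: str   # CIDR or "any"
    dst_zone: str   # zone name or "any"
    action: str     # "allow" or "deny"


# The page's BEFORE and AFTER rulebases; rule names are constructed for the example.
BEFORE = [Rule("portal-open", "untrust", "any", "captive-portal-zone", "allow")]
AFTER = [
    Rule("portal-trusted-only", "trust", "10.10.0.0/16", "captive-portal-zone", "allow"),
    Rule("portal-deny-rest", "any", "any", "captive-portal-zone", "deny"),
]


def matches(rule: Rule, src_zone: str, src_ip: str, dst_zone: str) -> bool:
    """Does this rule match a flow from src_zone/src_ip into dst_zone?"""
    if rule.src_zone not in ("any", src_zone) or rule.dst_zone not in ("any", dst_zone):
        return False
    if rule.src_addr == "any":
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src_addr)


def evaluate(rules: List[Rule], src_zone: str, src_ip: str, dst_zone: str) -> str:
    """First match wins; otherwise PAN-OS defaults apply: intrazone allow, interzone deny."""
    for rule in rules:
        if matches(rule, src_zone, src_ip, dst_zone):
            return rule.action
    return "allow" if src_zone == dst_zone else "deny"


def portal_exposed(rules: List[Rule], portal_zone: str = "captive-portal-zone") -> bool:
    """True if an address outside the trusted range reaches the portal from any listed zone."""
    probe_ip = "203.0.113.10"  # constructed external address (TEST-NET-3)
    return any(evaluate(rules, zone, probe_ip, portal_zone) == "allow"
               for zone in ("untrust", "trust", "dmz"))
```

Note that the explicit deny rule matters even with the interzone default: without it, any later, broader allow rule added to the rulebase would silently reopen the portal.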
5. How to Test the Fix (Validation)
Regression Test Scenarios
- Scenario A: Attempt to reach the Captive Portal from an untrusted external IP — expected result: connection refused or timed out
- Scenario B: Legitimate internal users with authorized IPs can still authenticate via Captive Portal — expected result: portal loads normally
- Scenario C: Firewall security policies still enforce intended allow/deny behavior for all other traffic — expected result: no unexpected policy changes
Security Test Case 1 — Verify Portal Is No Longer Externally Reachable
```
# From an external IP (untrusted network)
curl -v --connect-timeout 5 https://<firewall-public-ip>/php/uid.php
# Expected: Connection timed out or TCP RST — NOT a redirect or HTML page
```
Security Test Case 2 — Confirm Threat Prevention Signature Is Blocking (PAN-OS 11.1+)
Check Threat logs after sending a benign probe toward the portal zone:
- Monitor → Logs → Threat
- Filter:
  ```
  ( severity eq critical ) and ( threat-name contains '2026-0300' )
  ```
- Expected: A block or reset log entry confirming the signature fired
Security Test Case 3 — Verify Patch Version
```
# PAN-OS CLI
show system info | match sw-version
# Expected output: version matching or exceeding the fixed hotfix for your branch
```
Automated Validation Script
```bash
#!/bin/bash
# Quick external reachability check for CVE-2026-0300 Captive Portal exposure
set -u
if [[ $# -ne 1 ]]; then
    echo "Usage: $0 <firewall-public-ip>" >&2
    exit 2
fi
FIREWALL_IP="$1"
echo "[*] Testing Captive Portal exposure on $FIREWALL_IP..."
# -k: firewalls commonly present self-signed certificates; without it curl fails the
#     TLS handshake and reports 000, which would look like a PASS
# -L: follow the portal redirect so the final status code is what is reported
# 000 means curl received no HTTP response at all (timeout, RST, or connection refused)
RESPONSE=$(curl -s -k -o /dev/null -w "%{http_code}" \
    --connect-timeout 5 \
    --max-time 8 \
    -L "https://$FIREWALL_IP/php/uid.php" 2>/dev/null)
if [[ "$RESPONSE" == "200" || "$RESPONSE" == "302" || "$RESPONSE" == "301" ]]; then
    echo "[FAIL] Captive Portal is externally reachable (HTTP $RESPONSE). APPLY WORKAROUNDS IMMEDIATELY."
    exit 1
elif [[ "$RESPONSE" == "000" ]]; then
    echo "[PASS] No response — portal appears unreachable from this network."
else
    echo "[INFO] HTTP $RESPONSE — manual verification recommended."
fi
```
Usage: bash check_cve_2026_0300.sh <firewall-public-ip>
6. Prevention & Hardening
Best Practices
- Never expose management-plane services to the internet. Captive Portal, the web UI, and SSH management access should always be locked down to management-only IP ranges via Interface Management Profiles.
- Apply the principle of least-privilege to firewall zones. Any zone hosting a user-facing service should have explicit "deny-all-except" source IP controls — not open allow policies.
- Maintain current content/threat prevention databases. Enable automatic daily or twice-daily updates for Applications and Threats signatures on all PAN-OS devices.
- Subscribe to Palo Alto Networks Security Advisories. Subscribe at security.paloaltonetworks.com so your team receives advisories the moment they are published.
- Use a dedicated out-of-band management network. Firewall management traffic should traverse a physically or logically separate management network, not the data plane.
- Segment firewall management with MFA. Require phishing-resistant MFA (e.g., hardware tokens or FIDO2) for all firewall administrative logins.
- Conduct regular attack surface reviews. At minimum quarterly, enumerate all externally reachable services on perimeter devices using external vulnerability scanners.
Monitoring & Detection
Even before the official patch is released, the following detections should be in place:
- PAN-OS Threat Logs: Alert on any high/critical vulnerability signatures firing against the Captive Portal zone. Filter:
  ```
  ( threat-name contains 'buffer-overflow' ) or ( threat-name contains '2026-0300' )
  ```
- Syslog / SIEM: Forward PAN-OS threat and system logs to your SIEM. Create an alert for any THREAT log event from untrusted source zones toward the portal management interface.
- Network Anomaly Detection: Watch for unusual TCP connection patterns to ports 80/443 on the firewall's external interface, especially repeated connection attempts with large payloads that do not follow normal HTTP patterns.
- Honeypot Canaries: If you have decoy Captive Portal-like pages in a canary zone, alert on any unexpected authentication attempts from untrusted sources.
- EDR/NDR on Management Network: Deploy network detection for the management segment to catch any unexpected outbound connections from the firewall (a sign of post-exploitation callback).
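An added Python example (not part of the advisory) of the Threat-log and SIEM filters above applied to constructed log lines. The comma-separated field layout, zone names and signature names in SAMPLE_LOG are constructed for the example; real PAN-OS THREAT syslog records have a longer fixed field order that must be mapped onto these names first. It goes slightly beyond the filter as written by ranking a hit from a trusted zone as high rather than critical, mirroring the CVSS context in section 2.

```python
import csv
from io import StringIO
from typing import Dict, List

# Constructed field layout for this example. Real PAN-OS THREAT syslog records carry
# many more fields in a fixed order; map your export onto these names before filtering.
FIELDS = ["receive_time", "type", "src", "dst", "from_zone", "to_zone",
          "threat_name", "severity", "action"]

PORTAL_ZONE = "captive-portal-zone"
UNTRUSTED_ZONES = {"untrust", "guest"}           # assumption: zones you do not trust
NAME_MARKERS = ("2026-0300", "buffer-overflow")  # the advisory's threat-name filter terms

# Constructed sample log; signature names are illustrative, not real Palo Alto Networks signatures.
SAMPLE_LOG = """\
2026/05/07 10:01:02,THREAT,203.0.113.10,198.51.100.1,untrust,captive-portal-zone,Example Captive Portal Overflow (CVE-2026-0300),critical,reset-both
2026/05/07 10:01:05,THREAT,10.10.4.4,198.51.100.1,trust,captive-portal-zone,Example Captive Portal Overflow (CVE-2026-0300),critical,reset-both
2026/05/07 10:02:00,THREAT,203.0.113.11,198.51.100.1,untrust,captive-portal-zone,Example HTTP Unauthorized Error,informational,alert
2026/05/07 10:03:00,THREAT,203.0.113.12,198.51.100.2,untrust,dmz,Example Generic Buffer-Overflow Attempt,critical,drop
"""


def parse_threat_log(text: str) -> List[Dict[str, str]]:
    """Split CSV records into dicts keyed by FIELDS; short or blank rows are skipped."""
    return [dict(zip(FIELDS, row)) for row in csv.reader(StringIO(text))
            if len(row) >= len(FIELDS)]


def signature_hits(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Threat-log filter from the advisory: critical severity and a matching threat name."""
    return [e for e in events
            if e["severity"] == "critical"
            and any(m in e["threat_name"].lower() for m in NAME_MARKERS)]


def portal_alerts(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """SIEM rule: signature hits toward the portal zone, ranked by source-zone trust."""
    alerts = []
    for e in signature_hits(events):
        if e["to_zone"] != PORTAL_ZONE:
            continue
        priority = "critical" if e["from_zone"] in UNTRUSTED_ZONES else "high"
        alerts.append({**e, "priority": priority})
    return alerts


if __name__ == "__main__":
    for a in portal_alerts(parse_threat_log(SAMPLE_LOG)):
        print(f'{a["priority"]:8} {a["receive_time"]} {a["src"]} -> {a["to_zone"]} {a["threat_name"]}')
```

The fourth sample line (a critical buffer-overflow hit toward a different zone) is deliberately excluded from portal_alerts so that the rule stays scoped to the portal, while signature_hits still surfaces it for general review.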
References
- Official Palo Alto Advisory: CVE-2026-0300 — PAN-OS User-ID Authentication Portal Buffer Overflow
- Wiz Blog Technical Analysis: Critical Buffer Overflow Vulnerability in PAN-OS Exploited in-the-Wild
- Help Net Security: Root-level RCE vulnerability in Palo Alto firewalls exploited
- The Hacker News: Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution
- SecurityWeek: Palo Alto Networks to Patch Zero-Day Exploited to Hack Firewalls
- Technadu Patch Schedule: Palo Alto Networks to Patch Exploited PAN-OS Zero-Day (CVE-2026-0300) Starting May 13
- SOCRadar Analysis: CVE-2026-0300 Enables Root RCE in PAN-OS Captive Portal
- NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2026-0300
- Palo Alto Support Portal (patch downloads): https://support.paloaltonetworks.com