CVE-2026-0300 Enables Root RCE in PAN-OS Captive Portal
Palo Alto Networks disclosed CVE-2026-0300, a critical pre-authentication buffer overflow in the User-ID™ Authentication Portal (Captive Portal) service in PAN-OS. Under the right exposure conditions, an unauthenticated attacker can trigger remote code execution (RCE) as root on affected PA-Series and VM-Series firewalls.
The vendor rates exploit maturity as “ATTACKED” and reports limited exploitation has been observed, focused on portals exposed to untrusted networks or the public internet.
This post explains what the flaw is, who is exposed, what we know about exploitation, and what defenders should do immediately.
What Is CVE-2026-0300?
CVE-2026-0300 (CVSS 9.3) is a buffer overflow vulnerability (mapped to CWE-787: Out-of-bounds Write) in PAN-OS’s User-ID™ Authentication Portal, also referred to as the Captive Portal service.
The access model matters: this is pre-auth and network-reachable. An attacker does not need credentials to reach the vulnerable code path if the portal is accessible, and successful exploitation can result in arbitrary code execution with root privileges.
Palo Alto Networks describes exploitation as sending specially crafted packets to the service to trigger the overflow and execute code as root.
Which Palo Alto Networks Products Are Affected?
The issue affects Palo Alto Networks PAN-OS running on:
- PA-Series firewalls
- VM-Series firewalls
Palo Alto Networks also explicitly states that the following are not impacted:
- Prisma Access
- Cloud NGFW
- Panorama appliances
If your organization primarily uses Prisma Access or Cloud NGFW, this specific CVE is not expected to apply. For many enterprises, the higher-risk scenario is a PA or VM firewall with Captive Portal enabled and reachable from untrusted networks.
Which PAN-OS Versions Are Affected?
Palo Alto Networks’ advisory lists affected versions by branch and fixed trains. In practical terms, treat systems as potentially vulnerable if they are on the following PAN-OS branches and below the fixed versions listed for that train:
- PAN-OS 12.1: versions < 12.1.4-h5 and < 12.1.7
- PAN-OS 11.2: versions < 11.2.4-h17, < 11.2.7-h13, < 11.2.10-h6, < 11.2.12
- PAN-OS 11.1: versions < 11.1.4-h33, < 11.1.6-h32, < 11.1.7-h6, < 11.1.10-h25, < 11.1.13-h5, < 11.1.15
- PAN-OS 10.2: versions < 10.2.7-h34, < 10.2.10-h36, < 10.2.13-h21, < 10.2.16-h7, < 10.2.18-h6
If you run multiple device populations across trains, confirm the exact fixed version that applies to each train, not just the major branch.
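The hotfix suffixes make this table easy to misread: 11.2.8 sorts after 11.2.7-h13 but is still vulnerable, because the fix for its own maintenance line only arrives in 11.2.10-h6. The following Python is an added example (not from the advisory or from Palo Alto Networks) that encodes the table above with those semantics and folds in the two exposure conditions the post describes (portal enabled, reachable from untrusted networks); the severity labels in `triage` are my own convention.

```python
import re

# Fixed releases per PAN-OS train, transcribed from the advisory table in this post.
FIXED = {
    (12, 1): ["12.1.4-h5", "12.1.7"],
    (11, 2): ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
    (11, 1): ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6",
              "11.1.10-h25", "11.1.13-h5", "11.1.15"],
    (10, 2): ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6"],
}

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse(version):
    """Split 'major.minor.maint[-hN]' into a tuple; a missing hotfix counts as 0."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def status(version):
    """Return 'fixed', 'vulnerable' or 'unknown' for a running PAN-OS version.

    A release is fixed only if it reaches the hotfix threshold listed for its
    own maintenance number, or if it is at/after the plain release that closes
    the train (e.g. 11.2.12). Anything else in a listed train is vulnerable.
    """
    major, minor, maint, hotfix = parse(version)
    train = FIXED.get((major, minor))
    if train is None:
        return "unknown"  # train not covered by the advisory text in this post
    fixed = [parse(f) for f in train]
    plain = [f for f in fixed if f[3] == 0]
    if plain and maint >= plain[0][2]:
        return "fixed"
    same_maint = [f for f in fixed if f[2] == maint]
    if same_maint:
        return "fixed" if hotfix >= same_maint[0][3] else "vulnerable"
    if maint > max(f[2] for f in fixed):
        return "unknown"  # newer than anything listed; confirm against the advisory
    return "vulnerable"  # maintenance release with no fixed hotfix of its own


def triage(version, portal_enabled, untrusted_reachable):
    """Combine version status with the exposure conditions the advisory highlights.
    'unknown' is treated as unpatched until confirmed."""
    if status(version) == "fixed":
        return "patched"
    if not portal_enabled:
        return "low"
    return "critical" if untrusted_reachable else "high"
```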
What Conditions Make This Vulnerability Exploitable?
Exploitation of CVE-2026-0300 depends on whether the Authentication Portal is enabled and reachable.
What configuration should you check first?
Palo Alto Networks specifically calls out this control path to validate exposure:
- Device > User Identification > Authentication Portal Settings > Enable Authentication Portal
If that setting is enabled, then exposure becomes a network question: can untrusted users reach the portal service?
What is the highest-risk exposure pattern?
The risk is highest when the Authentication Portal is reachable from:
- The public internet
- Untrusted networks
- Broad IP ranges that include contractor, guest, or unknown endpoints
The vendor states that risk is reduced when access is restricted to trusted internal IPs, which is consistent with its recommended configuration.
Is CVE-2026-0300 Under Active Exploitation?
In the official advisory, the vendor has stated that limited exploitation has been observed. The targeting described is focused on exposed Authentication Portals that are reachable from untrusted IP space and/or the public internet.
At the time of writing, the advisory does not include public indicators of compromise (IOCs), exploit samples, or a detailed exploit chain beyond the high-level description.
How SOCRadar Helps Security Teams Respond
CVE-2026-0300 already has the kind of profile defenders watch closely: pre-auth access, firewall exposure, root-level RCE, and observed exploitation. SOCRadar’s Cyber Threat Intelligence module helps security teams track exploit maturity, proof-of-concept activity, attacker discussions, related IOCs, and emerging exploitation trends tied to critical CVEs.
Alongside this, the Attack Surface Management (ASM) module helps identify internet-facing assets, exposed services, and misconfigurations that could leave PAN-OS Captive Portal reachable from untrusted networks. Together, these modules help organizations prioritize the systems most likely to be targeted.
What Should Defenders Do Right Now?
This is a firewall RCE scenario. Prioritize steps that reduce exposure immediately, then move to detection and patching.
1) Identify internet and untrusted exposure of the Captive Portal
Start with a scoping question: do any PA/VM firewalls have the Authentication Portal enabled and reachable from untrusted networks?
- Validate portal enablement in configuration.
- Validate reachability from outside the trusted network boundary (including NAT and published services).
2) Restrict or disable the Authentication Portal
Palo Alto Networks recommends:
- Restrict User-ID™ Authentication Portal access to trusted zones/internal IPs, or
- Disable the Authentication Portal if it is not required
If you do not have a business requirement for Captive Portal, disabling it is the fastest way to reduce risk.
3) Apply Threat Prevention protections where available
On May 5, 2026, the vendor made a Threat Prevention signature available to customers running PAN-OS 11.1 and above. If you are on 11.1 or later, verify content updates and ensure Threat Prevention is enabled and up to date in the relevant security profiles and policy paths.
4) Plan upgrades to fixed releases as soon as they are available
The advisory includes ETAs for fixed releases (with dates depending on branch/train). Treat these as patch targets and prepare change windows now, especially for devices where Captive Portal is required for business operations.
5) Treat unexpected behavior on exposed portals as high signal
Because this is root-level RCE on a firewall, any signs of instability or unusual traffic to the Captive Portal should trigger escalation. Even without vendor-published IOCs, you can still prioritize:
- Reviewing recent configuration changes
- Looking for unusual administrative activity patterns
- Watching for unexpected outbound connections from devices that normally should not initiate them
