PAN-OS Captive Portal Zero-Day (CVE-2026-0300) Exploited for Unauthenticated RCE
Buffer overflow in PAN-OS User-ID Authentication Portal enables unauthenticated remote code execution with root privileges on PA-Series and VM-Series firewalls; limited exploitation observed by state-sponsored actor CL-STA-1132.
Attack Brief
Target: Palo Alto Networks PAN-OS PA-Series and VM-Series firewalls
Vector: Unauthenticated buffer overflow in User-ID Authentication Portal (Captive Portal) service via specially crafted network packets
Attribution: CL-STA-1132 (state-sponsored threat activity)
Technical Details
CVE IDs: CVE-2026-0300
MITRE ATT&CK: T1090, T1572
IoCs: EarthWorm, ReverseSocks5
Affected: PA-Series and VM-Series firewalls running PAN-OS with User-ID Authentication Portal exposed; Prisma Access, Cloud NGFW, and Panorama appliances unaffected
Impact
Affected Organisations: Limited exploitation observed; specific victim organizations not named
Confirmed Damage: Unauthenticated remote code execution with root privileges; shellcode injection into nginx worker processes; Active Directory enumeration; log destruction and evidence removal
Mitigation
Patches: Palo Alto Networks security advisory for CVE-2026-0300
Workarounds: Restrict User-ID Authentication Portal access to trusted zones only; disable Response Pages in the Interface Management Profile on untrusted/internet-facing interfaces; disable the User-ID Authentication Portal if not required
Detection: Threat ID 510019 from Applications and Threats content version 9097-10022 blocks attacks (requires PAN-OS 11.1 or later); Palo Alto Networks Cortex Xpanse identifies exposed User-ID Authentication Portal instances
Context
Similar Attacks: EarthWorm previously used by CL-STA-0046, Volt Typhoon, UAT-8337, and APT41; ReverseSocks5 is an open-source tool used by both system administrators and threat actors for pivoting