Active Exploitation of PAN-OS Captive Portal Flaw Gives Attackers Root on Firewalls
Palo Alto Networks disclosed CVE-2026-0300, a critical buffer overflow in the PAN-OS User-ID Authentication Portal (also called the Captive Portal) that is being exploited in the wild to achieve unauthenticated remote code execution with root privileges. The flaw is an out-of-bounds write triggered by specially crafted packets and affects exposed PA-Series and VM-Series firewalls running multiple PAN-OS 10.2, 11.1, 11.2, and 12.1 versions. Palo Alto assigned the issue a CVSS score of 9.3 when the portal is reachable from the public internet or other untrusted networks, and 8.7 when access is limited to trusted internal IP addresses.
The company said observed attacks have focused on Authentication Portal instances exposed to untrusted IP addresses, while Prisma Access, Cloud NGFW, and Panorama are not affected. At disclosure, fixes were not yet broadly available, with patch releases scheduled to begin in mid-May and continue through late May 2026. Palo Alto urged customers to immediately restrict portal access to trusted zones or internal IPs, or disable the Authentication Portal if it is not required, and said a Threat Prevention Signature for PAN-OS 11.1 and later was released as an added mitigation layer.
How this story unfolded
Six events, listed from the most recent confirmed update back to the earliest known activity.
CISA sets May 9 remediation deadline for CVE-2026-0300
After adding CVE-2026-0300 to the KEV catalog, CISA required Federal Civilian Executive Branch agencies to remediate the actively exploited Palo Alto PAN-OS flaw by May 9, 2026, under Binding Operational Directive 22-01. The agency urged immediate mitigations because vendor patches were still pending.
CISA adds CVE-2026-0300 to Known Exploited Vulnerabilities catalog
CISA added Palo Alto Networks PAN-OS CVE-2026-0300 to its Known Exploited Vulnerabilities Catalog, formally recognizing the flaw as exploited in the wild. The agency directed organizations to apply vendor mitigations, follow BOD 22-01 guidance for cloud services, or discontinue use if mitigations were unavailable.
Palo Alto announces patch rollout schedule for affected PAN-OS versions
Alongside the disclosure, Palo Alto said fixes for affected PAN-OS 10.2, 11.1, 11.2, and 12.1 versions would begin rolling out between May 13 and May 28, 2026. Until patches are available, customers were advised to restrict portal access to trusted internal IPs or disable the Authentication Portal if unused.
Palo Alto discloses CVE-2026-0300 under active exploitation
Palo Alto Networks disclosed CVE-2026-0300, a critical unauthenticated buffer overflow in the PAN-OS User-ID Authentication Portal that can lead to remote code execution with root privileges. The company said the flaw is being exploited in the wild, particularly against internet-exposed or otherwise untrusted portal deployments.
Palo Alto releases Threat Prevention Signature for CVE-2026-0300
Palo Alto Networks released a Threat Prevention Signature for PAN-OS 11.1 and later as a mitigation for CVE-2026-0300. The signature was made available ahead of full software patches to help reduce exploitation risk.
Palo Alto links CVE-2026-0300 exploitation to CL-STA-1132 activity
Palo Alto Networks said suspected state-sponsored cluster CL-STA-1132 began attempting to exploit CVE-2026-0300 on April 9, 2026, and achieved successful remote code execution about a week later by injecting shellcode into an nginx worker process. The company also described post-exploitation behavior including log deletion, Active Directory enumeration, and deployment of EarthWorm and ReverseSocks5 on a second device by April 29.
Sources
CL-STA-1132 Weaponizes PAN-OS RCE for Silent Root-Level Takeovers - SecPod Blog (secpod.com)
Warning: Critical Remote Code Execution vulnerability in Palo Alto PAN-OS User-ID Authentication Portal, Apply patches as soon as available! | CCB Belgium (ccb.belgium.be)
Nation-state actors exploit Palo Alto PAN-OS zero-day for weeks (securityaffairs.com)
Palo Alto Networks says patch for exploited PAN-OS firewall bug forthcoming | news | SC Media (scworld.com)
CVE-2026-0300 - PAN-OS: Unauthenticated user initiated Buffer Overflow Vulnerability in User-ID™ Authentication Portal (cvefeed.io)
Palo Alto Firewalls Being Exploited; No Patch Yet Available (bankinfosecurity.com)
Add Updated KEV Files for 2026-05-06 · cisagov/kev-data@7075827 · GitHub (github.com)
CISA Adds One Known Exploited Vulnerability to Catalog | CISA (cisa.gov)