On May 6, 2026 CISA added CVE-2026-0300 to the Known Exploited Vulnerabilities catalog. Remediation deadline: three days, until May 9. SSVC: Act (exploitation is active, the attack is automatable, technical impact is total). Tens of PAN-OS instances with an open Captive Portal, according to Foresite VM-Series, are visible on the Internet. A buffer overflow in the User-ID Authentication Portal gives an unauthenticated attacker a root shell on PA-Series and VM-Series firewalls with a single network packet. One packet, and your firewall is theirs. Below is a complete analysis of the Palo Alto PAN-OS vulnerability from a pentester's perspective: from the CVSS vector to exposure and exploitation detection.
Anatomy of CVE-2026-0300: out-of-bounds write in Captive Portal
CVE-2026-0300 is a buffer overflow of type CWE-787 (Out-of-bounds Write) in the User-ID Authentication Portal (Captive Portal) service of PAN-OS. According to the NVD, the vulnerability allows an unauthenticated attacker to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls using specially crafted network packets.
Analysis of the CVSS vector
CVSS 4.0 vector from the CNA (Palo Alto Networks):
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:A/AU:Y/R:U/V:C/RE:M/U:Red
Final score: 9.3 CRITICAL.

EPSS as of May 22, 2026: 0.0435, percentile 0.8905. AlienVault OTX has 27 threat-intelligence pulses for this CVE tagged actively_exploited_kev.
The PAN-OS 10.2, 11.1, 11.2 and 12.1 branches on PA-Series and VM-Series are affected. Prisma Access, Cloud NGFW and Panorama are not affected. If your OT firewall is built on this platform, check the Siemens advisory.
Attack surface: why Captive Portal is reachable before authentication
User-ID Authentication Portal (Captive Portal) is a PAN-OS service that intercepts HTTP/HTTPS from unauthenticated clients in a configured zone and redirects them to a login page. Typical scenarios: guest Wi-Fi onboarding, BYOD device authentication, network access enforcement for unmanaged endpoints.
The architectural nuance that matters here: the portal by design accepts traffic from clients with no prior authentication state. This is not a configuration error, it is a functional requirement. The portal faces the untrusted side of the firewall because it has to process traffic before the moment of authentication.
It is this design that makes exploitation of the vulnerability achievable pre-auth from the Internet. A memory-safety bug on a vulnerable PAN-OS branch is one problem. A memory-safety bug with Response Pages reachable from the Internet is a fleet-wide, internet-reachable, unauthenticated path to root. Feel the difference.
Three conditions for exploitation:
- PAN-OS version on an affected branch (10.2, 11.1, 11.2, 12.1) below the fixed version
- User-ID Authentication Portal enabled in the device configuration
- Response Pages reachable from an untrusted zone: Internet, partner networks, guest segments
A "no" on any of the three breaks the exploitation chain. This is fundamental for prioritization: the difference between an emergency fleet-wide patch and a calm, targeted response.
LIVEcommunity Palo Alto Networks regularly sees confusion between User-ID Authentication Portal (Captive Portal) and User-ID in the zone settings (Network > Enable User Identification). These are different things. User-ID in the zone settings (applying mapping information in policies and logs) has nothing to do with this vulnerability.
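A small prioritization helper for the three conditions, as an added example (not the article's or Palo Alto's code): it parses PAN-OS version strings including the -hN hotfix suffix and walks the chain. The fixed versions per branch are placeholders, not values from the advisory.

```python
"""Prioritization helper for the three exploitation conditions above.
Added example, not from the article. FIXED holds placeholder versions:
take the real ones from the Palo Alto advisory."""
import re
from typing import Tuple

# Placeholder fixed versions per affected branch (NOT from the advisory).
FIXED = {
    "10.2": "10.2.99",
    "11.1": "11.1.99",
    "11.2": "11.2.99",
    "12.1": "12.1.99",
}

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos(version: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.maint[-hN]' into a comparable tuple; no hotfix = 0."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_vulnerable_version(version: str) -> bool:
    """True when the version is on an affected branch below the (placeholder) fix."""
    v = parse_panos(version)
    branch = f"{v[0]}.{v[1]}"
    if branch not in FIXED:
        return False  # not an affected branch
    return v < parse_panos(FIXED[branch])


def prioritize(version: str, portal_enabled: bool, untrusted_reachable: bool) -> str:
    """Walk the three conditions; a single 'no' breaks the chain."""
    conditions = (
        is_vulnerable_version(version),
        portal_enabled,
        untrusted_reachable,
    )
    if all(conditions):
        return "emergency"      # patch or mitigate now, plus compromise assessment
    if conditions[0]:
        return "planned"        # vulnerable code, but no reachable pre-auth path
    return "not-affected"
```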
Exploitation chain: from crafted packet to root shell
The architectural chain is straightforward: an untrusted request reaches the portal → the parser processes an attacker-controlled field in the authentication request → the data is written outside the fixed-size buffer → memory corruption in the Captive Portal worker process → control is transferred to attacker code → execution with the privileges of the worker process. And the worker runs as root. That's all.
Palo Alto Networks and Unit 42 have not disclosed the specific request field, payload length or exploit structure. Whether exploitation is a direct control-flow hijack or staged through heap spraying is still outside the public record. According to available publications, after the initial compromise via CVE-2026-0300 the attackers deployed open-source tools and enumerated Active Directory. Specific attribution of the campaign is, at the time of publication, not confirmed by independent sources.
About public PoCs
There are several repositories on GitHub claiming a PoC:
- p3Nt3rs3r-sTar/CVE-2026-0000-POC: 15 stars, updated 23 May 2026
- qassam-315/PAN-US-US-US-Buffer-Overflow-PoC: 3 stars, described as a "research-grade PoC for CWE-787"
- bannned-bit/CVE-2026-0300-PANOs: 1 star
None of them has independent confirmation that it works. Stars: next to none; the code may be weaponized. Do not run them in production infrastructure or in any lab without network isolation. For study, use an isolated EVE-NG stand with a PAN-OS image of a vulnerable version.
What root on the firewall means
Root on a PAN-OS firewall is a position on the path of every authenticated session, every routed flow and every credential that crosses the perimeter. According to the analysis by Kodem Security, successful exploitation allows an attacker to:
- Intercept and modify traffic in flight, including TLS-terminated traffic where the firewall is the inspection point
- Collect credentials from User-ID mappings, GlobalProtect and Captive Portal logins
- Modify the configuration: add admin accounts, add SSH keys, disable Threat ID 510019
- Persist through configuration changes that survive a reboot and, with undetected modifications, through patching
- Pivot into the internal network through the firewall's trust relationships with directory services, SIEM forwarders and syslog destinations
The conclusion for remediation is direct: for a firewall that ran a vulnerable configuration with an externally reachable Captive Portal between disclosure and patch, a PAN-OS update alone is not enough. Configuration audit, credential rotation, validation of admin accounts and SSH keys are part of the response, not an optional follow-up.
Where CVE-2026-0300 sits in a perimeter attack
Exploitation of CVE-2026-0300 is Initial Access without preconditions. One HTTP request to an open Captive Portal turns into a root shell on an edge device. The following scenario is based on TTPs documented for CL-STA-1132 and similar attacks on edge devices:

A firewall as a relay point for C2 traffic is ideal for the attacker: NDR/NTA systems by default may have no baseline for outgoing connections from the firewall. Check whether yours do. It is a blind spot, and it has to be closed explicitly.
Fingerprinting: checking your firewall's exposure
Environment requirements
- External audit: Linux with curl and nmap 7.90+, Internet access
- Internal audit: CLI access to PAN-OS (SSH) or the web interface, at least a read-only admin
- Mass discovery: Shodan/Censys account; Cortex Xpanse for Palo Alto customers automates detection
Decision tree for prioritization

What lights up in the SIEM during exploitation of CVE-2026-0300
Artifacts on the device
Based on the PAN-OS vulnerability and post-exploitation TTPs on edge devices:
- Paradoxical IoC: no crash artifacts. If there should have been a crash (core dumps, the portal worker process falling over) but there is none, that is a cleanup signal. Emptiness here is more eloquent than any log
- ptrace traces in the audit log (if the attackers did not have time to clean up)
- Uncharacteristic SUID binaries in the file system
- New or edited admin accounts and SSH keys
- SAML flood in the authentication logs: mass SAML requests in a short period
Network indicators
Tunneling tools initiate outgoing connections from the firewall; SOCKS5 patterns (0x05 0x01) can only be seen in unencrypted transport. At the NDR/NTA level, monitor:
- Outgoing TCP connections from the firewall to unknown IPs on high ports
- SOCKS5 handshake (bytes 0x05 0x01): detected only without encryption; most tools wrap the channel in TLS, so detection is built on anomaly analytics: long-lived outgoing sessions to uncharacteristic destinations
- DNS requests from the firewall to unexpected domains
On the D3FEND countermeasure side, relevant for techniques T1090 (Proxy) and T1572 (Protocol Tunneling): Protocol Metadata Anomaly Detection (D3-PMAD), Per Host Download-Upload Ratio Analysis (D3-PHDURA), Client-server Payload Profiling (D3-CSPP), Network Traffic Signature (D3-NT).
IPS and Sigma rules
For customers with an Advanced Threat Prevention subscription: enable the Anti-Spyware/ATP rule from Palo Alto for CVE-2026-0300; the specific Threat ID and the minimum content version are in the vendor's current content release notes. Nuance: the decoder may require PAN-OS 11.1 or higher. If your firewall is on 10.2, the IPS rule may not be supported and you need an external WAF or access restriction.
For post-exploitation TTPs, SigmaHQ has rules available: tag T1090 (Proxy) has 33 rules, tag T1572 (Protocol Tunneling) has 24. For the Linux-based PAN-OS the most relevant are net_connection_lnx_ngrok_tunnel.yml and net_connection_lnx_domain_localtonet_tunnel.yml, which cover the general pattern of outgoing tunneling from a compromised host.
Mitigation and patching: a checklist for the sysadmin
What to do right now
If the firewall is exposed according to the decision tree above, do not wait for a maintenance window:
- Restrict access to the User-ID Authentication Portal to trusted internal IPs only (see step 6 in the LIVEcommunity Palo Alto Networks thread)
- Disable the Authentication Portal if it is not used: Device > User Identification > Authentication Portal Settings > clear the Enable Authentication Portal checkbox
- Enable the ATP rule for CVE-2026-0300 if you have an Advanced Threat Prevention subscription (specific Threat ID and content version: see the vendor's content release notes; PAN-OS 11.1+)
- Block external access to the portal interface via security policy
Palo Alto Networks patch table

If the patch for your version is not out yet, the interim measures are mandatory. According to IBM X-Force, the average time between publication of a CVE and remediation in an organization is 29 months. Three days from CISA against such an average is a window that attackers use comfortably.
Hardening checklist
