Anatomy of CVE-2026-0300: out-of-bounds write in the User-ID Authentication Portal
CVE-2026-0300 is a buffer overflow of type CWE-787 (Out-of-bounds Write) in the User-ID Service Authentication Portal (Captive Portal) of the PAN-OS operating system. According to the NVD, the vulnerability allows an unauthenticated attacker to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls; sending specially crafted network packets is enough.
CVSS 4.0 vector from the CNA (Palo Alto Networks): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:A/AU:Y/R:U/V:C/RE:M/U:Red, final score 9.3 CRITICAL. NVD additionally gives a CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
Analysis of key components of the vector:

The exploitation chain is short and ugly: an untrusted request reaches the portal, the parser writes attacker-controlled bytes beyond a fixed-size buffer, control is transferred to attacker code, and execution continues with the privileges of the Captive Portal worker process, which is root. According to public reports [requires source verification], the vulnerable code processes an attacker-controlled field in an incoming authentication request and writes beyond the bounds of a fixed-size buffer, corrupting adjacent memory in the worker process.
Palo Alto Networks and Unit 42 did not disclose the specific request field, payload length or exploit structure. The exploitation technique, whether a direct control-flow hijack or one staged through heap corruption, is likewise outside the public record. Research-grade PoCs have appeared on GitHub (including qassam-315/PAN-OS-User-ID-Buffer-Overflow-PoC), but with 1-4 stars and without independent confirmation that they work. Treat them as potentially weaponized and do not run them in production infrastructure. Seriously.
Prisma Access, Cloud NGFW and Panorama are not affected. A separate point for OT infrastructures: third-party devices running PAN-OS are potentially also at risk, but at the time of publication the NVD lists only Palo Alto Networks PAN-OS as an affected product. For specific OT platforms, check the relevant manufacturer's advisory.
Attack Surface: Why Captive Portal is Reachable Without Authentication
User-ID Authentication Portal (Captive Portal) is a PAN-OS service that intercepts unauthenticated HTTP/HTTPS sessions in a configured zone and redirects users to a login page. Typical scenarios: guest Wi-Fi onboarding, BYOD onboarding, network access enforcement for unmanaged endpoints.
And here is the most unpleasant part. The portal by design receives traffic from clients that have no prior authentication state. That is not a misconfiguration, it is an architectural decision. Typical deployment patterns place the portal on the untrusted side of the firewall, because it must accept traffic from clients in a pre-auth state. This design is what makes CVE-2026-0300 reachable pre-auth. Reachability turns a memory-safety bug into a fleet-wide, internet-reachable, unauthenticated path to root.
According to public recommendations [requires source verification], three checks determine whether a particular device is exploitable:
User-ID Authentication Portal is enabled in the device configuration
The portal is bound to an interface in the zone that receives traffic from the untrusted network
Response Pages are reachable from an untrusted zone: the Internet, partner networks, guest segments
A "No" on any of the three points breaks the chain. A vulnerable version with the portal disabled is not exploitable. A portal reachable only from an internal zone is not exploitable remotely. But a firewall with the portal enabled, facing the Internet, on a vulnerable version is one HTTP request away from root.
Patches and affected versions
Palo Alto Networks is releasing fixes for PA-Series and VM-Series [per the corresponding Palo Alto Networks advisory; check the current document for exact dates and affected PAN-OS branches]. If the patch for your branch is not out yet, interim mitigation is mandatory. Waiting for a patch without a workaround is unacceptable.
Fingerprinting: exposure check
Environment setup
For an external audit: Linux with curl and nmap 7.90+, and Internet access. For an internal audit: CLI access to PAN-OS (SSH) or the web interface.
External check: the PAN-OS Captive Portal answers with characteristic redirect patterns. curl -skv https://<target> 2>&1 | grep -i 'palo\|panw' - with the default self-signed certificate, the presence of a characteristic TLS certificate or header confirms that the device is reachable. On production devices with custom certificates the command will give false negatives; rely instead on the Authentication Portal's HTTP responses (redirect patterns, login forms) and Shodan / Censys fingerprints. The specific Captive Portal URL endpoint depends on the PAN-OS version; check the Palo Alto Networks documentation. For mass discovery: a Shodan query for the Authentication Portal's characteristic HTTP responses or a Censys search for TLS certificates. Cortex Xpanse automates this discovery for Palo Alto customers.
Internal check through the PAN-OS CLI:
Code:
show system info | match "sw-version"
show authentication-portal statistics
show running authentication-policy
The first command shows the PAN-OS version (check it against the 10.2, 11.1, 11.2 and 12.1 branches). The second and third show the authentication-portal statistics and the running authentication policy, i.e. the state of the User-ID configuration. If the portal is enabled and bound to an interface in a zone carrying untrusted traffic, the device is in the critical-risk zone. In the web interface: Device > User Identification > Authentication Portal Settings.
What will light up in the SIEM during exploitation of CVE-2026-0300
Artifacts on the device
Based on typical post-exploitation TTPs on edge devices and the characteristics of CVE-2026-0300:
Absence of crash artifacts in the expected directories. A paradoxical IoC: core dumps and crash entries for the portal's worker process are what exploitation of a memory-corruption bug normally leaves behind, so if they should be there but are not, that is a cleanup signal. The emptiness here is more eloquent than any log.
Traces of injection in the audit log (if the attackers did not manage to clean up)
Uncharacteristic SUID binaries in the file system
New or modified admin accounts and SSH keys
SAML flood in the authentication logs: a burst of SAML requests over a short period before an HA pair failover
Absence of the expected crash artifacts of the Authentication Portal worker process
Network indicators
EarthWorm and ReverseSocks5 create outgoing SOCKS5 connections from the firewall. At the NDR/NTA level, monitor: outgoing TCP connections from the firewall to unknown external IPs on high ports; SOCKS5 handshake patterns (bytes 0x05 0x01), which are visible only in unencrypted transport; since both tools often wrap the channel in TLS, the detection is built on anomaly analytics (long outgoing sessions, uncharacteristic destinations) in traffic from the management interface; and DNS requests from the firewall to previously unseen domains.
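The network indicators above, turned into detection logic over constructed sample flow records from the firewall's management interface. This is an added example, not code from the article or from any vendor; the flow-record layout, the internal prefix, the known-destination and DNS baselines and all addresses are assumptions made up for the example.

```python
import ipaddress

# Constructed flow records for the firewall's management interface
# (field layout is an assumption for this example, not a PAN-OS log format):
# ts src dst dport proto duration_s bytes_out first_bytes_hex
FLOWS = """\
1700000000 10.0.0.5 10.0.0.20 443 tcp 12 4200 1603
1700000010 10.0.0.5 203.0.113.77 44321 tcp 7200 915000 0501
1700000020 10.0.0.5 198.51.100.9 53 udp 1 120 -
1700000030 10.0.0.5 203.0.113.200 443 tcp 30 9000 1603
1700000040 10.0.0.5 192.0.2.14 8443 tcp 54 60000 1603
"""

# Baselines a SOC would maintain for the device (all constructed).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
KNOWN_EXTERNAL = {"192.0.2.14"}   # update/licensing hosts it normally reaches
DNS_BASELINE = {"updates.vendor.example", "time.example.net"}
DNS_QUERIES = ["updates.vendor.example", "time.example.net", "cdn-relay.example.org"]

SOCKS5_HELLO = "0501"   # version 5, one auth method; only visible in cleartext
LONG_SESSION_S = 3600
HIGH_PORT = 1024

def parse_flows(text):
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, proto, dur, nbytes, first = line.split()
        rows.append({"ts": int(ts), "src": src, "dst": dst, "dport": int(dport),
                     "proto": proto, "duration": int(dur), "bytes": int(nbytes),
                     "first": first})
    return rows

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def flag_flows(rows, known=KNOWN_EXTERNAL):
    """Return [(row, reasons)] for outbound TCP flows matching the indicators."""
    findings = []
    for r in rows:
        if r["proto"] != "tcp" or not is_external(r["dst"]):
            continue
        reasons = []
        if r["dst"] not in known and r["dport"] >= HIGH_PORT:
            reasons.append("outbound-to-unknown-external-high-port")
        if r["duration"] >= LONG_SESSION_S:
            reasons.append("long-outbound-session")
        if r["first"].lower().startswith(SOCKS5_HELLO):
            reasons.append("socks5-client-hello")  # absent once wrapped in TLS
        if reasons:
            findings.append((r, reasons))
    return findings

def new_dns_names(queries, baseline=DNS_BASELINE):
    """Domains the firewall resolved that are not in its historical baseline."""
    return sorted(set(queries) - baseline)

if __name__ == "__main__":
    for row, why in flag_flows(parse_flows(FLOWS)):
        print(row["dst"], row["dport"], why)
    print("new DNS names:", new_dns_names(DNS_QUERIES))
```

The 443/tcp flow to an unknown host is deliberately not flagged: the high-port rule alone is noisy, which is why the article pairs it with session length and destination baselines.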
IPS rule and Sigma
For customers with Advanced Threat Prevention: the Threat ID from the corresponding Palo Alto Networks content release (see the current advisory for the exact number and content version) blocks attempts to exploit CVE-2026-0300 at the network level. Limitation: according to available data the decoder only works on certain PAN-OS branches; check the advisory.
For post-exploitation TTPs, SigmaHQ has 33 rules tagged T1090 (Proxy) and 24 rules for T1572 (Protocol Tunneling). For the Linux underpinnings of PAN-OS, net_connection_lnx_ngrok_tunnel.yml and net_connection_lnx_domain_localtonet_tunnel.yml are relevant; they cover the common outbound tunnel pattern. EarthWorm, with its custom protocol on top of SOCKS5, will need a separate rule; there is no ready-made one in SigmaHQ.
Mitigation: decision tree and prioritization
Code:
PA-Series / VM-Series device?
├── No → Not affected (Prisma Access, Cloud NGFW, Panorama)
└── Yes → Is the User-ID Authentication Portal enabled?
    ├── No → Not exploitable (but update is mandatory)
    └── Yes → Are Response Pages accessible from an untrusted zone?
        ├── No → Low risk, scheduled update
        └── Yes → CRITICAL:
            1. Restrict access to the portal to trusted zones
            2. Disable Response Pages on untrusted interfaces
            3. Enable the corresponding Threat ID from the Palo Alto advisory
               (check compatibility with the PAN-OS version)
            4. Update
            5. Treat the device as compromised:
               → audit configuration against a known-good baseline
               → rotate ALL credentials that passed through the device
               → verify SSH keys and admin accounts
               → search for IoCs across the active exploitation timeline
                 (from the time the CVE was disclosed)
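The CLI version check and the decision tree above, combined into one triage routine, with step 5's baseline audit as a config diff. Added example, not the article's or Palo Alto Networks' code: the 'show system info' excerpt, the device dictionary and the baseline/current configs are constructed, and the branch list is only the one the article names (fixed releases are not on the page and must come from the advisory).

```python
import re

# Branches the article lists for the version check; whether a given release
# on one of them is fixed is NOT encoded here - confirm against the advisory.
AFFECTED_BRANCHES = ("10.2", "11.1", "11.2", "12.1")

# Constructed excerpt of 'show system info' output (values made up).
SHOW_SYSTEM_INFO = """\
hostname: edge-fw-01
model: PA-850
sw-version: 11.1.4-h1
"""

def parse_sw_version(text: str) -> str:
    m = re.search(r"^sw-version:\s*(\S+)", text, re.MULTILINE)
    if not m:
        raise ValueError("sw-version not found")
    return m.group(1)

def on_listed_branch(version: str) -> bool:
    return ".".join(version.split(".")[:2]) in AFFECTED_BRANCHES  # '11.1.4-h1' -> '11.1'

def triage(dev: dict) -> dict:
    """Walk the decision tree; returns a risk level and ordered actions."""
    if dev["family"] not in ("PA-Series", "VM-Series"):
        return {"risk": "not-affected", "actions": []}
    if not on_listed_branch(dev["sw_version"]):
        return {"risk": "verify-branch", "actions": ["confirm branch against the advisory"]}
    if not dev["portal_enabled"]:
        return {"risk": "not-exploitable", "actions": ["update (mandatory)"]}
    # Pre-auth reachability needs a zone that has the portal bound, serves
    # Response Pages, and receives untrusted traffic: intersect the three sets.
    exposed = sorted(set(dev["portal_zones"]) & set(dev["response_page_zones"])
                     & set(dev["untrusted_zones"]))
    if not exposed:
        return {"risk": "low", "actions": ["scheduled update"]}
    return {"risk": "critical", "exposed_zones": exposed, "actions": [
        "restrict portal to trusted zones",
        "disable Response Pages on untrusted interfaces",
        "enable the advisory's Threat ID (check PAN-OS compatibility)",
        "update",
        "treat as compromised: baseline audit, rotate credentials, IoC hunt"]}

def config_deviations(baseline: dict, current: dict) -> dict:
    """Step 5: admin accounts and SSH keys present now but not in the known-good config."""
    return {"new_admins": sorted(set(current["admins"]) - set(baseline["admins"])),
            "new_ssh_keys": sorted(set(current["ssh_keys"]) - set(baseline["ssh_keys"]))}

if __name__ == "__main__":
    dev = {"family": "PA-Series", "sw_version": parse_sw_version(SHOW_SYSTEM_INFO),
           "portal_enabled": True, "portal_zones": ["guest", "trust"],
           "response_page_zones": ["guest"], "untrusted_zones": ["guest", "untrust"]}
    print(triage(dev))
```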
Updating PAN-OS is not enough if the device ran with a vulnerable, Internet-reachable portal in the window between disclosure and patching. According to public recommendations [requires source verification], an attacker's configuration changes (admin accounts, SSH keys, weakened policy rules) survive a firmware update. With careless remediation they will survive the next patch cycle too. Configuration audit, credential rotation and integrity validation are not optional follow-up; they are part of the response.
For context: according to the IBM X-Force Threat Intelligence Index 2025, the average time between CVE publication and remediation in organizations is 29 months. For CVE-2026-0300, CISA gave three days. The gap is two orders of magnitude.
Unit 42 has recorded a steady trend for five years: state-sponsored groups increasingly target edge devices, meaning firewalls, routers, VPN gateways and hypervisors. These assets provide highly privileged access, rarely carry EDR agents, and full logging on them is the exception rather than the rule. The post-exploitation scenario described here is not an anomaly but a typical pattern. Mandiant M-Trends 2025 confirms it: exploits are the main initial-access vector (38% of cases in 2024).
The bet APT groups place on open-source tools instead of proprietary malware is a deliberate choice. EarthWorm and ReverseSocks5 minimize signature-based detection and create an attribution dilemma: the same utilities are legitimately used by sysadmins. If your SOC builds detection on IoC feeds and hashes of known malware, there will be nothing to catch. Behavioral detection and baseline deviation for network equipment are the only approach that works. But in practice, few monitor the behavioral profile of a firewall with the same attention as a workstation profile.
CVE-2026-0300 stands out not because it is technically primitive; buffer overflows have happened before. It stands out because of the context: a component that by design must accept untrusted traffic, with AU:Y (automatable) and zero privilege requirements. That is a recipe for mass exploitation, and CISA's SSVC decision of Act, marked automatable: yes, confirms it. Forecast for the coming months: copycat attacks from less disciplined groups. They will be rougher and leave more artifacts, but the damage will be no less. Whoever has not yet built a behavioral baseline for their edge devices will learn from their own incidents. I