
CVE-2026-0300, disclosed by Palo Alto Networks on May 5, 2026 and updated on May 7, 2026, is a critical severity (CVSS 9.3) PAN-OS zero-day in the User-ID Authentication Portal (Captive Portal) that lets unauthenticated attackers execute code as root on PA-Series and VM-Series firewalls.
The Captive Portal flaw is a CWE-787 out-of-bounds write in the User-ID Authentication Portal request handling path. Palo Alto and Unit 42 have not published the exact request field, payload length or exploit structure as of this draft, so defenders should not rely on request-level signatures alone. Palo Alto confirmed exploitation in the wild at disclosure, with fixed versions shipping on a staggered May 13th and May 28th schedule.
Until fixed versions are available for the affected PAN-OS branch, customers should restrict User-ID Authentication Portal access to trusted internal zones only or disable the Captive Portal where not required. For supported deployments, enable Threat ID 510019 as an additional detection and blocking control.
What Happened: Palo Alto Discloses CVE-2026-0300 in PAN-OS Captive Portal
CVE-2026-0300 is a critical severity (CVSS 9.3) buffer overflow in the PAN-OS User-ID Authentication Portal (Captive Portal) that allows unauthenticated remote code execution as root on PA-Series and VM-Series firewalls. Palo Alto Networks confirmed active in-the-wild exploitation before the full patch slate was available.
Disclosure Timing
Palo Alto reported limited exploitation at the time of disclosure, with full public proof-of-concept details not yet released and patch coverage staggered across the four affected branches (PAN-OS 10.2, 11.1, 11.2 and 12.1).
How CVE-2026-0300 Executes: From Crafted Packet to Root
Exploitation of CVE-2026-0300 requires a single specially crafted network request to the User-ID Authentication Portal, with no authentication and no user interaction (CVSS vector AV:N/AC:L/PR:N/UI:N). A successful trigger corrupts memory inside the Captive Portal request handler and yields arbitrary code execution at root on the firewall.
The Vulnerable Surface
The User-ID Authentication Portal (Captive Portal) is the PAN-OS service that intercepts unauthenticated HTTP and HTTPS sessions in a configured zone and redirects users to a login page before granting network access. Common deployment patterns (guest Wi-Fi onboarding, BYOD authentication, network access enforcement for unmanaged endpoints) push the portal toward the untrusted side of the firewall by design, because the portal must accept traffic from clients that have no prior authentication state.
That design intent is what makes CVE-2026-0300 reachable pre-authentication. Reachability is the conversion factor: a vulnerable PAN-OS branch alone is a memory-safety bug, but a vulnerable branch with Response Pages reachable from untrusted networks is a fleet-wide, internet-reachable, unauthenticated path to root. Every PA-Series and VM-Series firewall on an affected branch with a public-facing portal is one HTTP request away from compromise, regardless of how well downstream zones, the management plane, or the admin console are segmented.
The Buffer Overflow Mechanics
CVE-2026-0300 is a CWE-787 out-of-bounds write in the authentication request handling path of the User-ID Authentication Portal. The vulnerable code parses an attacker-controlled field on the inbound request and writes past the end of a fixed-size buffer, corrupting adjacent memory in the Captive Portal worker process.
Public proof-of-concept mechanics (the specific field, length, and payload structure that trigger the overflow) are not fully published as of May 2026. Palo Alto Networks and Unit 42 have confirmed the vulnerability class (CWE-787) and the privilege outcome (root). The exploitation primitives (whether the overflow drives a direct control-flow hijack or stages through heap corruption to reach code execution) remain a gap in the public record. Defenders should treat any reverse-engineered PoC posted to public repositories before the patch wave completes as weaponized and as a forcing function on the response timeline.
The architectural chain is short: an untrusted request reaches the portal, the parser writes attacker bytes outside the intended buffer, control transfers to attacker-supplied code, and execution continues under the privilege of the Captive Portal worker, which is root.
Privilege and Persistence Implications
Root on a PAN-OS firewall sits in the path of every authenticated session, every routed flow, and every credential that crosses the perimeter. In operational terms, successful exploitation of CVE-2026-0300 enables an attacker to:
- Intercept and modify traffic in flight, including TLS-terminated sessions where the firewall is the inspection point, plaintext authentication flows, and management protocol traffic crossing the device.
- Harvest credentials from User-ID mappings, GlobalProtect sessions, Captive Portal logins, and any cached authentication state held on the device.
- Modify firewall configuration to add administrator accounts, install SSH keys, weaken policy rules, disable threat detections (including Threat ID 510019), or open inbound paths into the interior network.
- Establish a persistent foothold through configuration-level changes that survive reboots and, when post-exploitation modifications are not detected during remediation, survive patch cycles.
- Pivot laterally using the firewall's existing trust relationships with directory services, SIEM forwarders, syslog destinations, and management planes, none of which treat the firewall as a plausible source of malicious traffic.
The remediation consequence is direct: any PA-Series or VM-Series firewall that ran a vulnerable, externally reachable Captive Portal at any point between disclosure and patch cannot be cleared by upgrading PAN-OS alone. Configuration audit against a known-good baseline, rotation of every credential the device brokered, and integrity validation of administrator accounts and SSH keys are part of the response, not optional follow-ups.
Affected Versions and Exposure Conditions
CVE-2026-0300 affects PAN-OS 10.2, 11.1, 11.2, and 12.1 on PA-Series and VM-Series firewalls. Palo Alto also states that Prisma Access, Cloud NGFW and Panorama appliances are not impacted. Exposure requires both conditions: the User-ID Authentication Portal must be enabled, and Response Pages must be reachable from untrusted or internet-accessible interfaces.
Palo Alto Networks is shipping fixed PAN-OS versions in two staggered waves: May 13, 2026 and May 28, 2026. The matrix below maps every affected branch to its fixed version and patch ETA so a firewall fleet can be sequenced through patching against exact version strings.
Exposure is two-part. A vulnerable version alone does not make a firewall exploitable. The User-ID Authentication Portal (Captive Portal) must be enabled AND Response Pages must be reachable from untrusted networks. Many firewall fleets have one condition without the other. An affected PAN-OS branch with the Captive Portal disabled is not exploitable through CVE-2026-0300, and a fleet running the Captive Portal on a fully internal-only zone with no untrusted reachability is not remotely exploitable. This nuance matters for triage prioritization, because it is the difference between an emergency patch sweep and a sequenced, evidence-driven response.
Three checks per device determine exploitability:
- Is the running PAN-OS version on an affected branch (PAN-OS 10.2, 11.1, 11.2, or 12.1) and below the fixed version for that branch?
- Is the User-ID Authentication Portal enabled in the device configuration?
- Are Response Pages reachable from any untrusted source zone the firewall touches, including the public internet, partner networks, or guest segments?
A firewall is exploitable through CVE-2026-0300 only when all three answers are yes. A "no" on any one of the three breaks the exploitation chain for this CVE, though the firewall still requires patching on the published Palo Alto schedule because configuration drift can flip a "no" to a "yes" at any time.
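The three checks as a fleet triage script, an added example rather than Palo Alto tooling. The inventory records are constructed, and because this page does not state the fixed versions, FIXED_VERSIONS holds obviously fake placeholders that must be filled from the vendor matrix before use.

```python
"""Apply the page's three CVE-2026-0300 exploitability checks to inventory records.
Fixed versions are not stated on this page: FIXED_VERSIONS holds obviously fake
placeholders to be replaced from Palo Alto's fixed-version matrix."""
import re
from dataclasses import dataclass

AFFECTED_BRANCHES = ("10.2", "11.1", "11.2", "12.1")
# PLACEHOLDERS, deliberately not real fixed versions.
FIXED_VERSIONS = {"10.2": "10.2.999", "11.1": "11.1.999",
                  "11.2": "11.2.999", "12.1": "12.1.999"}
# PAN-OS versions look like major.minor.maintenance with an optional -hN hotfix.
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(v):
    """Parse 'major.minor.maint[-hN]' into a comparable tuple (hotfix 0 if absent)."""
    m = _VER_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {v!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))

def branch_of(v):
    major, minor, _, _ = parse_version(v)
    return f"{major}.{minor}"

def version_vulnerable(v):
    """Check 1: on an affected branch and strictly below that branch's fixed version."""
    b = branch_of(v)
    return b in AFFECTED_BRANCHES and parse_version(v) < parse_version(FIXED_VERSIONS[b])

@dataclass
class Device:
    name: str
    panos_version: str
    captive_portal_enabled: bool  # check 2: User-ID Authentication Portal enabled?
    response_page_zones: tuple    # zones whose Interface Mgmt Profile enables Response Pages
    untrusted_zones: tuple        # zones the operator classifies as untrusted

def response_pages_untrusted(dev):
    """Check 3: Response Pages are enabled in at least one untrusted zone."""
    return bool(set(dev.response_page_zones) & set(dev.untrusted_zones))

def triage(dev):
    """Return (exploitable, per-check results); exploitable only when all three are yes."""
    checks = {
        "vulnerable_version": version_vulnerable(dev.panos_version),
        "captive_portal_enabled": dev.captive_portal_enabled,
        "response_pages_untrusted": response_pages_untrusted(dev),
    }
    return all(checks.values()), checks

# Constructed inventory for illustration, not real devices.
FLEET = [
    Device("fw-guest-01", "11.1.4-h2", True, ("guest",), ("guest", "untrust")),   # all yes
    Device("fw-dc-02", "11.1.4-h2", False, (), ("untrust",)),                     # portal off
    Device("fw-lab-03", "11.1.999", True, ("untrust",), ("untrust",)),            # at fixed version
    Device("fw-core-04", "10.1.11", True, ("untrust",), ("untrust",)),            # branch not affected
]

if __name__ == "__main__":
    for d in FLEET:
        exploitable, checks = triage(d)
        print(d.name, "EXPLOITABLE" if exploitable else "not exploitable", checks)
```

A device that fails any one check still lands in the patch queue; the script only orders the queue, since configuration drift can turn a "no" into a "yes".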
Immediate Response: The First-Hour Runbook
Triage CVE-2026-0300 in this order: confirm exposure, restrict access to the User-ID Authentication Portal, enable available threat detections, then patch when fixed versions ship for the affected PAN-OS branch. Do not assume unaffected status without verifying both configuration and network reachability.
- Inventory PAN-OS deployments: Identify all PA-Series and VM-Series firewalls running affected PAN-OS 10.2, 11.1, 11.2, or 12.1 versions.
- Confirm User-ID Authentication Portal status: Check whether the User-ID Authentication Portal is enabled on each affected firewall.
- Check Response Pages exposure: Review Interface Management Profiles and confirm whether Response Pages are enabled on external or internet-accessible interfaces.
- Restrict Captive Portal reachability: Limit User-ID Authentication Portal access to trusted internal IP addresses. Disable Response Pages on interfaces in zones where untrusted or internet traffic can ingress.
- Disable User-ID Authentication Portal where not required: Remove the vulnerable service from the exposed attack surface when Captive Portal is not actively needed.
- Enable Threat ID 510019 where supported: Palo Alto states that Threat ID 510019 requires Threat Prevention or Advanced Threat Prevention coverage, Applications and Threats content version 9097-10022, and PAN-OS 11.1 or later.
- Apply fixed PAN-OS versions as they ship: Patch according to the fixed-version matrix for the device’s branch and train.
- Review logs from the 30 days before disclosure: Hunt for Captive Portal request anomalies, Threat ID 510019 detections, nginx crashes, new administrator accounts, SSH key changes, configuration drift, and firewall-originated outbound traffic.
- Validate firewall integrity: Review administrator accounts, SSH keys, authentication profiles, User-ID changes, Captive Portal settings, and management interface configuration against a known-good baseline.
- Hold non-security configuration changes: Pause planned firewall changes that are not security-critical until affected devices are patched and validated clean.
Indicators of Compromise (IOCs) and Behavioral Signals
As of May 7, 2026, defenders should hunt for exposed PAN-OS User-ID Authentication Portal services, Threat ID 510019 coverage gaps, anomalous nginx worker activity, post-exploitation tunneling tools, and firewall-originated outbound connections. Unit 42 has published concrete IOCs for CVE-2026-0300, including IP addresses, tool paths, an EarthWorm hash, download locations, and an attacker user agent string.
Configuration Indicators
Network Indicators
Published Unit 42 IOCs
Process and Integrity Indicators
Post-Exploitation Indicators
Outbound Indicators
Log Review Targets
Why CVE Inventory Caught This but Exposure Mapping Mattered More
A traditional vulnerability inventory tool can answer the version question: does this firewall run an affected PAN-OS branch? CVE-2026-0300 risk depends on two additional exposure questions: was the User-ID Authentication Portal enabled, and were Captive Portal Response Pages reachable from untrusted networks?
For CVE-2026-0300, a vulnerable PAN-OS version is necessary, but not the full risk picture. Exploitable exposure requires the affected software, the enabled Captive Portal service, and a reachable path from untrusted networks.
Firewall fleets rarely share one configuration state. One PA-Series or VM-Series firewall may run an affected PAN-OS version with Captive Portal disabled. Another may run the same version with the User-ID Authentication Portal exposed to the internet. CVE inventory marks both as vulnerable. Exposure mapping separates immediate exploitation risk from lower-immediacy patch backlog.
The same gap appears in application security. Static inventory answers whether a vulnerable component exists. Runtime exposure answers whether the vulnerable service, function, package, or execution path is loaded, reachable, and active.
Kodem does not scan PAN-OS firewalls. The shared principle is broader: real risk depends on presence plus exposure. Runtime Intelligence applies that exposure-first logic to application code, dependencies, and runtime behavior by showing what is loaded, reachable, and executing in real environments.
ADR applies the same logic once exposure becomes activity. When a vulnerable path is exercised, runtime detection helps answer the next operational question: did exploitation actually execute?
CVE-2026-0300 reinforces the difference between vulnerability management and exploitability management. Inventory tells teams where to patch. Exposure mapping tells teams what to prioritize first.
Hardening Edge Authentication Surfaces Against the Next Variant
Edge authentication services across Ivanti, Citrix, Fortinet, Palo Alto, and other perimeter platforms remain recurring attacker targets because they sit at the edge and often broker privileged access. The CVE-2026-0300 hardening playbook is to reduce unauthenticated reachability, disable unused portal services, segment management paths, monitor appliance-originated traffic, and patch edge devices on a critical SLA.
- Default-deny inbound access to firewall management and authentication portals: Restrict Palo Alto Captive Portal, User-ID Authentication Portal, and management surfaces from untrusted networks. Allowlist trusted source IPs or place access behind a zero-trust proxy.
- Disable authentication portal services that are not in active use: Turn off Captive Portal and related authentication portal services where they are not required. Document which PA-Series and VM-Series deployments need them and audit that list quarterly.
- Segment management interfaces from public networks: Separate management access at the network and VLAN level, not only through firewall policy. Public internet reachability should not depend on a single rule remaining correct.
- Maintain vendor threat detection coverage: Subscribe to vendor threat detection content packs and verify automatic update cadence. For PAN-OS, confirm Threat ID 510019 coverage on supported PAN-OS 11.1 and later deployments with the required Threat Prevention or Advanced Threat Prevention content.
- Treat firewall fleet patching as a tiered SLA process: Critical CVEs on edge devices need a 72-hour SLA, not a quarterly maintenance window. Prioritize internet-facing Captive Portal deployments, then internal deployments reachable from untrusted zones.
- Monitor outbound traffic from firewall appliances: Alert when PAN-OS appliances initiate outbound connections to destinations outside approved update servers, telemetry endpoints, log collectors, and management systems. Firewall-originated traffic to unknown destinations is a high-confidence post-exploitation signal.
- Build and maintain an edge authentication exposure map: Track which firewalls, VPNs, and identity gateways expose authentication portals externally. For the next CVE-2026-0300-style disclosure, this list becomes the first-hour triage map.
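The outbound-monitoring control above, which is also the firewall-originated outbound traffic hunt in the first-hour runbook, as detection logic over sample records; this is an added example, not Palo Alto or Kodem code. The appliance addresses, allowlist networks and log rows are constructed, and the CSV layout is a simplification, not PAN-OS's native traffic-log format.

```python
"""Flag outbound connections that a PAN-OS appliance itself initiates to destinations
outside the approved update, telemetry, log-collector and management sets.
Log layout below is constructed for this example (time,src,dst,dport,app), not
PAN-OS's native traffic-log format; addresses and networks are placeholders."""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed: the appliances' own egress addresses (traffic *from* these is firewall-originated).
FIREWALL_IPS = {"203.0.113.10", "198.51.100.5"}
# Constructed allowlist, grouped the way the text groups approved destinations.
APPROVED = {
    "update_servers": [ipaddress.ip_network("192.0.2.0/28")],
    "telemetry": [ipaddress.ip_network("192.0.2.64/28")],
    "log_collectors": [ipaddress.ip_network("10.50.0.0/24")],
    "management": [ipaddress.ip_network("10.10.0.0/24")],
}

def approved_category(dst):
    """Return the allowlist category containing dst, or None if unapproved."""
    ip = ipaddress.ip_address(dst)
    for category, nets in APPROVED.items():
        if any(ip in net for net in nets):
            return category
    return None

def flag_firewall_egress(log_text):
    """Return rows where src is an appliance address and dst is outside every approved set.
    Transit traffic (src is a client behind the firewall) is ignored here on purpose."""
    return [row for row in csv.DictReader(io.StringIO(log_text))
            if row["src"] in FIREWALL_IPS and approved_category(row["dst"]) is None]

def summarize(hits):
    """Group flagged rows by destination: {dst: sorted list of 'port/app'} for an analyst."""
    by_dst = defaultdict(set)
    for row in hits:
        by_dst[row["dst"]].add(f'{row["dport"]}/{row["app"]}')
    return {dst: sorted(v) for dst, v in by_dst.items()}

# Constructed sample log. Only the last two rows should be flagged:
# row 1 is an approved update server, row 2 is transit traffic, row 3 is syslog to a collector.
SAMPLE_LOG = """time,src,dst,dport,app
2026-05-07T10:00:01Z,203.0.113.10,192.0.2.3,443,ssl
2026-05-07T10:00:05Z,10.20.1.44,198.18.50.1,443,web-browsing
2026-05-07T10:01:10Z,203.0.113.10,10.50.0.7,514,syslog
2026-05-07T10:02:33Z,203.0.113.10,198.18.7.9,8443,ssl
2026-05-07T10:03:00Z,198.51.100.5,198.18.7.9,22,ssh
"""

if __name__ == "__main__":
    hits = flag_firewall_egress(SAMPLE_LOG)
    for dst, ports in summarize(hits).items():
        print(f"firewall-originated traffic to unapproved {dst}: {', '.join(ports)}")
```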
What This Pattern Tells Us About Edge Appliance Security in 2026
CVE-2026-0300 is the latest entry in a multi-year pattern of attackers prioritizing edge security infrastructure, including VPNs, firewalls, and identity gateways, because compromise yields privileged interior access without alerting endpoint security stacks. Edge appliances now sit beside domain controllers and identity providers as first-tier targets.
- Edge security devices are now first-tier targets: Firewalls, VPNs, and authentication gateways broker access between untrusted networks and internal systems. Successful exploitation at this layer can give attackers a privileged foothold before endpoint controls observe activity.
- Memory-safety bugs in vendor C and C++ codebases continue to deliver pre-auth RCE: CVE-2026-0300 is a buffer overflow in the PAN-OS User-ID Authentication Portal. The mechanics differ from command injection flaws and file-write bugs seen in prior edge appliance CVEs, but the operational result is the same: unauthenticated code execution on a perimeter device.
- The disclosure-to-exploitation window keeps compressing: Palo Alto Networks confirmed active exploitation before the full patch slate was available. That timing moves response from routine patch management to exposure-driven incident response.
Frequently Asked Questions
CVE-2026-0300 is a critical PAN-OS User-ID Authentication Portal zero-day that can allow unauthenticated root RCE on affected PA-Series and VM-Series firewalls. Exploitable exposure depends on configuration: the Captive Portal must be enabled, and Response Pages must be reachable from untrusted networks.
- What is CVE-2026-0300?
CVE-2026-0300 is a critical buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal, also known as Captive Portal. The flaw allows unauthenticated attackers to execute arbitrary code with root privileges on affected PA-Series and VM-Series firewalls. Palo Alto rates the issue CVSS 9.3 and confirms active exploitation.
- Which PAN-OS versions are affected by CVE-2026-0300?
Affected branches are PAN-OS 10.2, 11.1, 11.2, and 12.1 across PA-Series and VM-Series firewalls. Prisma Access, Cloud NGFW, and Panorama appliances are not impacted.
- Is CVE-2026-0300 being actively exploited?
Yes. Palo Alto Networks confirms limited in-the-wild exploitation targeting User-ID Authentication Portals exposed to untrusted IP addresses or the public internet. The risk is reduced when User-ID Authentication Portal access is restricted to trusted internal IP addresses.
- Do I need to patch if my Captive Portal is not internet-facing?
Patching is still strongly recommended. Exploitation requires both conditions: User-ID Authentication Portal must be enabled, and an Interface Management Profile with Response Pages enabled must be associated with an external or internet-accessible interface. Immediate exposure is lower when both conditions are false, but teams should verify configuration and reachability directly.
- How do I detect CVE-2026-0300 exploitation attempts?
Enable Threat ID 510019 where supported. Palo Alto states this control requires Threat Prevention or Advanced Threat Prevention coverage, Applications and Threats content version 9097-10022, and PAN-OS 11.1 or later. Review Captive Portal request logs, Threat Prevention logs, firewall-originated outbound traffic, administrator changes, SSH key changes, nginx process anomalies, and configuration drift.
- What credentials or data could attackers steal after exploiting CVE-2026-0300?
Root access on a firewall can enable interception of authentication traffic, extraction of cached credentials, configuration modification, and persistence. Treat any compromised firewall as a credential-exposure incident across authentication flows brokered by the device.
- How does CVE-2026-0300 compare to past Palo Alto vulnerabilities like CVE-2024-3400?
CVE-2026-0300 belongs to the same operational class of unauthenticated PAN-OS edge-RCE vulnerabilities, but the mechanics differ. CVE-2026-0300 is a buffer overflow in the User-ID Authentication Portal, while CVE-2024-3400 involves command injection. The shared lesson is that services exposed to untrusted networks are the real risk surface.
- Where can I track CVE-2026-0300 updates?
Track the official Palo Alto Networks advisory, Unit 42 technical write-ups, Rapid7 emergent threat response updates and Wiz analysis. These sources should be checked again before publishing for updated fixed versions, Threat ID guidance, IOC strings, exploit request details, and log-field guidance.
References
- Kodem Security. May 14, 2025. Kodem’s Approach to ADR: Rethinking Application Detection & Response. Kodem Security.
- Palo Alto. May 6, 2026. CVE-2026-0300 PAN-OS: Unauthenticated user initiated Buffer Overflow Vulnerability in User-ID™ Authentication Portal. Palo Alto.
- Rapid7. May 7, 2026. Critical Buffer Overflow in Palo Alto Networks PAN-OS User-ID Authentication Portal (CVE-2026-0300). Rapid7.
- Unit 42. May 6, 2026. Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution. Unit 42.
- Wiz. May 6, 2026. Critical Buffer Overflow Vulnerability in PAN-OS Exploited in-the-Wild. Wiz.