unit42.paloaltonetworks.com 5/7/2026, 12:21:28 AM · via preferred

Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution

Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution
Developing story vulnerability 12 articles tracked
Palo Alto PAN-OS Captive Portal zero‑day (CVE-2026-0300) exploited in the wild
CyberSIXT Evidence Panel Source marked as original reporting
CISA KEV Listed in KEV
Patch Patch Available

THE threat brief reports a buffer overflow in the User-ID Authentication Portal (Captive Portal) of PAN-OS, CVE-2026-0300, which allows an unauthenticated attacker to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending crafted packets.

According to Unit 42, there is only limited exploitation observed at present, tracked as CL-STA-1132, a cluster of likely state-sponsored activity that achieved unauthenticated remote code execution and injected shellcode into an nginx worker process. Post‑exploitation activity included deploying tunneling tools such as EarthWorm and ReverseSocks5, AD enumeration using the firewall’s credentials, and log destruction.

Mitigations include restricting access to the User-ID Portal, disabling it if not required, and enabling Threat ID 510019 with PAN‑OS 11.1 or later for customers with Advanced Threat Prevention, with Cortex Xpanse capable of identifying exposed instances. The article notes that Palo Alto Networks has shared findings with the Cyber Threat Alliance and that protections extend across Advanced WildFire, Next‑Generation Firewall, Advanced URL Filtering, Advanced DNS Security, and Cortex Xpanse. according to Unit 42.

View full article

Article by CyberSIXT

Timeline Coverage

Swipe to explore timeline