The threat brief reports a buffer overflow in the User-ID Authentication Portal (Captive Portal) of PAN-OS, tracked as CVE-2026-0300, which allows an unauthenticated attacker who sends crafted packets to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls.
According to Unit 42, only limited exploitation has been observed so far, tracked as CL-STA-1132, a cluster of likely state-sponsored activity that achieved unauthenticated remote code execution and injected shellcode into an nginx worker process. Post-exploitation activity included deploying tunneling tools such as EarthWorm and ReverseSocks5, Active Directory (AD) enumeration using the firewall's credentials, and log destruction.
Mitigations include restricting access to the User-ID Portal, disabling it if it is not required, and, for customers with Advanced Threat Prevention on PAN-OS 11.1 or later, enabling Threat ID 510019; Cortex Xpanse can identify exposed instances. The article notes that Palo Alto Networks has shared its findings with the Cyber Threat Alliance and that protections extend across Advanced WildFire, Next-Generation Firewall, Advanced URL Filtering, Advanced DNS Security, and Cortex Xpanse.