Exploitation of PAN-OS Captive Portal Zero-Day (CVE-2026-0300) for Unauthenticated Remote Code Execution
Executive Summary
On May 6, 2026, Palo Alto Networks disclosed CVE-2026-0300, a critical buffer overflow vulnerability in the User-ID™ Authentication Portal (Captive Portal) service of PAN-OS software. This flaw allows unauthenticated attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending specially crafted packets. Limited exploitation has been observed, with attackers deploying tools like EarthWorm and ReverseSocks5, conducting Active Directory enumeration, and systematically erasing logs to conceal their activities. (unit42.paloaltonetworks.com)
This incident underscores the escalating trend of state-sponsored actors targeting edge-network devices to gain privileged access. The use of publicly available tools and meticulous operational tactics highlights the need for organizations to secure their network perimeters and implement robust monitoring to detect and mitigate such sophisticated threats. (unit42.paloaltonetworks.com)
Why This Matters Now
The active exploitation of CVE-2026-0300 by state-sponsored actors emphasizes the urgent need for organizations to secure their User-ID Authentication Portals and monitor for signs of compromise. Immediate action is required to mitigate the risk of unauthorized access and potential data breaches. (unit42.paloaltonetworks.com)
Attack Path Analysis
An unauthenticated attacker exploited a buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal to achieve remote code execution with root privileges. Post-exploitation, the attacker deployed tunneling tools and conducted Active Directory enumeration using credentials likely obtained from the compromised firewall. The attacker established command and control channels using tools like EarthWorm and ReverseSocks5. Data exfiltration specifics are not detailed in the available information. The attacker systematically destroyed logs and other evidence to cover their tracks.
Kill Chain Progression
Initial Compromise
Description
An unauthenticated attacker exploited a buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal to achieve remote code execution with root privileges.
Related CVEs
CVE-2026-0300
CVSS 9.3A buffer overflow vulnerability in the User-ID™ Authentication Portal of Palo Alto Networks PAN-OS software allows unauthenticated remote attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls.
Affected Products:
Palo Alto Networks PAN-OS – < 12.1.4-h5, < 12.1.7, < 11.2.4-h17, < 11.2.7-h13, < 11.2.10-h6, < 11.2.12, < 11.1.4-h33, < 11.1.6-h32, < 11.1.7-h6, < 11.1.10-h25, < 11.1.13-h5, < 11.1.15, < 10.2.7-h34, < 10.2.10-h36, < 10.2.13-h21, < 10.2.16-h7, < 10.2.18-h6
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter: Unix Shell
Protocol Tunneling
Account Discovery: Domain Account
Indicator Removal: File Deletion
Indicator Removal: Clear Windows Event Logs
Proxy
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Asset Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
State-sponsored exploitation of PAN-OS zero-day threatens critical financial infrastructure through unauthenticated remote code execution, enabling data exfiltration and lateral movement across banking networks.
Government Administration
CVE-2026-0300 exploitation by nation-state actors poses severe risks to government networks, allowing root-level compromise of firewall infrastructure and systematic evidence destruction capabilities.
Health Care / Life Sciences
Zero-day firewall vulnerability enables state-sponsored attackers to bypass HIPAA compliance controls, compromise patient data through encrypted traffic inspection, and establish persistent network access.
Telecommunications
Edge network infrastructure vulnerability allows sophisticated threat actors to exploit telecommunications firewalls, enabling traffic interception, lateral movement, and compromise of critical communication services.
Sources
- Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Executionhttps://unit42.paloaltonetworks.com/captive-portal-zero-day/Verified
- CVE-2026-0300 PAN-OS: Unauthenticated user initiated Buffer Overflow Vulnerability in User-ID™ Authentication Portalhttps://security.paloaltonetworks.com/CVE-2026-0300Verified
- State-backed hackers hammer Palo Alto firewall zero-day before patch landshttps://www.theregister.com/cyber-crime/2026/05/07/state-backed-hackers-hammer-palo-alto-firewall-zero-day-before-patch-lands/5234737Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit the buffer overflow vulnerability may have been constrained by CNSF's embedded security controls, potentially reducing the likelihood of successful remote code execution.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges may have been limited by Zero Trust Segmentation, potentially reducing the scope of access even after initial compromise.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally and enumerate Active Directory may have been constrained by East-West Traffic Security, potentially reducing unauthorized internal reconnaissance.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels may have been limited by Multicloud Visibility & Control, potentially reducing unauthorized external communications.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate data may have been constrained by Egress Security & Policy Enforcement, potentially reducing unauthorized data transfers.
The attacker's ability to destroy logs and cover their tracks may have been limited, potentially preserving forensic evidence for incident response.
Impact at a Glance
Affected Business Functions
- Network Security Operations
- Firewall Management
- Incident Response
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of network configurations, security policies, and user authentication data.
Recommended Actions
Key Takeaways & Next Steps
- • Restrict access to the User-ID Authentication Portal to trusted internal IP addresses to mitigate unauthorized access.
- • Implement Zero Trust Segmentation to limit lateral movement within the network.
- • Deploy East-West Traffic Security controls to monitor and restrict internal traffic flows.
- • Utilize Multicloud Visibility & Control tools to detect and respond to anomalous activities across cloud environments.
- • Enforce Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
