CVE-2026-0300: Unauthenticated Root RCE in PAN-OS Captive Portal Under Active Exploitation

Ishmael Chibvuri, CISM
Cybersecurity Strategist

Palo Alto Networks ships PAN-OS as the operating system for its PA-Series and VM-Series firewalls — the boxes that sit at the perimeter of a substantial fraction of enterprise networks. On May 5, 2026, the company disclosed CVE-2026-0300: a buffer overflow in the User-ID Authentication Portal that lets an unauthenticated attacker execute code as root simply by reaching the portal over the network. CISA added it to the Known Exploited Vulnerabilities catalog within days, and Palo Alto has confirmed exploitation in the wild before patches finished shipping across every supported branch.
TL;DR
- CVE-2026-0300 is a buffer overflow in the User-ID Authentication Portal (aka Captive Portal) service of PAN-OS that lets an unauthenticated attacker execute arbitrary code as root by sending specially crafted packets. CVSS-B 9.3 if the portal is internet-exposed.
- Affects PA-Series and VM-Series firewalls running PAN-OS only when the Captive Portal is enabled. Prisma Access, Cloud NGFW, and Panorama appliances are not affected by this vulnerability.
- Palo Alto Networks has confirmed limited exploitation in the wild targeting Authentication Portal instances exposed to untrusted IP addresses.
- CISA added the bug to the Known Exploited Vulnerabilities catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes or mitigations by May 9, 2026 — before Palo Alto's full patch availability.
- Mitigation: disable Authentication Portal, ACL it to trusted internal subnets only, and hunt for nginx crashes, anomalous Captive Portal POSTs, and Threat ID 510019 hits.
Background
PAN-OS's User-ID feature is the glue between firewall policy and identity. It maps source IPs to usernames so Security policy can act on "who" rather than "where." User-ID gets its identity inputs from a handful of sources — agentless WMI/WinRM probes, the User-ID agent, syslog, XML API, GlobalProtect, and the Authentication Portal, historically known as the Captive Portal.
The Authentication Portal is the workflow that pops up a web login page when an unknown source IP tries to traverse the firewall. It's the equivalent of the hotel Wi-Fi splash screen, but for enterprise traffic. To serve those pages, PAN-OS runs a web stack (an nginx-fronted service) listening on configured Layer 3 interfaces and zones. When that service has to be reachable by clients before they're authenticated, by definition it must accept traffic from anonymous sources.
That "anonymous attack surface on a perimeter firewall" property is exactly what makes CVE-2026-0300 so dangerous. The advisory, published by Palo Alto Networks on May 5, 2026 and updated on May 7, 2026, rates it critical: a flaw in the Authentication Portal (Captive Portal) that lets unauthenticated attackers execute code as root on PA-Series and VM-Series firewalls. There is no MFA in front of it and no credentials to brute-force; the pre-auth code path that parses a client's first request is the vulnerable one.
Palo Alto has been forced into emergency-response posture on perimeter bugs of this shape before (CVE-2024-3400 in GlobalProtect being the most recent gut-punch). The pattern is grimly familiar: a perimeter-exposed parser, a memory-corruption bug, root context, and weeks of in-the-wild exploitation before public disclosure.
Technical breakdown
Where the bug lives
The vulnerable code is in the packet-handling path of the Authentication Portal service. Public reporting describes the defect as a buffer overflow in the service's input parsing: when the portal is enabled, the firewall listens for authentication-related traffic on the configured interfaces, and a malformed packet triggers an out-of-bounds write during input handling.
Two structural details matter:
- Triggering requires no authentication, no user interaction, and no prior session state. The attacker needs only network access to the Captive Portal port on an affected interface; a single crafted request reaches the vulnerable handler.
- The service runs as root. That isn't a side-effect — Authentication Portal needs privileged hooks into the data plane to map IPs to identities in the kernel's session table, which is why an overflow in it yields unauthenticated root code execution on PA-Series and VM-Series firewalls.
The result is the worst-case primitive: pre-auth, network-reachable, root, on the perimeter device that terminates your inbound IPSec, sees your NAT decisions, and holds your decrypted SSL keys.
Affected versions
PAN-OS is unusual in that fixed releases are scattered across multiple maintenance branches. The advisory enumerates fixed builds across the 11.1.x, 11.2.x, and 12.1.x trains:
CVE-2026-0300 affects PA-Series and VM-Series firewalls that are configured to use the User-ID Authentication Portal and run a PAN-OS build earlier than the fixed build for its maintenance line: 12.1.4-h5, 11.2.7-h13, 11.2.10-h6, 11.1.4-h33, 11.1.6-h32, 11.1.10-h25, or 11.1.13-h5.
If you're running a hotfix branch (the -hN suffix), check the exact hotfix number — being on 11.1.6-h31 is not the same as 11.1.6-h32, and the latter is what you need.
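As an added illustration (not from the advisory or from Palo Alto Networks), a small Python check that applies the hotfix-suffix rule above to an inventory of running versions. The fixed-build list is the advisory's; how maintenance releases the advisory does not list are treated (older ones in a listed train as vulnerable, newer ones as fixed) is an assumption, and the portal_enabled flag stands in for the page's "only when the Captive Portal is enabled" condition.

```python
import re
from typing import Tuple

# Fixed builds for CVE-2026-0300 as listed in the advisory.
FIXED_BUILDS = [
    "12.1.4-h5", "11.2.7-h13", "11.2.10-h6",
    "11.1.4-h33", "11.1.6-h32", "11.1.10-h25", "11.1.13-h5",
]

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(v: str) -> Tuple[int, int, int, int]:
    """Split 'MAJOR.MINOR.MAINT[-hN]' into a comparable tuple; no -hN suffix counts as h0."""
    m = _VER_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {v!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def assess(running: str, portal_enabled: bool = True) -> str:
    """Classify a running build against FIXED_BUILDS.

    Returns 'fixed', 'vulnerable', 'unlisted-train' or 'portal-disabled'.
    Assumption (not stated by the advisory): within a listed train, a maintenance
    release newer than the newest fixed one is treated as fixed, and an older
    maintenance release with no listed hotfix is treated as vulnerable.
    """
    if not portal_enabled:
        return "portal-disabled"  # page: only exploitable with the portal enabled
    r = parse_version(running)
    fixed_in_train = [parse_version(f) for f in FIXED_BUILDS
                      if parse_version(f)[:2] == r[:2]]
    if not fixed_in_train:
        return "unlisted-train"  # e.g. a 10.x build: not covered by this list
    for f in fixed_in_train:
        if f[:3] == r[:3]:
            # Same maintenance release: the hotfix number decides (h31 < h32).
            return "fixed" if r[3] >= f[3] else "vulnerable"
    newest = max(fixed_in_train)
    return "fixed" if r[:3] > newest[:3] else "vulnerable"
```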
Attack-chain reasoning
I'd expect the in-the-wild exploit chain to look like this:
- Reconnaissance. Internet-wide scans for PAN-OS Captive Portal fingerprints — distinctive Server: headers, the /php/login.php and /auth-cookie/ paths, and the SAML / certificate-auth response patterns specific to PAN-OS's portal. Shodan/Censys queries for these strings will return a usable target list in minutes.
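The same portal paths that make the portal fingerprintable are what a defender hunts for. As an added example (not from the page or from Palo Alto Networks) serving the TL;DR mitigation bullet and the fingerprints above, a Python triage of portal access-log lines that flags requests from outside the trusted subnets the portal should be ACL'd to, plus POST bursts from a single client. It assumes an nginx combined-style log layout and constructed trusted subnets; the sample lines are constructed, not real telemetry.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# Portal paths the page names as PAN-OS Captive Portal fingerprints.
PORTAL_PATHS = ("/php/login.php", "/auth-cookie/")

# Assumed trusted client subnets (constructed for this example).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]

# Assumes an nginx 'combined'-style access log; the real PAN-OS layout may differ.
_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def triage(lines: List[str], post_burst: int = 5) -> List[Dict[str, str]]:
    """Return one finding per suspicious portal request.

    Reasons: 'untrusted-source' (client outside TRUSTED_NETS hit a portal path)
    and 'post-burst' (one client sent >= post_burst POSTs to portal paths).
    """
    findings: List[Dict[str, str]] = []
    posts: Counter = Counter()
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the hunt
        path = m.group("path").split("?", 1)[0]
        if not path.startswith(PORTAL_PATHS):
            continue
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue  # hostname or garbage in the client field
        if m.group("method") == "POST":
            posts[str(src)] += 1
        if not any(src in net for net in TRUSTED_NETS):
            findings.append({"src": str(src), "path": path,
                             "status": m.group("status"), "reason": "untrusted-source"})
    for src, n in posts.items():
        if n >= post_burst:
            findings.append({"src": src, "path": "*", "status": "-", "reason": "post-burst"})
    return findings


# Constructed sample lines (not real telemetry).
SAMPLE_LOG = [
    '10.1.2.3 - - [05/May/2026:09:00:01 +0000] "GET /php/login.php HTTP/1.1" 200 1342',
    '203.0.113.7 - - [05/May/2026:09:00:05 +0000] "POST /php/login.php HTTP/1.1" 500 0',
    '203.0.113.7 - - [05/May/2026:09:00:06 +0000] "GET /auth-cookie/ HTTP/1.1" 400 0',
    '10.1.2.9 - - [05/May/2026:09:01:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
]
```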