Full Report
The vendor hasn’t released a patch for the vulnerability or described the scope and objective of confirmed attacks. The post A critical Palo Alto PAN-OS zero-day is being exploited in the wild appeared first on CyberScoop.
Analysis Summary
# Vulnerability: Palo Alto PAN-OS Memory Corruption in Captive Portal
## CVE Details
- **CVE ID:** CVE-2026-0300
- **CVSS Score:** 9.3 (Critical)
- **CWE:** CWE-121 (Stack-based Buffer Overflow) / Memory Corruption
## Affected Systems
- **Products:** Palo Alto Networks PA-Series (Hardware) and VM-Series (Virtual) firewalls.
- **Versions:** PAN-OS releases on which the User-ID Authentication Portal (Captive Portal) is enabled; consult the vendor advisory for the exact affected version ranges.
- **Configurations:** Systems are vulnerable if the **User-ID Authentication Portal (Captive Portal)** is exposed to the public internet or untrusted IP addresses.
- **Not Impacted:** Cloud NGFW and Panorama appliances are confirmed NOT affected.
## Vulnerability Description
CVE-2026-0300 is a critical memory corruption (buffer overflow) vulnerability in the authentication portal of PAN-OS. The flaw allows an unauthenticated remote attacker to execute arbitrary code with **root privileges** on the targeted firewall. Because no authentication is required to reach the vulnerable code, successful exploitation amounts to a complete compromise of the device's security functions.
## Exploitation
- **Status:** **Exploited in the wild.** CISA has added this to the Known Exploited Vulnerabilities (KEV) catalog.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Full access to system and decrypted traffic)
- **Integrity:** High (Ability to modify firewall rules and system files)
- **Availability:** High (Ability to crash the service or brick the device)
## Remediation
### Patches
- **Status:** Not yet released.
- **Timeline:** Palo Alto Networks expects to release the first set of software fixes on **May 13, 2026**.
### Workarounds
- **Restrict Access:** Limit access to the User-ID Authentication Portal (Captive Portal) to trusted internal IP addresses only.
- **Disable Feature:** If not strictly required for business operations, disable the Captive Portal feature entirely until a patch is applied.
- **Network Segmentation:** Ensure management interfaces and authentication portals are not exposed to the public internet.
## Detection
- **Indicators of Compromise:** The vendor has not yet released specific IoCs (hashes/IPs).
- **Detection methods:**
  - Monitor for unusual administrative activity or unrecognized root-level processes.
  - Inspect logs for crashes in the authentication portal processes.
  - Use Shadowserver or similar scanning tools to verify whether VM-Series instances are publicly exposed.
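The two checks a defender can act on right away are the **Restrict Access** workaround above (is the portal actually reachable only from trusted networks?) and the **Detection** advice to look for crashes of the portal process. The script below is an added example written for this report; it is not code from Palo Alto Networks or from the CyberScoop article. The log line format, the `authportal` component name, the trusted network ranges and the sample lines are all constructed for the example and are not PAN-OS syslog. It flags portal connections from outside an allowlist and counts portal crash events, which together give a first triage signal on a device that cannot yet be patched.

```python
"""Added triage example (not from the advisory or from Palo Alto Networks).

Two signals from the Workarounds and Detection sections are checked:
  1. Authentication-portal connections from addresses outside a trusted
     allowlist, i.e. the portal is reachable from untrusted networks.
  2. Repeated crashes of the portal process, the kind of side effect a
     memory-corruption bug produces when it is being triggered.
The log format used here is CONSTRUCTED for this example; it is not PAN-OS syslog.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# Constructed allowlist: the only networks that should reach the portal.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.0/24")]

# Constructed sample log: "<timestamp> <component> <event> key=value ...".
SAMPLE_LOG = """\
2026-05-01T10:00:01Z authportal connect src=10.20.30.40 status=200
2026-05-01T10:00:05Z authportal connect src=198.51.100.23 status=200
2026-05-01T10:00:06Z authportal crash pid=4211 signal=SIGSEGV
2026-05-01T10:00:07Z authportal restart pid=4288
2026-05-01T10:00:09Z authportal connect src=198.51.100.23 status=500
2026-05-01T10:00:10Z authportal crash pid=4288 signal=SIGSEGV
2026-05-01T10:00:12Z mgmt login user=admin src=192.168.1.5 result=ok
2026-05-01T10:00:13Z authportal connect src=192.168.1.77 status=200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<component>\S+)\s+(?P<event>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed log line into fields; empty dict if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return {}
    record = {"ts": m["ts"], "component": m["component"], "event": m["event"]}
    record.update(dict(KV_RE.findall(m["rest"])))
    return record


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every non-empty, well-formed line of the log text."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def is_trusted(ip: str, trusted: Iterable) -> bool:
    """True if ip is inside any allowlisted network; malformed addresses count as untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def untrusted_portal_sources(records, trusted=TRUSTED_NETWORKS) -> List[str]:
    """Portal client addresses outside the allowlist, each listed once, sorted."""
    hits = {
        r["src"]
        for r in records
        if r["component"] == "authportal" and r["event"] == "connect"
        and "src" in r and not is_trusted(r["src"], trusted)
    }
    return sorted(hits)


def portal_crash_count(records) -> int:
    """Number of crash events logged by the portal process."""
    return sum(1 for r in records if r["component"] == "authportal" and r["event"] == "crash")


def triage(text: str, crash_threshold: int = 2) -> Dict[str, object]:
    """Summarise both signals and emit an alert string for each one that fires."""
    records = parse_log(text)
    untrusted = untrusted_portal_sources(records)
    crashes = portal_crash_count(records)
    alerts = []
    if untrusted:
        alerts.append(f"portal reachable from untrusted sources: {', '.join(untrusted)}")
    if crashes >= crash_threshold:
        alerts.append(f"{crashes} portal crashes; review for exploitation attempts")
    return {"untrusted_sources": untrusted, "crash_count": crashes, "alerts": alerts}


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG)["alerts"]:
        print("ALERT:", alert)
```

On the sample data the script reports one untrusted client (198.51.100.23) and two portal crashes. Against a real deployment the parser would have to be replaced with one for the device's actual log format, and the allowlist populated from the address objects the Captive Portal policy is supposed to permit; the crash threshold is deliberately low because a single unexplained crash of a pre-authentication service on an internet-facing firewall is already worth a look.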
## References
- **Vendor Advisory:** hxxps[://]security[.]paloaltonetworks[.]com/CVE-2026-0300
- **CISA KEV Catalog:** hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- **Original Report:** hxxps[://]cyberscoop[.]com/palo-alto-networks-pan-os-firewall-zero-day-vulnerability-exploited/