Full Report
A vulnerability has been discovered in the PAN-OS Authentication Portal (aka Captive Portal) service that could allow for remote code execution. PAN-OS is the operating system that runs Palo Alto Networks next-generation firewalls. Successful exploitation could allow an unauthenticated remote attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.
Analysis Summary
# Vulnerability: PAN-OS Authentication Portal Remote Code Execution
## CVE Details
- **CVE ID:** CVE-2026-0300
- **CVSS Score:** Not explicitly listed (Assessed as **CRITICAL** / Alert level: Guarded)
- **CWE:** CWE-121 (Stack-based Buffer Overflow)
## Affected Systems
- **Products:** Palo Alto Networks PA-Series (Hardware) and VM-Series (Virtual) firewalls.
- **Versions:**
  - PAN-OS 12.1 < 12.1.4-h5 and < 12.1.7
  - PAN-OS 11.2 < 11.2.4-h17, < 11.2.7-h13, < 11.2.10-h6, and < 11.2.12
  - PAN-OS 11.1 < 11.1.4-h33, < 11.1.6-h32, < 11.1.7-h6, < 11.1.10-h25, < 11.1.13-h5, and < 11.1.15
  - PAN-OS 10.2 < 10.2.7-h34, < 10.2.10-h36, < 10.2.13-h21, < 10.2.16-h7, and < 10.2.18-h6
- **Configurations:** Systems running the User-ID™ Authentication Portal (Captive Portal) service, specifically those exposed to untrusted IP addresses or the public internet.
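The version list above mixes hotfix builds (e.g. 11.2.4-h17) with plain maintenance releases (e.g. 11.2.12), so a naive string comparison will misclassify devices. The following inventory check is an added example, not code from the vendor or the advisory; it assumes the usual reading of such lists: a version is fixed if it is at or above a listed hotfix on the same maintenance line, or at or above a listed plain maintenance release, and anything else on a covered train is treated as affected.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed releases exactly as listed in the Affected Systems section, keyed by release train.
FIXED_VERSIONS: Dict[str, list] = {
    "12.1": ["12.1.4-h5", "12.1.7"],
    "11.2": ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15"],
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6"],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(s: str) -> Tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR.MAINT[-hN]' into (major, minor, maint, hotfix); no hotfix counts as h0."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {s!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_affected(version: str) -> Optional[bool]:
    """True if the version is affected, False if fixed, None if its train is not in the advisory.

    Assumption (conservative): a maintenance release the advisory does not list, e.g. 10.2.19,
    is reported as affected; confirm such cases against the vendor advisory.
    """
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(f"{v[0]}.{v[1]}")
    if fixed is None:
        return None
    for f in (parse_version(x) for x in fixed):
        if f[3] == 0 and v[2] >= f[2]:
            return False  # at or beyond a plain fixed maintenance release
        if f[3] > 0 and v[2] == f[2] and v[3] >= f[3]:
            return False  # same maintenance line, hotfix at or above the fixed one
    return True


def triage(inventory: Dict[str, str]) -> Dict[str, Optional[bool]]:
    """Map hostname -> affected status for a {hostname: version} inventory."""
    return {host: is_affected(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = {"fw-edge-1": "11.2.4-h16", "fw-edge-2": "11.2.4-h17", "fw-dc-1": "12.1.6", "fw-lab": "9.1.0"}
    for host, status in triage(sample).items():
        print(f"{host}: {'AFFECTED' if status else 'fixed' if status is False else 'not covered'}")
```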
## Vulnerability Description
A buffer overflow vulnerability exists in the PAN-OS Authentication Portal service. The flaw is triggered when the service processes specially crafted packets sent by an unauthenticated user. Because the service runs with high privileges, successful exploitation allows the attacker to bypass authentication and execute arbitrary code with **root privileges** on the underlying operating system.
## Exploitation
- **Status:** Exploited in the wild (Limited exploitation observed targeting internet-exposed portals).
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Full access to system data and credentials)
- **Integrity:** High (Ability to modify system configurations and firmware)
- **Availability:** High (Potential for complete system takeover or denial of service)
## Remediation
### Patches
Palo Alto Networks has scheduled patches for release starting **May 13, 2026**. Users should monitor the vendor advisory for the specific maintenance releases and hotfixes listed in the affected versions section (e.g., 12.1.7, 11.2.12, 11.1.15).
### Workarounds
- **Restrict Access:** Limit access to the User-ID™ Authentication Portal to only trusted internal source IP addresses/zones.
- **Disable Service:** If the Captive Portal/Authentication Portal is not required for business operations, disable the service entirely to close the attack vector.
## Detection
- **Indicators of Compromise:** Monitor network logs for unusual traffic targeting the Authentication Portal. Check for unauthorized root-level process execution or modifications to system files.
- **Detection methods:** Use automated vulnerability scanners (SCAP-compliant) to identify unpatched versions. Review firewall system logs for crashes or segmentation faults in the Authentication Portal (Captive Portal) process, which may indicate attempts to deliver the crafted packets.
## References
- Palo Alto Networks Security Advisory: hxxps://security[.]paloaltonetworks[.]com/CVE-2026-0300
- CVE Record: hxxps://www[.]cve[.]org/CVERecord?id=CVE-2026-0300
- MITRE ATT&CK: Tactics TA0001 (Initial Access) and Technique T1190 (Exploit Public-Facing Application)