Full Report
Palo Alto Networks warned customers that suspected state-sponsored hackers have been exploiting a critical-severity PAN-OS firewall zero-day vulnerability for nearly a month. [...]
Analysis Summary
# Vulnerability: PAN-OS User-ID Authentication Portal Remote Code Execution
## CVE Details
- **CVE ID:** CVE-2026-0300
- **CVSS Score:** 10.0 (Critical - Estimated based on description)
- **CWE:** CWE-121 (Stack-based Buffer Overflow)
## Affected Systems
- **Products:** Palo Alto Networks PA-Series (Hardware) and VM-Series (Virtual) firewalls.
- **Versions:** Multiple PAN-OS versions (Specific version list pending, but impacts currently active releases).
- **Configurations:** Systems with the **User-ID Authentication Portal** (also known as Captive Portal) enabled and exposed to the internet.
## Vulnerability Description
CVE-2026-0300 is a critical buffer overflow vulnerability within the PAN-OS User-ID Authentication Portal. The flaw allows an unauthenticated, remote attacker to send specially crafted packets to the internal service. Due to improper bounds checking, the attacker can trigger a buffer overflow to execute arbitrary shellcode with **root privileges**, effectively gaining full control over the firewall appliance.
## Exploitation
- **Status:** Exploited in the wild (Zero-day activity since April 9, 2026).
- **Complexity:** Low
- **Attack Vector:** Network (Unauthenticated)
## Impact
- **Confidentiality:** Total (Full access to device memory, logs, and traffic).
- **Integrity:** Total (Ability to modify configurations and delete logs).
- **Availability:** Total (Ability to crash the system or disable networking).
## Remediation
### Patches
- **Scheduled Release:** Expected Wednesday, May 13, 2026.
- *Note: CISA has mandated federal agencies secure these systems by May 9, 2026.*
### Workarounds
- **Secure Access:** Restrict access to the User-ID Authentication Portal to "Trusted Zones" only.
- **Disable Service:** If not required, disable the portal entirely via:
*Device > User Identification > Authentication Portal Settings > uncheck "Enable Authentication Portal".*
- **Block External Traffic:** Ensure that the port used for the Captive Portal is not exposed to the public internet via security policies.
## Detection
- **Indicators of Compromise (IoCs):**
- Presence of open-source tunneling tools: **Earthworm** and **ReverseSocks5**.
- Evidence of log tampering: deletion of `nginx` crash entries and records, and of kernel crash messages (`/var/log/messages`).
- Unexpected removal of crash core dump files.
- **Detection Methods:**
- Monitor for outbound SOCKS5 connections to unknown external IPs.
- Review `User-ID` logs for anomalous unauthenticated traffic patterns hitting the portal.
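A triage script for the indicators above, added here as an example and not taken from the Unit 42 advisory or any Palo Alto tooling. The process-listing and connection-table formats, the tool binary names, the allowlisted host and the sample log lines are all assumptions constructed for the example.

```python
"""Triage helpers for the post-exploitation indicators listed above.
All input formats and sample data below are constructed, not PAN-OS output."""
import ipaddress
import re

# Binary names are assumptions: Earthworm is commonly shipped as `ew`.
TOOL_NAMES = {"ew", "earthworm", "reversesocks5"}
# Hypothetical allowlist of external hosts the firewall legitimately reaches.
KNOWN_EXTERNAL = {"203.0.113.10"}
# Address space treated as internal; anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
# Crash artefacts the page says intruders delete; their absence only means
# something when compared against an earlier snapshot of the same log.
CRASH_MARKERS = ("nginx", "kernel", "core dump")
# Constructed line shape: "tcp <src:port> <dst:port> ESTABLISHED"
CONN_RE = re.compile(r"^tcp\s+\S+\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+ESTABLISHED$")

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def suspicious_processes(ps_lines):
    """Process lines ("<pid> <path> <args>") whose executable is a tunneling tool."""
    hits = []
    for line in ps_lines:
        exe = line.split()[1].rsplit("/", 1)[-1].lower()
        if exe in TOOL_NAMES:
            hits.append(line)
    return hits

def suspicious_connections(conn_lines):
    """Established outbound TCP sessions to external hosts not on the allowlist."""
    hits = []
    for line in conn_lines:
        m = CONN_RE.match(line)
        if m and is_external(m["dst"]) and m["dst"] not in KNOWN_EXTERNAL:
            hits.append((m["dst"], int(m["port"])))
    return hits

def missing_crash_evidence(baseline_lines, current_lines):
    """Crash-related log lines present in an earlier snapshot but gone now."""
    current = set(current_lines)
    return [l for l in baseline_lines
            if any(k in l.lower() for k in CRASH_MARKERS) and l not in current]

# Constructed sample data.
PS = ["1201 /usr/bin/nginx", "1402 /tmp/ew -s rcsocks", "1500 /bin/sh"]
CONNS = ["tcp 10.0.0.5:44120 203.0.113.10:443 ESTABLISHED",
         "tcp 10.0.0.5:51822 198.51.100.77:8888 ESTABLISHED",
         "tcp 10.0.0.5:22 10.0.0.9:60000 ESTABLISHED"]
BASELINE = ["May 10 02:11 fw kernel: nginx[1201]: segfault at 0",
            "May 10 02:12 fw systemd: core dump written for nginx"]
CURRENT = ["May 10 02:10 fw sshd: session opened"]
```

Run the three functions against a live process list, connection table and a retained copy of `/var/log/messages`; an empty result from all three is not proof of a clean device, only the absence of these particular indicators.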
## References
- Palo Alto Networks Unit 42 Advisory: hxxps[://]unit42[.]paloaltonetworks[.]com/captive-portal-zero-day/
- CISA Known Exploited Vulnerabilities Catalog: hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- Shadowserver Statistics: hxxps[://]dashboard[.]shadowserver[.]org/statistics/iot-devices/time-series/