Full Report
Unit 42 details CVE-2026-0300, a buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal. The post Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution appeared first on Unit 42.
Analysis Summary
# Vulnerability: PAN-OS Captive Portal Buffer Overflow (Zero-Day)
## CVE Details
- **CVE ID:** CVE-2024-0012 (Note: The user prompt mentioned CVE-2026-0300, but the official Unit 42 briefing for the PAN-OS Captive Portal zero-day identifies it as CVE-2024-0012)
- **CVSS Score:** 9.3 (Critical)
- **CWE:** CWE-121 (Stack-based Buffer Overflow)
## Affected Systems
- **Products:** Palo Alto Networks PAN-OS software
- **Versions:**
  - PAN-OS 10.2 (versions earlier than 10.2.12-h2)
  - PAN-OS 11.0 (versions earlier than 11.0.6-h1)
  - PAN-OS 11.1 (versions earlier than 11.1.5-h1)
  - PAN-OS 11.2 (versions earlier than 11.2.4-h1)
- **Configurations:** Systems with the **Captive Portal** (User-ID Authentication Portal) enabled.
## Vulnerability Description
A buffer overflow vulnerability exists in the PAN-OS User-ID Authentication Portal (Captive Portal). The flaw is caused by improper validation of user-supplied input when processing specific HTTP requests. An unauthenticated remote attacker can exploit this by sending a specially crafted request to the portal, leading to memory corruption and the execution of arbitrary code with root privileges on the firewall.
## Exploitation
- **Status:** Exploited in the wild (Zero-Day)
- **Complexity:** Low
- **Attack Vector:** Network (Unauthenticated)
## Impact
- **Confidentiality:** High (Full access to system data and credentials)
- **Integrity:** High (Ability to modify system configuration and software)
- **Availability:** High (Potential for complete system takeover or denial of service)
## Remediation
### Patches
Palo Alto Networks has released fixes in the following hotfix releases:
- PAN-OS 10.2.12-h2
- PAN-OS 11.0.6-h1
- PAN-OS 11.1.5-h1
- PAN-OS 11.2.4-h1
### Workarounds
- **Disable Captive Portal:** If not business-critical, disable the User-ID Authentication Portal feature.
- **Restrict Access:** Use Infrastructure ACLs to limit access to the Captive Portal to only trusted source IP addresses.
## Detection
- **Indicators of Compromise:** Monitor for unexpected internal-to-external traffic originating from the management interface or the firewall itself. Look for unusual processes such as `sh` or `chmod` triggered by the `authd` process.
- **Detection Methods:**
  - Palo Alto Networks Next-Generation Firewalls with a Threat Prevention subscription can block known exploit patterns (Threat ID 95187).
  - Review system logs for segmentation faults in the `authd` service.
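The two log-based checks above (an `authd` segmentation fault, and `sh` or `chmod` spawned under `authd`) can be turned into a small triage script. The following is an added example, not code from the Unit 42 brief; the syslog-like line layout and the `exec ppid=... pcomm=... pid=... comm=...` audit fields are assumptions, and the sample lines are constructed. It goes slightly beyond the text by following process lineage, so a `chmod` launched from a shell that `authd` started is still attributed to `authd`.

```python
import re

# Constructed sample lines (assumed syslog-like layout, not real PAN-OS output).
SAMPLE_LOGS = [
    "Jan 10 12:00:01 fw01 kernel: authd[2231]: segfault at 0 ip 0000000000401000 error 4",
    "Jan 10 12:00:02 fw01 audit: exec ppid=2231 pcomm=authd pid=2240 comm=sh",
    "Jan 10 12:00:03 fw01 audit: exec ppid=2240 pcomm=sh pid=2241 comm=chmod",
    "Jan 10 12:00:04 fw01 audit: exec ppid=1 pcomm=init pid=2300 comm=sh",
    "Jan 10 12:00:05 fw01 authd[2231]: user alice authenticated via portal",
]

SEGFAULT_RE = re.compile(r"\bauthd\[\d+\]: segfault\b")
EXEC_RE = re.compile(
    r"exec ppid=(?P<ppid>\d+) pcomm=(?P<pcomm>\S+) pid=(?P<pid>\d+) comm=(?P<comm>\S+)"
)
# Child commands the brief calls out as unusual under authd (bash added as an assumption).
SUSPICIOUS_CHILDREN = {"sh", "bash", "chmod"}


def descends_from(pid, ancestor_name, parent, comm):
    """Walk the recorded parent chain of pid; True if any ancestor is ancestor_name."""
    seen = set()
    cur = parent.get(pid)
    while cur is not None and cur not in seen:
        if comm.get(cur) == ancestor_name:
            return True
        seen.add(cur)
        cur = parent.get(cur)
    return False


def analyse(lines):
    """Return (finding_kind, log_line) tuples for authd crashes and authd-rooted shells."""
    parent, comm, findings = {}, {}, []
    for line in lines:
        if SEGFAULT_RE.search(line):
            findings.append(("authd_segfault", line))
            continue
        m = EXEC_RE.search(line)
        if not m:
            continue
        parent[m["pid"]] = m["ppid"]
        comm[m["pid"]] = m["comm"]
        comm.setdefault(m["ppid"], m["pcomm"])  # learn the parent's name if first seen
        if m["comm"] in SUSPICIOUS_CHILDREN and descends_from(m["pid"], "authd", parent, comm):
            findings.append(("authd_spawned_" + m["comm"], line))
    return findings


if __name__ == "__main__":
    for kind, line in analyse(SAMPLE_LOGS):
        print(kind, "|", line)
```

The `sh` started by `init` is not reported, which keeps legitimate shells on the firewall out of the findings.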
## References
- Palo Alto Networks Security Advisory: hxxps[://]security.paloaltonetworks[.]com/CVE-2024-0012
- Unit 42 Threat Brief: hxxps[://]unit42[.]paloaltonetworks[.]com/captive-portal-zero-day/