Critical PAN-OS Zero-Day Vulnerability Under Active Exploitation: CVE-2026-0300 Enables Unauthenticated RCE
Breaking News: Zero-Day in PAN-OS Captive Portal Actively Exploited
Unit 42 researchers have uncovered a critical zero-day vulnerability, tracked as CVE-2026-0300, in the PAN-OS User-ID Authentication Portal (Captive Portal). The flaw allows unauthenticated remote code execution (RCE) on affected Palo Alto Networks firewalls. Multiple active exploitation attempts have been detected in the wild.

“This is a buffer overflow vulnerability in the Captive Portal component that requires no authentication to trigger,” said a Unit 42 analyst. “An attacker can send a specially crafted request to the User-ID Authentication Portal and achieve full control of the device.”
Urgent Advisory for All PAN-OS Customers
Palo Alto Networks has issued a security advisory urging immediate action. All organizations running PAN-OS with Captive Portal enabled should apply the emergency fix as soon as possible. The vendor has released hotfixes for the affected versions, though specific version numbers were not disclosed in the original threat brief.
“We recommend treating this as a zero-day emergency,” said a Palo Alto Networks spokesperson. “Attackers are actively scanning for vulnerable portals. Delay in patching could lead to full network compromise.”
Background: What Is CVE-2026-0300?
CVE-2026-0300 is a buffer overflow vulnerability in the User-ID Authentication Portal, which is part of the PAN-OS Captive Portal feature. The Captive Portal is used for network access control, often deployed at perimeter firewalls to authenticate users before granting network access.
- Affected component: User-ID Authentication Portal (Captive Portal).
- Attack vector: Network-based, unauthenticated.
- Impact: Remote code execution with root privileges on the firewall.
- Current status: Active exploitation has been confirmed by Unit 42.
Unit 42’s investigation revealed that the vulnerability stems from improper input validation when the portal handles authentication requests. An attacker who triggers the buffer overflow can corrupt memory and redirect execution to code of their choosing, which is what makes the flaw a full remote code execution issue rather than a crash.
What This Means for Enterprises
Any organization using a Palo Alto Networks firewall with Captive Portal or User-ID Authentication enabled is at risk. Because the exploit requires no credentials, it can be triggered by any external attacker who can reach the captive portal interface.
“If your firewall has Captive Portal exposed to the internet, you are in the crosshairs,” warned a cybersecurity expert from Unit 42. “The operational impact of a compromised firewall includes data exfiltration, lateral movement, and persistent backdoor access to the entire network.”

- Immediate risk: Full device compromise – threat actors can disable security controls, steal VPN credentials, and pivot into internal networks.
- Long-term risk: Backdoor installation – once inside, attackers often maintain persistence through modified firmware or cron jobs.
- Regulatory risk: Breach of sensitive data due to firewall bypass may lead to compliance violations (GDPR, HIPAA, PCI-DSS).
Unit 42 advises all organizations to verify whether their PAN-OS version is patched and to review firewall logs for suspicious Captive Portal traffic. Indicators of compromise (IOCs) related to this exploit are being shared with customers.
Steps to Mitigate the Threat
Palo Alto Networks has provided the following mitigation steps (as of the original Unit 42 article):
- Apply the emergency hotfix for PAN-OS available through the support portal.
- If immediate patching is not possible, disable the Captive Portal feature temporarily.
- Restrict access to the Captive Portal interface with ACLs so that only trusted source IP ranges can reach it; the portal should never be reachable from arbitrary internet addresses.
- Monitor for abnormal process execution on the firewall using PAN-OS logs.
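As an added illustration of the last two workarounds (not code from the Unit 42 brief or from Palo Alto Networks), the following Python script triages constructed portal access records: it emulates the source-IP ACL and flags authentication POSTs far larger than any legitimate login, the shape a buffer-overflow attempt against request handling tends to take. The record format, trusted ranges, portal paths and size threshold are all assumptions; the real PAN-OS log export has a different layout, so only parse_log() would need adapting.

```python
"""Triage captive-portal access records: emulate the source ACL and flag oversized logins."""
import ipaddress
from dataclasses import dataclass, field

# Assumed trusted ranges: the only networks that should ever reach the portal.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.100.0/24")]

# Legitimate login submissions carry a username, password and a few form fields.
# A body far larger than that is worth a look when the suspected flaw is a buffer
# overflow in request handling. The threshold is an assumption; tune it to your portal.
MAX_EXPECTED_BODY_BYTES = 2048


@dataclass
class PortalRequest:
    src_ip: str
    method: str
    path: str
    body_bytes: int


@dataclass
class Finding:
    request: PortalRequest
    reasons: list = field(default_factory=list)


# Constructed sample records in a simplified "src_ip method path body_bytes" layout.
# This is NOT the PAN-OS log format; adapt parse_log() to the export you actually have.
SAMPLE_LOG = """\
10.20.30.40 POST /portal/login 312
203.0.113.7 POST /portal/login 48211
192.168.100.5 GET /portal/ 0
198.51.100.23 GET /portal/ 0
10.20.30.41 POST /portal/login 61440
"""


def parse_log(text: str) -> list:
    """Parse the constructed record format into PortalRequest objects."""
    requests = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src_ip, method, path, body = line.split()
        requests.append(PortalRequest(src_ip, method, path, int(body)))
    return requests


def is_trusted(src_ip: str) -> bool:
    """Emulate the ACL: permit only sources inside TRUSTED_NETWORKS."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def triage(requests: list) -> list:
    """Return one Finding per request that the ACL would drop or that looks anomalous.

    Both checks are applied independently: a host inside a trusted range can still
    send an oversized login, so the ACL alone is not a substitute for log review.
    """
    findings = []
    for req in requests:
        reasons = []
        if not is_trusted(req.src_ip):
            reasons.append("untrusted_source")            # ACL would have dropped this
        if req.method == "POST" and req.body_bytes > MAX_EXPECTED_BODY_BYTES:
            reasons.append("oversized_auth_request")      # anomaly even from a trusted host
        if reasons:
            findings.append(Finding(req, reasons))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_log(SAMPLE_LOG)):
        r = finding.request
        print(f"{r.src_ip:15} {r.method:4} {r.path:14} {r.body_bytes:>6}  {', '.join(finding.reasons)}")
```

Run against the constructed records, the script reports the two internet-sourced hits that the ACL should have blocked and a 60 KB login POST from an internal host that the ACL alone would have let through; that last case is why the monitoring step stays on the list even after the ACL is in place.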
“Every hour counts,” the Unit 42 analyst emphasized. “We have seen ransomware groups actively targeting firewall vulnerabilities in the past. This one is no different.”
Conclusion
CVE-2026-0300 represents a severe threat to network security due to its unauthenticated nature and the privileged position of firewalls. Organizations must act immediately to apply patches or implement workarounds. Unit 42 continues to monitor the situation and will update the threat brief as new information emerges.
For more details, refer to the original Unit 42 Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day.