Palo Alto Networks Zero-Day: PAN-OS Vulnerability Grants Attackers Root Perimeter Control
CVE-2026-0300 enables unauthenticated root RCE on PAN-OS firewalls. With CISA mandating mitigation within three days, we analyze the exploit mechanism and the…

On May 6, 2026, Palo Alto Networks released an advisory for CVE-2026-0300, a critical buffer overflow vulnerability within the PAN-OS User-ID Authentication Portal—commonly known as the Captive Portal. The flaw allows a remote, unauthenticated attacker to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by transmitting specially crafted packets. The urgency of this alert is underscored by a Unit 42 investigation, which identified a targeted campaign active since at least April 9. This campaign involves data exfiltration via open-source tools and meticulous log tampering designed to bypass standard detection systems.
- Unit 42 observed limited exploitation starting April 9, 2026; following initial failed attempts, the first successful RCE was documented on April 16.
- Threat actors systematically cleared system logs and core dumps before deploying EarthWorm and ReverseSocks5 to establish tunnels into internal networks.
- CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on May 6, 2026, setting a May 9 deadline for federal agency mitigation.
- Prisma Access, Cloud NGFW, and Panorama are not affected; the initial patch rollout is scheduled for May 13, 2026.
Technical Breakdown: The Captive Portal Buffer Overflow
"A buffer overflow vulnerability in the User-ID Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets through network traffic." This description from the Unit 42 threat brief defines the severity: zero credentials required and total system compromise. The attack occurs at the network level, requiring no human interaction from the victim.
Affected versions include PAN-OS 11.2, 11.1, and 10.2 in specific builds prior to the scheduled patches. Prisma Access, Cloud NGFW, and Panorama remain unaffected. The vulnerability carries a CVSS score of 9.3 when the portal is exposed to the internet or untrusted networks, dropping slightly to 8.7 if access is restricted to trusted internal IPs—a distinction that clarifies the exposure perimeter without diminishing the urgency of the threat.
"This vulnerability is specific to a limited number of customers with their User-ID Authentication Portal (Captive Portal) exposed to the public internet or untrusted IP addresses," a Palo Alto Networks spokesperson told The Hacker News. This limitation narrows the attack surface to a specific subset of devices, though the risk remains absolute for any exposed installation.
Campaign Analysis: Tracking CL-STA-1132
Unit 42 reconstructed a timeline of limited exploitation beginning April 9, 2026, marked by failed attempts against target infrastructure. Successful RCE was confirmed one week later, on April 16. "We are aware of only limited exploitation of CVE-2026-0300 at this time," the research team stated, currently ruling out mass-scanning or worm-like propagation.
On April 29, 2026, attackers executed a SAML flood to force a secondary device into an "Active" state, subsequently achieving RCE on the new target. This maneuver indicates that the objective was not merely the firewall itself, but the entire identity trust ecosystem it manages. It remains unclear whether the vulnerability was discovered during the campaign investigation or if it was known prior to the April attacks; current evidence from primary sources is inconclusive on this point.
The attribution or national origin of the group identified as CL-STA-1132 has not been confirmed. Furthermore, it is currently unknown if public proof-of-concept exploits exist or if the exploit is being traded on underground markets—variables that make it difficult to predict how quickly the risk may escalate in the coming days.
Stealth Tactics and Open-Source Post-Exploitation
Following successful RCE, the operators demonstrated high operational restraint by deleting kernel crash messages, nginx entries, and core dumps to maintain a low-noise persistence. Command sessions were intermittent, likely calibrated to remain below the detection thresholds of standard endpoint monitoring and extend the duration of the intrusion.
Internal pivoting did not rely on proprietary malware. On April 29, 2026, Unit 42 documented the deployment of EarthWorm and ReverseSocks5 on a second compromised device. Both are open-source SOCKS v5 tunneling tools that are difficult to classify as inherently malicious in environments lacking rigorous control over unsigned binaries. Active Directory enumeration followed, utilizing the firewall’s own service credentials to exploit identity trust from the perimeter.
The reliance on legitimate, public tools shifts the defensive paradigm. Detecting this activity requires moving beyond known malware signatures toward monitoring anomalous process behavior, unexpected SOCKS connections, and unauthorized log access by service accounts. In this scenario, the firewall serves as both the point of entry and the primary staging ground for lateral movement.
Mitigation and Risk Reduction
- Immediately restrict Captive Portal access to trusted zones or known internal IP addresses, eliminating direct exposure to the internet or untrusted networks until patches are released on May 13, 2026.
- Disable the User-ID Authentication Portal service if it is not business-critical; deactivating the service entirely removes the attack surface associated with CVE-2026-0300.
- Closely monitor system logs for anomalous deletions of kernel crash messages, nginx entries, or core dumps; such deletions are anti-forensic indicators consistent with the observed post-exploitation activity.
- Inspect and, if possible, force a reset of service credentials used by the firewall for Active Directory integration to prevent a perimeter compromise from bridging into the corporate domain.
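As an added example (not from the article, Unit 42 or Palo Alto Networks), the following Python sketches the evidence-shrinkage check behind the log-monitoring recommendation above. It assumes a collector that periodically records, per firewall, the kernel crash log and nginx log line counts, the number of core dump files and whether the device reported a log rotation; the Snapshot fields and sample values are constructed for this example and are not a PAN-OS log format.

```python
"""Flag intervals where firewall evidence shrank without a legitimate reason."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    ts: str              # collection time, ISO-8601 (constructed format)
    host: str
    kernel_lines: int    # lines in the kernel crash/message log
    nginx_lines: int     # lines in the nginx logs
    core_dumps: int      # core dump files present on disk
    rotated: bool        # device reported a log rotation in this interval


def detect_shrinkage(snapshots):
    """Return one finding per evidence source that shrank between consecutive
    snapshots of the same host. Line counts drop legitimately when logs rotate,
    so they are only flagged when no rotation was reported; core dump files are
    never rotated away, so any decrease is flagged for review."""
    by_host = {}
    for s in sorted(snapshots, key=lambda s: (s.host, s.ts)):
        by_host.setdefault(s.host, []).append(s)
    findings = []
    for host, series in by_host.items():
        for prev, cur in zip(series, series[1:]):
            if cur.core_dumps < prev.core_dumps:
                findings.append({"host": host, "ts": cur.ts, "source": "core_dumps",
                                 "before": prev.core_dumps, "after": cur.core_dumps})
            if cur.rotated:
                continue  # benign reset of line counts
            for field in ("kernel_lines", "nginx_lines"):
                before, after = getattr(prev, field), getattr(cur, field)
                if after < before:
                    findings.append({"host": host, "ts": cur.ts, "source": field,
                                     "before": before, "after": after})
    return findings


# Constructed sample: fw-edge-01 rotates logs at 06:00 (benign), then at 12:00
# every source drops to zero with no rotation reported; fw-edge-02 only grows.
SAMPLE = [
    Snapshot("2026-04-16T00:00Z", "fw-edge-01", 1000, 5000, 1, False),
    Snapshot("2026-04-16T03:00Z", "fw-edge-01", 1200, 6500, 2, False),
    Snapshot("2026-04-16T06:00Z", "fw-edge-01", 50, 120, 2, True),
    Snapshot("2026-04-16T12:00Z", "fw-edge-01", 0, 0, 0, False),
    Snapshot("2026-04-16T00:00Z", "fw-edge-02", 800, 4000, 0, False),
    Snapshot("2026-04-16T12:00Z", "fw-edge-02", 950, 4700, 0, False),
]

if __name__ == "__main__":
    for finding in detect_shrinkage(SAMPLE):
        print(finding)
```

Running the block prints three findings for fw-edge-01 at 12:00 and none for fw-edge-02; the 06:00 drop is suppressed because the device reported a rotation.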
Beyond the Perimeter
The CL-STA-1132 campaign demonstrates that edge firewalls, regardless of their robustness, are high-value targets for lateral movement when they manage internal identities and trust. By leveraging open-source tools and meticulous log maintenance, attackers are prioritizing operational discipline over technological sophistication. This shifts the burden of defense from simple prevention to rapid response and rigorous internal traffic segmentation. If the perimeter fails, the network must be engineered to distrust even the devices meant to protect it.
Frequently Asked Questions
Which PAN-OS versions are at risk?
Reports identify PAN-OS 11.2, 11.1, and 10.2 in specific builds prior to the upcoming patches. Prisma Access, Cloud NGFW, and Panorama are confirmed to be outside the scope of this risk.
Is this a mass-automated attack?
No. Palo Alto Networks and Unit 42 have characterized the activity as limited and targeted, with initial attempts on April 9, 2026, and the first successful RCE on April 16. There is currently no evidence of worm-like propagation.
Is a patch available now?
No. Patches are scheduled for release on May 13, 2026. Current mitigation strategies rely on restricting Captive Portal access to trusted networks or disabling the service entirely.
Information has been verified against cited sources and is current as of the time of publication.