PAN-OS Captive Portal Zero-Day: CVE-2026-0300 Exploited in Root-Level RCE Attacks

  • Critical Vulnerability: CVE-2026-0300 is a buffer overflow in the PAN-OS Captive Portal service, facilitating unauthenticated remote code execution (RCE) with root privileges.
  • Active Exploitation: Palo Alto Networks confirmed initial attack attempts began on April 9, 2026, with successful compromises identified approximately one week later.
  • Stealth Tactics: The threat actor, designated CL-STA-1132, utilized open-source tools such as EarthWorm and aggressive log-cleansing techniques to bypass detection.
  • Affected Scope: The vulnerability is limited to PA-Series and VM-Series firewalls; Prisma Access and Panorama remain unaffected.

On May 6, 2026, Palo Alto Networks issued a critical security advisory regarding a zero-day vulnerability in its PAN-OS operating system. The flaw, tracked as CVE-2026-0300, is located within the User-ID Authentication Portal service, commonly known as the Captive Portal.

As this component manages user authentication across enterprise networks, its exposure presents a significant risk to organizations utilizing PA-Series hardware or VM-Series virtual instances. The severity of the flaw is underscored by the fact that it allows for unauthenticated arbitrary code execution.

An attacker can trigger a buffer overflow by transmitting specially crafted network packets, ultimately gaining root privileges on the device. This level of access grants total control over the firewall, enabling traffic manipulation and the establishment of persistent tunnels into the protected internal network.

"A buffer overflow vulnerability in the User-ID Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets through network traffic."

Incident Timeline and Attack Dynamics

Investigations conducted by Unit 42 have established a precise timeline based on evidence recovered during incident response. The earliest zero-day exploitation attempts were detected on April 9, 2026. During this initial phase, recorded activity consisted of failed attempts against targeted devices.

According to vendor data, attackers achieved operational success roughly one week after their first attempts. At this stage, they achieved remote code execution (RCE) and injected shellcode directly into the Captive Portal process. This breakthrough allowed the threat actors to move from external reconnaissance to compromise of the operating system itself.

On April 29, 2026, even more sophisticated activity was recorded: a SAML flood attack. This technique was used to force a failover in high-availability (HA) configurations, promoting a standby device to "Active" status. Once traffic migrated to the new node, attackers exploited CVE-2026-0300 again to compromise the secondary firewall.

"Starting April 9, 2026, there were unsuccessful exploitation attempts against a PAN-OS device. A week later, the attackers successfully achieved RCE against the device and injected shellcode."

Technical Summary: Vulnerability and Perimeter

CVE-2026-0300 is a buffer overflow affecting the User-ID Authentication Portal (Captive Portal) service. While specific technical details regarding packet handling remain non-public, the vendor has confirmed that specifically formatted data can hijack the execution flow to run arbitrary shellcode.

Because execution occurs with maximum system privileges (root), the flaw effectively bypasses every security boundary between the attacker and the PAN-OS core. Despite the severity of the flaw, Palo Alto Networks has clearly defined the perimeter of affected systems.

The vendor confirmed that Prisma Access, Cloud NGFW, and the Panorama management system are not impacted by this specific vulnerability. This distinction is vital for administrators, who must prioritize mitigation on on-premises and cloud-hosted deployments of physical (PA-Series) or virtual (VM-Series) firewalls.

Post-Exploitation Tactics: CL-STA-1132

The actor behind this campaign, internally identified as CL-STA-1132, demonstrated significant operational discipline during post-exploitation. Rather than deploying complex proprietary malware, the group opted for legitimate open-source tools—a move that drastically reduces the efficacy of signature-based security solutions.

Unit 42 documented the use of tools like EarthWorm and ReverseSocks5 to establish encrypted tunnels and facilitate lateral movement. After seizing control of the firewall, CL-STA-1132 utilized the device's service account credentials to communicate with Active Directory, enabling massive enumeration of domain users and groups directly from the network perimeter.

Analysis of log-cleansing operations further highlights the group's tactical awareness. The attackers systematically deleted kernel crash messages and nginx service crash entries. They also cleared generated core dumps, making it exceptionally difficult for defenders to reconstruct the timeline without advanced telemetry external to the device.

"The reliance of the attackers behind CL-STA-1132 on open-source tooling, rather than proprietary malware, minimized signature-based detection and facilitated seamless environment integration."

Mitigation and Defensive Response

Organizations should immediately verify whether the Captive Portal service is enabled on their PA-Series or VM-Series firewalls. The primary recommendation is to disable the User-ID Authentication Portal if it is not strictly required for business operations. This immediately closes the primary attack vector for CVE-2026-0300.

If the portal must remain active, access should be restricted to trusted internal network segments via rigorous security policies. This restriction prevents external actors from reaching the vulnerable service, confining the risk to potential internal threats or actors already present on the network.

For those with Advanced Threat Prevention licenses, verifying the activation of specific protections is essential. Palo Alto Networks has released Threat ID 510019 for PAN-OS 11.1 and later, which is designed to detect and block exploit attempts related to this flaw. Ensuring security content databases are up to date is imperative.

Finally, retroactive threat hunting is necessary. Security teams should search for indicators of compromise (IoCs), such as files associated with EarthWorm or ReverseSocks5. System log anomalies, specifically gaps in nginx or kernel entries occurring from April 9, 2026, onward, should be treated as potential signs of intrusion.
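As an added example (not from the advisory or from Unit 42's tooling): a Python hunt over constructed, syslog-style sample lines that flags the two artifacts described above, silent stretches in nginx or kernel logging beginning on or after April 9, 2026, and service restarts with no surviving crash record. The line layout, source names and crash keywords are assumptions; adapt them to exported PAN-OS system logs.

```python
from datetime import datetime, timedelta

# Constructed sample log in a generic "date time source: message" layout (an assumption,
# not the real PAN-OS log format). One nginx restart keeps its crash record, one does not.
SAMPLE_LOG = """\
2026-04-08 23:55:01 kernel: audit: session opened for admin
2026-04-08 23:58:10 nginx: worker process started
2026-04-09 00:12:03 nginx: GET /portal/login 200
2026-04-09 03:29:50 nginx: worker process 1234 exited on signal 11
2026-04-09 03:30:05 nginx: worker process started
2026-04-09 03:30:17 kernel: eth1: link is up
2026-04-09 03:31:02 nginx: GET /portal/login 200
2026-04-11 02:05:00 nginx: worker process started
2026-04-11 02:06:30 kernel: audit: config commit by admin
"""
CAMPAIGN_START = datetime(2026, 4, 9)   # earliest exploitation attempts per the advisory
CRASH_WORDS = ("segfault", "core dumped", "exited on signal", "crash")  # assumed keywords

def parse_log(text):
    """Parse lines into (timestamp, source, message) tuples."""
    entries = []
    for raw in text.strip().splitlines():
        stamp = datetime.strptime(raw[:19], "%Y-%m-%d %H:%M:%S")
        source, _, message = raw[20:].partition(": ")
        entries.append((stamp, source, message))
    return entries

def find_gaps(entries, source, max_gap=timedelta(hours=6)):
    """Silent stretches longer than max_gap in one source that end on/after CAMPAIGN_START."""
    stamps = sorted(ts for ts, src, _ in entries if src == source)
    return [(a, b) for a, b in zip(stamps, stamps[1:])
            if b - a > max_gap and b >= CAMPAIGN_START]

def restarts_without_crash(entries, source="nginx", window=timedelta(minutes=10)):
    """Restarts of a service with no crash record shortly before them (heuristic for a cleaned log)."""
    crashes = [ts for ts, src, msg in entries if src == source and any(w in msg for w in CRASH_WORDS)]
    suspicious = []
    for ts, src, msg in entries:
        if src == source and "process started" in msg and ts >= CAMPAIGN_START:
            if not any(timedelta(0) <= ts - c <= window for c in crashes):
                suspicious.append(ts)
    return suspicious

if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print({s: find_gaps(log, s) for s in ("nginx", "kernel")}, restarts_without_crash(log))
```

On the sample data both sources go quiet from the afternoon of April 9 until April 11, and the April 11 nginx restart has no crash entry behind it, while the April 9 restart is preceded by a signal-11 record and is not flagged.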

Editorial Analysis: The Security Paradox

The CVE-2026-0300 incident highlights the inherent vulnerability of security appliances themselves. When a firewall is compromised via unauthenticated root access, it is not just a single barrier that falls; an entire ecosystem of trust is violated. The firewall ceases to be a defender and becomes a facilitator for the attacker.

The use of SAML flooding to manipulate high-availability systems demonstrates that attackers have moved beyond simple code execution. Subverting redundancy architectures to maintain persistence is a tactical evolution that reveals a deep understanding of enterprise defense mechanisms.

The strategy employed by CL-STA-1132, centered on open-source tooling, underscores the inadequacy of purely perimeter-based defense. In the absence of an immediate software patch at the time of disclosure, the burden of security shifts to monitoring capabilities. Firewall security can no longer be taken for granted; it must be constantly audited.

In conclusion, managing this zero-day requires remediation that extends beyond simple signature updates. Impacted organizations must assume that service credentials used by the firewalls are compromised. Only a systematic verification of log integrity and a comprehensive rotation of secrets can ensure that the actor has not established silent points of persistence.

Information has been verified against cited sources and is current as of the time of publication.
