Critical PAN-OS Zero-Day CVE-2026-0300: Unauthenticated Root RCE Hits Exposed Firewalls
CVE-2026-0300: An unauthenticated root RCE vulnerability in the PAN-OS Captive Portal has seen active exploitation since April 9. While CISA mandated remediati…

On May 6, 2026, Palo Alto Networks disclosed CVE-2026-0300, a critical zero-day vulnerability in the PAN-OS User-ID Authentication Portal (Captive Portal) that allows unauthenticated remote code execution (RCE) with root privileges. Unit 42 has confirmed successful exploitation in the wild as early as April 16, following failed attempts first recorded on April 9. Observed post-exploitation activities include log wiping, SOCKS5 tunneling, and Active Directory enumeration. The vulnerability poses a maximum-severity risk to any organization exposing the Captive Portal to the internet. CISA added the flaw to its KEV catalog on May 6, setting a remediation deadline of May 9 for federal agencies—even though a formal patch was not released until May 13.
- A buffer overflow in the User-ID Authentication Portal service allows unauthenticated root RCE for any attacker able to reach the interface via the internet or untrusted IPs.
- Exploitation timeline: Unsuccessful attempts began April 9, with confirmed RCE and shellcode injection on April 16, followed by log cleanup and the deployment of EarthWorm and ReverseSocks5.
- Attackers performed Active Directory enumeration by abusing firewall service account credentials, combined with SOCKS5 tunneling for lateral movement.
- Prisma Access, Cloud NGFW, and Panorama are not affected; the official patch was released on May 13, 2026, one week after the vulnerability was added to the CISA KEV catalog.
The Captive Portal Buffer Overflow: Technical Breakdown
The Unit 42 advisory identifies CVE-2026-0300 as a buffer overflow within the PAN-OS User-ID Authentication Portal, commonly known as the Captive Portal. A remote, unauthenticated attacker can send specially crafted packets to overwrite process memory, executing arbitrary code with root privileges on the firewall. The attack requires no credentials and no user interaction; it only requires that the Captive Portal be reachable from the attacker's location. Palo Alto Networks has assigned the vulnerability a CVSS score of 9.3.
Gaining root access on a firewall grants an attacker total control over the device, allowing them to modify security rules, intercept traffic, redirect sessions, and use the hardware as a pivot point into the internal network. The combination of unauthenticated RCE and maximum privileges makes this zero-day significantly more dangerous than vulnerabilities requiring local user access or partial authentication.
Exploitation Timeline: From Initial Probing to Root Access
The timeline published by Palo Alto Networks tracks the first failed exploitation attempts to April 9, 2026. Seven days later, on April 16, threat actors successfully achieved RCE, injected shellcode, and immediately moved to systematically erase their tracks. Unit 42 documented the removal of kernel crash messages, nginx crash entries, and core dump files. This pattern indicates a deliberate anti-forensics operation rather than an automated or opportunistic exploit script.
"Starting April 9, 2026, there were unsuccessful exploitation attempts against a PAN-OS device. A week later, the attackers successfully achieved RCE against the device and injected shellcode. Following the compromise, the attackers immediately conducted log cleanup to mitigate detection by clearing crash kernel messages, deleting nginx crash entries and nginx crash records, as well as removing crash core dump files." — Unit 42, Palo Alto Networks
The gap of over a month between the first attempt and the public disclosure on May 6 suggests that attackers had ample time to refine their exploits and selectively compromise targets. Palo Alto Networks' reference to "limited exploitation" suggests a targeted campaign rather than widespread, indiscriminate scanning, though the exact number of victims has not been disclosed.
Post-Exploitation: EarthWorm, ReverseSocks5, and Persistence
After achieving root control, attackers deployed open-source tools to maintain connectivity and move laterally. Unit 42 and BleepingComputer confirmed the use of EarthWorm for SOCKS5 tunneling and ReverseSocks5 to create outbound proxies through the compromised firewall. Simultaneously, researchers observed attempts to enumerate Active Directory by exploiting the credentials of the service account assigned to the device. This sequence suggests a focus on reconnaissance and long-term persistence within the target network.
The use of EarthWorm and ReverseSocks5 indicates that the attackers intended to establish a resilient command-and-control (C2) infrastructure. SOCKS5 tunneling allows arbitrary traffic to be encapsulated through the firewall, making detection by DLP systems or traditional enterprise proxies difficult. Furthermore, AD enumeration via the firewall's service account leverages an existing trust relationship, bypassing the need for initial brute-force or phishing phases.
Global Exposure and the CISA Mandate
The attack vector requires the Captive Portal to be exposed to untrusted IP addresses or the public internet. Shadowserver data revealed approximately 2,466 exposed instances in Asia and nearly 1,998 in North America, representing a concentrated but significant global attack surface. On May 6, 2026, CISA added CVE-2026-0300 to the KEV catalog, ordering Federal Civilian Executive Branch (FCEB) agencies to remediate the flaw by May 9. However, because the patch was not released until May 13, agencies faced a multi-day window where they were mandated to mitigate a threat for which no official fix existed.
This incident coincided with the vendor's AI-driven marketing campaign: as Flyingpenguin documented, the "Defender's Guide" was published almost simultaneously with the disclosure. The reality of the zero-day, exploited by human actors using classic post-exploitation techniques, stands in sharp contrast to the vendor's AI narrative, especially since exploitation began a full month before disclosure.
Mitigation and Response Strategy
Given confirmed exploitation and active anti-forensics techniques, security teams must act quickly to secure their perimeters.
- Immediately verify if the Captive Portal is exposed to untrusted IPs or the internet. If so, apply the May 13, 2026 patch or remove exposure within the 72-hour window mandated by CISA for FCEB agencies.
- Conduct threat hunting in PAN-OS logs for anomalous nginx crashes, missing core dumps, or gaps in kernel messages between April 9 and May 13, 2026.
- Rotate credentials for any service accounts used by the firewall for Active Directory or LDAP integration and audit those accounts for unusual login activity.
- Inspect network traffic for SOCKS5 connections or patterns matching EarthWorm and ReverseSocks5, specifically monitoring for unusual outbound sessions from PA-Series or VM-Series firewalls.
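As an added illustration of the log-hunting step above (example code, not from Palo Alto Networks or Unit 42), the Python script below runs two of the checks against a constructed syslog-style sample: a crash record with no core-dump record after it, and an unusually long silence in the kernel message stream inside the April 9 to May 13, 2026 window. The log layout, message text, and thresholds are assumptions made for the example; adapt the markers to the device's real exported logs.

```python
from datetime import datetime, timedelta

# Exploitation window named in the advisory: first attempts April 9, patch May 13, 2026.
WINDOW_START = datetime(2026, 4, 9)
WINDOW_END = datetime(2026, 5, 13, 23, 59, 59)
# Constructed sample log, "ISO-timestamp source message" per line. The layout and every
# message in it are invented for this example; they are NOT real PAN-OS output.
SAMPLE_LOGS = """\
2026-04-07T12:00:00 kernel eth1: link is up
2026-04-09T03:15:40 nginx worker process 2231 exited on signal 11
2026-04-09T03:15:41 kernel nginx[2231]: segfault in worker (error 6)
2026-04-09T03:15:43 kernel core dumped: pid 2231 (nginx)
2026-04-11T08:00:00 kernel eth1: link is up
2026-04-14T08:00:00 kernel eth1: link is up
2026-04-16T09:02:11 nginx worker process 2588 exited on signal 11
2026-04-16T09:02:12 kernel nginx[2588]: segfault in worker (error 6)
2026-04-16T09:40:00 kernel eth2: link is up
2026-05-02T11:00:00 kernel eth1: link is up
"""

def parse(text):
    """Return (timestamp, source, message) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, msg = line.split(" ", 2)
            events.append((datetime.fromisoformat(ts), src, msg))
    return sorted(events)

def orphan_crashes(events, grace=timedelta(minutes=10)):
    """ISO timestamps of in-window crashes with no core-dump record within `grace`.
    A normal crash leaves a dump; a crash without one is a lead that the dump was removed."""
    dumps = [t for t, _, m in events if "core dumped" in m]
    found = []
    for t, _, m in events:
        if not (WINDOW_START <= t <= WINDOW_END and ("segfault" in m or "signal 11" in m)):
            continue
        if found and t - found[-1] <= grace:
            continue  # nginx and kernel report the same crash; count the incident once
        if not any(t <= d <= t + grace for d in dumps):
            found.append(t)
    return [t.isoformat() for t in found]

def kernel_gaps(events, max_gap=timedelta(days=4)):
    """(start, end) pairs where the kernel stream is silent longer than max_gap in the window.
    Kernel messages are sporadic, so a gap is a lead to compare against the device's baseline."""
    kts = [t for t, src, _ in events if src == "kernel"]
    return [(a.isoformat(), b.isoformat()) for a, b in zip(kts, kts[1:])
            if b - a > max_gap and b >= WINDOW_START and a <= WINDOW_END]

print("crashes without core dump:", orphan_crashes(parse(SAMPLE_LOGS)))
print("kernel log gaps:", kernel_gaps(parse(SAMPLE_LOGS)))
```

On the sample, the April 9 crash (the failed attempt) leaves a dump and is not reported, while the April 16 crash has none and the kernel stream then falls silent for over two weeks.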
This incident highlights the inherent fragility of network perimeters that expose authentication portals to the internet. The delay between the first documented RCE on April 16 and the patch release on May 13, coupled with the vendor's marketing timing, underscores the gap between security narratives and operational reality. For defense teams, the takeaway is clear: this zero-day is being leveraged by human operators with advanced forensic awareness, and response times must be measured in hours, not weeks.
Frequently Asked Questions
Why does the Captive Portal present such a large attack surface?
The User-ID Authentication Portal (Captive Portal) processes incoming network packets to authenticate users. When exposed to untrusted traffic, the buffer overflow allows a remote attacker to overwrite memory and execute code with root privileges, completely bypassing the authentication mechanism it is meant to serve.
If logs were deleted, how can a compromise be detected retroactively?
While attackers deleted nginx crash entries and kernel messages, organizations can still look for external indicators of compromise (IoCs): unauthorized use of the firewall’s AD service account, the presence of EarthWorm or ReverseSocks5 files on the filesystem, and SOCKS5 outbound traffic anomalies that do not align with standard policies.
Who is affected by the CISA May 9, 2026 deadline?
The May 9 remediation deadline specifically applied to FCEB federal agencies. While private organizations are not legally bound by this timeline, the severity of the unauthenticated root RCE and the public exposure of the Captive Portal make immediate intervention a priority for all users.
Information has been verified against cited sources and is current as of the date of publication.
Sources
- https://thehackernews.com/2026/05/threatsday-bulletin-pan-os-rce-mythos.html
- https://unit42.paloaltonetworks.com/captive-portal-zero-day/
- https://www.bleepingcomputer.com/news/security/pan-os-firewall-rce-zero-day-exploited-in-attacks-since-april-9/
- https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-actively-exploited-firewall-zero-day/
- https://www.flyingpenguin.com/palo-alto-defenders-guide-refutes-mythos-claim/comment-page-1/