CVE-2026-0300 — a critical buffer overflow in the Palo Alto Networks PAN-OS User-ID Authentication Portal, also known as the Captive Portal — allows an unauthenticated remote attacker to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls. CISA added the flaw to its Known Exploited Vulnerabilities catalog on May 6, 2026. No patch is available yet; the first wave of fixes arrives approximately May 13. Internet-exposed firewalls with the portal enabled should be treated as potentially compromised until the workaround is confirmed applied or the patch is in place.
CVE-2026-0300: Technical Details
CVE-2026-0300 (Common Vulnerabilities and Exposures identifier 2026-0300 — a unique tracking number assigned by MITRE to this specific flaw) is a buffer overflow (also called an out-of-bounds write — a class of memory corruption bug where a program writes beyond the boundary of an allocated memory region, allowing an attacker to overwrite adjacent memory, hijack control flow, and redirect execution to attacker-supplied code) in the User-ID Authentication Portal service of Palo Alto Networks PAN-OS.
PAN-OS is the operating system powering PA-Series hardware firewalls and VM-Series virtual firewalls — two of the most widely deployed enterprise perimeter security products in the world. The User-ID Authentication Portal (Captive Portal) is a web-based service designed to intercept unauthenticated traffic and prompt users to authenticate before being granted network access. Because the portal is reachable by design without credentials — it exists specifically to serve unauthenticated users — its packet-parsing code represents a high-value attack surface.
The CVSS v4.0 score (Common Vulnerability Scoring System version 4.0 — an industry-standard metric that rates vulnerability severity from 0.0 to 10.0) is 9.3 Critical when the portal is accessible from the internet or any untrusted network, and 8.7 High when access is restricted to trusted internal addresses only. A score of 9.3 indicates the vulnerability is remotely exploitable, requires no authentication, no user interaction, and produces full system compromise upon successful exploitation.
An unauthenticated attacker sends specially crafted packets to the portal. The buffer overflow corrupts memory in the service process, which runs with root privileges. With root access, the attacker controls the firewall's operating system entirely — able to read all traffic passing through it, create persistent backdoors, and use the device as a pivot point into the protected network.
Rapid7's emergency threat response confirms the flaw is an out-of-bounds write in the portal's packet-parsing logic. Unit 42 — Palo Alto Networks' own threat intelligence team — observed attackers deploying EarthWorm (a network tunneling tool widely used for covert post-exploitation pivoting) and ReverseSocks5 (a reverse SOCKS5 proxy tool that routes attacker command-and-control traffic through a compromised host) after gaining initial access. This tooling is consistent with well-resourced actors seeking persistent, durable access rather than opportunistic reconnaissance.
Affected versions — all PA-Series and VM-Series firewalls running PAN-OS prior to:
First patch wave (~May 13, 2026):
- PAN-OS 12.1 before 12.1.4-h5
- PAN-OS 11.2 before 11.2.7-h13, 11.2.10-h6
- PAN-OS 11.1 before 11.1.4-h33, 11.1.6-h32, 11.1.10-h25, 11.1.13-h5
- PAN-OS 10.2 before 10.2.10-h36
Second patch wave (~May 28, 2026):
- PAN-OS 12.1 before 12.1.7
- PAN-OS 11.2 before 11.2.4-h17, 11.2.12
- PAN-OS 11.1 before 11.1.7-h6, 11.1.15
- PAN-OS 10.2 before 10.2.7-h34, 10.2.13-h21, 10.2.16-h7
Not affected: Prisma Access, Cloud NGFW, and Panorama appliances are confirmed unaffected.
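The version list above is awkward to apply by hand across a fleet, because a fix is specific to one maintenance release and its hotfix number (11.1.6-h31 is vulnerable, 11.1.6-h32 is fixed, and 11.1.7 waits for the second wave). The following added example is not Palo Alto Networks tooling: it transcribes the fixed releases from both patch waves into a table and classifies a running PAN-OS version string as fixed, vulnerable or unknown. The hostnames and versions in the sample inventory are constructed. A maintenance release the list does not name is reported as unknown rather than guessed at, so the operator checks the vendor advisory instead of assuming safety.

```python
"""Assess PAN-OS version strings against the fixed releases named in this advisory.

Added example, not Palo Alto Networks tooling. FIXED_RELEASES is transcribed
from the version table above; the inventory at the bottom is constructed data.
"""
import re
from typing import Dict, List, Tuple

# Fixed releases from both patch waves listed above, one entry per maintenance release.
FIXED_RELEASES = [
    "12.1.4-h5", "12.1.7",
    "11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12",
    "11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15",
    "10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7",
]

# PAN-OS version syntax: major.minor.maintenance with an optional -h<N> hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, maintenance, hotfix); a release without a hotfix suffix is hotfix 0."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = match.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def assess(running: str) -> str:
    """Classify a running version as 'fixed', 'vulnerable' or 'unknown'.

    The version is compared only against the fixed hotfix of its own maintenance
    release. Maintenance releases the advisory does not name return 'unknown'
    rather than a guess.
    """
    run = parse_version(running)
    for fixed in FIXED_RELEASES:
        fix = parse_version(fixed)
        if fix[:3] == run[:3]:
            return "fixed" if run[3] >= fix[3] else "vulnerable"
    return "unknown"


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (hostname, version) pair to its verdict; unparseable strings are reported, not skipped."""
    report = {}
    for host, version in inventory:
        try:
            report[host] = assess(version)
        except ValueError as exc:
            report[host] = f"error: {exc}"
    return report


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = [
        ("fw-edge-01", "11.1.6-h31"),
        ("fw-edge-02", "11.1.6-h32"),
        ("fw-dc-01", "10.2.10"),
        ("fw-lab-01", "11.1.8"),
        ("fw-old-01", "9.1.x"),
    ]
    for host, verdict in triage(sample).items():
        print(f"{host:12} {verdict}")
```

Feed it the output of a device inventory export and treat every "vulnerable" and "unknown" entry as in scope for the access restriction and signature steps described below; the version check says nothing about whether the portal is enabled, which still has to be confirmed per device.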
Exploitation Status and Threat Landscape
CISA (the U.S. Cybersecurity and Infrastructure Security Agency) added CVE-2026-0300 to its Known Exploited Vulnerabilities (KEV) catalog on May 6, 2026. KEV inclusion means CISA has confirmed real-world exploitation in the wild — the catalog is reserved for vulnerabilities with verified active attacks, not theoretical risks. Federal civilian agencies are typically required to remediate KEV entries within defined deadlines, and private sector organisations should treat KEV listings as a definitive signal to prioritise remediation.
Palo Alto Networks describes exploitation as "limited" but targeting internet-exposed User-ID Authentication Portals. BleepingComputer and The Hacker News both confirmed active exploitation in their initial reporting. Unit 42's observation of EarthWorm and ReverseSocks5 in post-exploitation activity indicates attackers are not simply scanning and moving on — they are establishing persistent command-and-control infrastructure inside compromised firewall hosts.
No public PoC (Proof-of-Concept — working exploit code shared publicly that anyone can use to reproduce or launch the attack) has been confirmed as released at the time of writing. The absence of a public PoC currently limits exploitation to actors who independently discovered or acquired the exploit. That constraint evaporates the moment a PoC is published, which historically follows within days to weeks of a high-profile zero-day disclosure.
MITRE ATT&CK categorises the initial access technique as T1190 — Exploit Public-Facing Application (a standardised technique identifier for attacks against internet-accessible services). The post-exploitation tunneling observed with EarthWorm and ReverseSocks5 aligns with T1572 — Protocol Tunneling (using an application protocol to conceal command-and-control communications inside legitimate-looking traffic).
Who Is Affected
Any organisation running PA-Series or VM-Series firewalls with PAN-OS where the User-ID Authentication Portal is enabled and reachable from untrusted networks or the public internet is within the immediate risk window. The risk is highest — CVSS 9.3 — for internet-exposed deployments, and remains significant at CVSS 8.7 for deployments where the portal is reachable from internal networks but not restricted to trusted IP ranges.
Wiz's analysis highlights broad exposure across enterprise, government, financial services, healthcare, and critical infrastructure sectors, which are the primary deployers of PA-Series hardware. Palo Alto Networks is one of the largest enterprise firewall vendors globally, meaning the exposed population is large.
Prisma Access (Palo Alto's cloud-delivered SASE platform) and Cloud NGFW (managed cloud firewall-as-a-service) are confirmed unaffected — this vulnerability lives in the on-premises PAN-OS firmware only.
What You Should Do Right Now
- Identify exposure immediately. In the PAN-OS management console, navigate to Device > User Identification > Authentication Portal Settings. Confirm whether the portal is enabled and whether it is accessible from untrusted networks or the internet.
- Restrict portal access if you cannot disable it. Limit the User-ID Authentication Portal to trusted internal IP address ranges only. This reduces your effective CVSS exposure score from 9.3 to 8.7 and eliminates the attack vector for remote, internet-based exploitation while you await the patch.
- Disable the portal entirely if it is not required. If your organisation does not rely on Captive Portal for user identity enforcement, turn it off until the patch is available. This removes the attack surface completely.
- Apply the Threat Prevention signature immediately. For firewalls running PAN-OS 11.1 or above, Palo Alto released a dedicated Threat Prevention signature on May 5, 2026, that detects and blocks CVE-2026-0300 exploit attempts. Enable it in your active threat prevention profile now.
- Plan patch deployment for the May 13 window. Monitor the official security advisory for your specific PAN-OS version. First-wave patches arrive approximately May 13, 2026; second-wave patches follow around May 28. Schedule emergency change windows accordingly.
- Hunt for post-exploitation indicators. If your firewall was internet-exposed before mitigations were applied, investigate for signs of compromise: unusual outbound tunneling connections (particularly SOCKS5), EarthWorm or ReverseSocks5 process artifacts, anomalous DNS beaconing from the firewall host itself, or unexpected authentication events originating from the firewall.
# Zeek conn.log, default TSV layout: field 3 = id.orig_h, field 6 = id.resp_p, field 8 = service.
# List connections that originate from the firewall management IP and go to a SOCKS port or carry Zeek's socks service label
# (a plain grep for "1080" would also match timestamps and byte counts). Replace <firewall_mgmt_ip> with your device's address.
awk -F'\t' '$3 == "<firewall_mgmt_ip>" && ($6 == 1080 || $6 == 1081 || $8 == "socks")' /path/to/zeek/conn.log
# PAN-OS CLI: review authentication-related system log entries
> show log system direction equal forward subtype equal auth
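The hunting indicators listed above (outbound SOCKS5-style tunnels and periodic beaconing from the firewall host) can be checked more carefully than a single grep allows. The following added example is not Palo Alto Networks or Unit 42 tooling. It parses a Zeek conn.log extract using the #fields header, flags outbound connections from the firewall to SOCKS ports or with Zeek's socks service label, and goes beyond the port check with a generic beaconing heuristic: destinations the firewall contacts at near-constant intervals, which covers the DNS beaconing case as well when udp/53 rows are present. The log lines are constructed sample data, and the firewall IP and internal address ranges are assumptions to be replaced with your own.

```python
"""Hunt a Zeek conn.log for tunnelling and beaconing indicators from a firewall host.

Added example, not vendor tooling. The log extract below is constructed; the
firewall IP and internal ranges are assumptions.
"""
import ipaddress
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

FIREWALL_IP = "10.0.0.1"  # assumed management IP of the firewall under investigation
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SOCKS_PORTS = {1080, 1081}


def _row(*cols: str) -> str:
    return "\t".join(cols)


# Constructed conn.log extract in Zeek's default TSV layout (subset of columns).
SAMPLE_CONN_LOG = "\n".join([
    _row("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service", "duration"),
    _row("1715000000.10", "C1", "10.0.0.1", "51000", "203.0.113.5", "1080", "tcp", "socks", "3600.0"),
    _row("1715000001.00", "C2", "10.0.0.1", "40000", "10.0.5.20", "514", "udp", "syslog", "0.1"),
    _row("1715000000.00", "C3", "10.0.0.1", "52001", "198.51.100.9", "443", "tcp", "ssl", "1.2"),
    _row("1715000060.00", "C4", "10.0.0.1", "52002", "198.51.100.9", "443", "tcp", "ssl", "1.1"),
    _row("1715000120.00", "C5", "10.0.0.1", "52003", "198.51.100.9", "443", "tcp", "ssl", "1.3"),
    _row("1715000180.00", "C6", "10.0.0.1", "52004", "198.51.100.9", "443", "tcp", "ssl", "1.2"),
    _row("1715000200.00", "C7", "10.0.0.1", "51001", "203.0.113.5", "1081", "tcp", "-", "1800.0"),
    _row("1715000210.00", "C8", "10.0.2.7", "51002", "203.0.113.5", "1080", "tcp", "socks", "5.0"),
    _row("1715000010.00", "C9", "10.0.0.1", "53001", "192.0.2.44", "443", "tcp", "ssl", "2.0"),
    _row("1715000015.00", "C10", "10.0.0.1", "53002", "192.0.2.44", "443", "tcp", "ssl", "2.0"),
    _row("1715000315.00", "C11", "10.0.0.1", "53003", "192.0.2.44", "443", "tcp", "ssl", "2.0"),
    _row("1715000327.00", "C12", "10.0.0.1", "53004", "192.0.2.44", "443", "tcp", "ssl", "2.0"),
])


def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Parse Zeek TSV output using its #fields header, so column order is not hard-coded."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split("\t")
            if not fields or len(values) != len(fields):
                raise ValueError(f"malformed conn.log line: {line!r}")
            rows.append(dict(zip(fields, values)))
    return rows


def is_external(ip: str) -> bool:
    """Anything outside the configured internal ranges counts as external."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def outbound_from(rows, firewall_ip):
    return [r for r in rows if r["id.orig_h"] == firewall_ip and is_external(r["id.resp_h"])]


def socks_tunnel_hits(rows, firewall_ip=FIREWALL_IP) -> List[str]:
    """UIDs of outbound connections from the firewall to SOCKS ports or labelled socks by Zeek."""
    return [r["uid"] for r in outbound_from(rows, firewall_ip)
            if int(r["id.resp_p"]) in SOCKS_PORTS or r.get("service") == "socks"]


def beacon_candidates(rows, firewall_ip=FIREWALL_IP, min_conns=4, max_jitter=0.2) -> Dict[Tuple[str, int], float]:
    """Destinations the firewall contacts at near-constant intervals (dst -> mean gap in seconds).

    Jitter is the population stddev of inter-connection gaps divided by the mean gap;
    a low value is the regular heartbeat that tunnel and C2 clients produce.
    """
    times = defaultdict(list)
    for r in outbound_from(rows, firewall_ip):
        times[(r["id.resp_h"], int(r["id.resp_p"]))].append(float(r["ts"]))
    found = {}
    for dst, ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            found[dst] = round(mean, 1)
    return found


if __name__ == "__main__":
    conns = parse_conn_log(SAMPLE_CONN_LOG)
    print("SOCKS-style outbound from firewall:", socks_tunnel_hits(conns))
    print("Beacon candidates (dst -> mean interval s):", beacon_candidates(conns))
```

On the sample data the SOCKS check returns C1 and C7 and the beacon check returns the 60-second heartbeat to 198.51.100.9:443, while the irregular connections to 192.0.2.44 are ignored. Point `parse_conn_log` at a real conn.log and tune `min_conns` and `max_jitter` to your environment; the firewall's own legitimate periodic traffic (update checks, log forwarding to an external collector) will also show up as regular, so allow-list those destinations rather than loosening the thresholds.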
Background: Understanding the Risk
Palo Alto Networks PAN-OS firewalls occupy a uniquely sensitive position in enterprise architecture. They sit at the network perimeter, processing all inbound and outbound traffic. An attacker who achieves root code execution on a firewall does not merely compromise a single server — they compromise the inspection point for an entire network segment. They can modify routing, mirror traffic, disable logging, and move laterally into protected internal zones with full trust context. This is why firewall zero-days consistently draw the attention of nation-state actors.
The User-ID Authentication Portal attack surface is particularly notable. The portal's sole purpose is to receive and process traffic from unauthenticated users — making it reachable by any internet host if exposed publicly. This is an inherently high-risk design position: any parsing bug in a service that must accept input from the entire internet without pre-screening is a candidate for pre-authentication exploitation.
This is not the first critical pre-authentication zero-day in PAN-OS. CVE-2024-3400 — a command injection vulnerability in the GlobalProtect feature rated CVSS 10.0 — was exploited by a state-sponsored threat actor (tracked as UTA0218) before the patch was available in 2024. The parallels to CVE-2026-0300 are direct: a pre-auth, network-facing component with a critical memory safety bug, exploited before vendors can patch. Security teams operating PA-Series infrastructure should maintain a standing process for rapid Threat Prevention signature deployment and portal-service access restriction as a first-line response to any PAN-OS zero-day advisory.
The presence of EarthWorm and ReverseSocks5 in Unit 42's observed post-exploitation is a tradecraft indicator. Both tools are common in the arsenals of nation-state-affiliated APT groups — particularly those focused on long-term, low-noise persistence rather than immediately visible ransomware or data exfiltration. If your organisation is in a targeted sector (government, defence, critical infrastructure, financial services), treat this as a potential targeted intrusion rather than commodity opportunism.
Conclusion
CVE-2026-0300 is a confirmed, actively exploited zero-day in Palo Alto PAN-OS that grants unauthenticated root-level code execution through the User-ID Authentication Portal. CISA's KEV listing on May 6, 2026, confirms real attacks. The single most important step right now is verifying whether your portal is internet-exposed and, if so, restricting or disabling it immediately — patches are not available until May 13 at the earliest. Treat any internet-exposed PA-Series device that has not had the portal disabled or restricted as potentially compromised.
For any query contact us at contact@cipherssecurity.com

