Critical Unauthenticated RCE in Palo Alto PAN‑OS Captive Portal (CVE‑2026‑0300) Threatens Enterprise Firewalls
What It Is – A buffer‑overflow flaw (CVE‑2026‑0300) in the User‑ID Authentication Portal (Captive Portal) of Palo Alto Networks PAN‑OS lets an unauthenticated remote attacker execute arbitrary code as root on PA‑Series and VM‑Series firewalls. No credentials or user interaction are required; the attacker only needs network reachability to the portal listener.
Exploitability – Exploitation is limited but confirmed, attributed to a likely state‑sponsored group tracked as CL‑STA‑1132. Proof‑of‑concept exploit traffic has been released publicly, so broader exploitation should be expected. CVSS v3.1 base score 9.8 (Critical).
Affected Products – PAN‑OS 9.1 and later running on PA‑Series hardware firewalls and VM‑Series virtual firewalls. Prisma Access, Cloud NGFW, and Panorama appliances are not affected.
TPRM Impact – Any third party that relies on Palo Alto Networks firewalls for perimeter security, remote access, or segmentation is a third‑party (supply‑chain) risk to your organisation. Where the Captive Portal is reachable from the internet or from untrusted networks, an attacker who compromises the firewall controls the device that enforces the vendor's segmentation: they can pivot to internal systems, harvest Active Directory credentials, and erase forensic evidence on the firewall itself.
Recommended Actions –
- Immediately remove the User‑ID Authentication Portal from any interface reachable from the internet or untrusted networks: disable the portal where it is not needed, otherwise restrict it to trusted source addresses. Treat this as a stop‑gap, not a fix.
- Upgrade every PA‑Series and VM‑Series device to the fixed PAN‑OS release named in the Palo Alto Networks advisory for its release train; verify the running version after the upgrade rather than relying on the change ticket.
- Use an external attack‑surface inventory (e.g. Cortex Xpanse) to enumerate internet‑reachable portals and confirm that each one has been patched or locked down.
- Review firewall system, traffic and configuration logs for signs of EarthWorm/ReverseSocks5 tunnelling (for example, outbound connections initiated by the firewall itself to unknown hosts) and for gaps or tampering in the logs, since the actor is reported to erase evidence.
- Engage Palo Alto Networks Unit 42 Incident Response for a compromise assessment if exploitation is suspected, and rotate any credentials the firewall could have exposed (including Active Directory service accounts used by User‑ID) until the device is cleared.
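The inventory and verification steps above come down to two checks per device: is the Captive Portal listener reachable from an untrusted interface, and is the running PAN‑OS release at or beyond the fixed build for its train. The Python below is an added example (not code from the Unit 42 advisory or from Palo Alto Networks) that performs both checks offline over a constructed inventory. It assumes the PAN‑OS version format `major.minor.maint[-hN]`, the `model:` / `sw-version:` lines of `show system info`, and the Captive Portal listener ports 6080–6082; the `FIXED_BY_TRAIN` table is a placeholder and must be replaced with the fixed releases from the vendor advisory.

```python
"""Triage helper for CVE-2026-0300 exposure across a PAN-OS fleet.

Added example, not code from the Unit 42 advisory or Palo Alto Networks.
Assumptions (replace before real use):
  * FIXED_BY_TRAIN is a placeholder; take fixed releases from the advisory.
  * The inventory below is constructed; a real run would pull model,
    sw-version and interface/zone data from Panorama or each device's API.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Ports the User-ID Authentication (Captive) Portal listens on in PAN-OS.
CAPTIVE_PORTAL_PORTS = {6080, 6081, 6082}

# Placeholder: first fixed release per train (assumption, not advisory data).
FIXED_BY_TRAIN = {"10.1": "10.1.99", "10.2": "10.2.99", "11.1": "11.1.99"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> tuple[int, int, int, int]:
    """'10.2.4-h4' -> (10, 2, 4, 4); a release with no hotfix gets hotfix 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def train_of(version: str) -> str:
    major, minor, _, _ = parse_panos_version(version)
    return f"{major}.{minor}"


def is_fixed(version: str, fixed_by_train: dict[str, str]) -> bool | None:
    """True if `version` is at or beyond its train's fixed release,
    False if it is older, None if the train is not in the table."""
    fixed = fixed_by_train.get(train_of(version))
    if fixed is None:
        return None
    return parse_panos_version(version) >= parse_panos_version(fixed)


def parse_show_system_info(text: str) -> dict[str, str]:
    """Parse the 'key: value' lines of PAN-OS 'show system info' output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


@dataclass
class Device:
    name: str
    model: str      # e.g. "PA-3220", "VM-300", "M-200" (Panorama)
    version: str    # PAN-OS sw-version
    # TCP ports reachable on an internet/untrusted-facing interface
    untrusted_listeners: set[int] = field(default_factory=set)


def triage(dev: Device, fixed_by_train: dict[str, str] = FIXED_BY_TRAIN) -> str:
    """Priority label: in scope means PA/VM-Series on PAN-OS 9.1 or later."""
    in_scope = (dev.model.startswith(("PA-", "VM-"))
                and parse_panos_version(dev.version)[:2] >= (9, 1))
    if not in_scope:
        return "not-affected"
    exposed = bool(dev.untrusted_listeners & CAPTIVE_PORTAL_PORTS)
    fixed = is_fixed(dev.version, fixed_by_train)
    if fixed is None:
        return "P1-unknown-train-exposed" if exposed else "P2-unknown-train"
    if not fixed:
        return "P1-vulnerable-exposed" if exposed else "P2-vulnerable"
    return "P3-patched-but-exposed" if exposed else "OK-patched"


# Constructed sample of the relevant 'show system info' lines.
SAMPLE_SHOW_SYSTEM_INFO = """\
hostname: edge-fw-1
model: PA-3220
sw-version: 10.2.4-h4
"""


def demo() -> dict[str, str]:
    """Triage a constructed five-device fleet; returns {name: priority}."""
    info = parse_show_system_info(SAMPLE_SHOW_SYSTEM_INFO)
    fleet = [
        Device(info["hostname"], info["model"], info["sw-version"], {443, 6082}),
        Device("dc-fw-2", "VM-300", "10.2.99", {6081}),
        Device("core-fw-3", "PA-5220", "11.1.2", set()),
        Device("legacy-fw-4", "PA-500", "8.1.21", {6080}),
        Device("panorama", "M-200", "10.2.4", set()),
    ]
    return {d.name: triage(d) for d in fleet}


if __name__ == "__main__":
    for name, prio in sorted(demo().items(), key=lambda kv: kv[1]):
        print(f"{prio:<28} {name}")
```

The hotfix component is compared numerically, so a device on `10.2.4` reads as older than a fixed build of `10.2.4-h2`; that distinction is where patch‑status reports most often go wrong. A patched device whose portal is still reachable from an untrusted zone is kept as P3 rather than "OK", because the exposure of an authentication listener to the internet is a finding on its own.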
Source: Palo Alto Unit 42 – Captive Portal Zero‑Day Advisory