Overview of the Vulnerability
Unit 42 researchers have reported a critical zero-day vulnerability, tracked as CVE-2026-0300, in Palo Alto Networks' PAN-OS. The flaw lies in the User-ID authentication portal, the web-based login page that PAN-OS 10.0 and later calls Authentication Portal and earlier releases call Captive Portal. It is a buffer overflow that an unauthenticated attacker can trigger to achieve remote code execution (RCE) on the firewall. Because exploitation needs no credentials and yields control of the device itself, any organization running PAN-OS with the captive portal feature enabled should treat this as requiring immediate attention.

Technical Breakdown: Buffer Overflow in User-ID Authentication Portal
CVE-2026-0300 is a buffer overflow in the captive portal component of PAN-OS. A buffer overflow occurs when a program writes more data into a fixed-size buffer than it was allocated to hold, so the excess spills into adjacent memory. In a network service that adjacent memory can include other variables, saved registers, function pointers or a saved return address, which is what turns a missing length check into code execution: the attacker sends a request whose field is longer than the buffer expecting it, overwrites that control data with chosen values, and redirects execution to code or gadgets of their choosing. No prior authentication is needed, so the bug is most dangerous on internet-facing firewalls and on devices that expose the captive portal to untrusted clients, such as guest networks.
The User-ID authentication portal handles interactive user logins and maps client IP addresses to usernames for policy enforcement. Exploiting the flaw gives the attacker arbitrary code execution with the privileges of the portal process. On a firewall that typically amounts to full compromise: reading or modifying the running configuration, inspecting or altering traffic passing through the device, harvesting credentials submitted to the portal, and using the firewall's own network position to move laterally.
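The pattern described above, as an added example that is not PAN-OS code and not taken from the Unit 42 report: a simplified login handler in C that copies a request parameter into a fixed-size stack buffer, first without a length check and then with one. USER_MAX, the `user=` parameter name, the query-string format and the helper functions are assumptions chosen for illustration; nothing here reflects the actual vulnerable code in CVE-2026-0300, whose details are not published on this page.

```c
/* Added example: a simplified captive-portal login handler showing the
 * vulnerable pattern described in the text beside a corrected version.
 * Illustrative code only, not PAN-OS source; the real bug behind
 * CVE-2026-0300 is not disclosed here and may differ in every detail. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define USER_MAX 64   /* assumed fixed-size username field */

/* Locate the value of the "user=" parameter in a query string such as
 * "user=alice&pass=hunter2". Sets *len to the value length and returns a
 * pointer into `query`, or NULL if the parameter is absent. (Simplified:
 * no URL decoding, and a key that merely ends in "user" would also match.) */
static const char *find_user(const char *query, size_t *len)
{
    const char *p = strstr(query, "user=");
    if (p == NULL)
        return NULL;
    p += strlen("user=");
    const char *end = strchr(p, '&');
    *len = end ? (size_t)(end - p) : strlen(p);
    return p;
}

/* VULNERABLE: the attacker-controlled length is never compared against
 * sizeof(user). A value of USER_MAX bytes or more writes past the end of
 * the stack buffer, corrupting whatever lies beyond it (other locals,
 * saved registers, the return address). Returns the username length. */
int portal_login_vulnerable(const char *query)
{
    char user[USER_MAX];
    size_t len;
    const char *v = find_user(query, &len);
    if (v == NULL)
        return -1;
    memcpy(user, v, len);      /* overflow when len >= USER_MAX */
    user[len] = '\0';          /* this terminator write also lands out of bounds */
    return (int)strlen(user);
}

/* FIXED: check the length against the buffer before copying, and reject
 * rather than silently truncate, so an oversize value becomes an error the
 * caller can log instead of a partially accepted login. */
int portal_login_fixed(const char *query)
{
    char user[USER_MAX];
    size_t len;
    const char *v = find_user(query, &len);
    if (v == NULL)
        return -1;
    if (len >= sizeof(user))   /* leave room for the terminator */
        return -2;
    memcpy(user, v, len);
    user[len] = '\0';
    return (int)strlen(user);
}

/* Exercise the fixed handler with a constructed request whose username is
 * `n` bytes of 'A', the shape of a probe an attacker sends while looking
 * for the overflow threshold. Returns the handler's result. */
int fixed_result_for_user_len(size_t n)
{
    const char *prefix = "user=", *suffix = "&pass=x";
    char *query = malloc(strlen(prefix) + n + strlen(suffix) + 1);
    if (query == NULL)
        return -99;
    strcpy(query, prefix);
    memset(query + strlen(prefix), 'A', n);
    strcpy(query + strlen(prefix) + n, suffix);
    int r = portal_login_fixed(query);
    free(query);
    return r;
}

int main(void)
{
    /* Only the fixed handler is driven with oversize input here; feeding
     * the vulnerable one an oversize value is undefined behaviour by design. */
    printf("normal login:   %d\n", portal_login_fixed("user=alice&pass=secret"));
    printf("63-byte user:   %d\n", fixed_result_for_user_len(63));
    printf("64-byte user:   %d\n", fixed_result_for_user_len(64));
    printf("4096-byte user: %d\n", fixed_result_for_user_len(4096));
    printf("missing user:   %d\n", portal_login_fixed("pass=secret"));
    return 0;
}
```

Build with `cc -fsanitize=address -g example.c` and pass portal_login_vulnerable a user value of 64 bytes or more to see the sanitizer report a stack-buffer-overflow at the memcpy; the fixed handler returns -2 for the same input. The reject-instead-of-truncate choice matters for a login page: truncating would let an attacker control which prefix of their input is accepted, and the rejection gives the service a concrete event to log.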
Attack Vector and Exploitation
The attack vector is network-based: the attacker sends crafted requests to the interface on which the captive portal is listening. Because no credentials are required, anyone who can reach that interface can attempt exploitation; the attacker needs no valid account, no session, and no client that has been redirected to the portal. Devices whose captive portal is reachable from the internet are therefore at highest risk, followed by those exposing it to guest or otherwise untrusted networks. Unit 42 reports active exploitation attempts in the wild, so the vulnerability should be treated as weaponized rather than theoretical.
Public or commercial exploit code may follow, or may already be circulating privately. Once an attacker has code execution on the firewall they hold a foothold on a device that every other control trusts: they can bypass security policy, intercept or modify traffic, exfiltrate data, stage ransomware, or use the firewall as a pivot into internal networks.
Impact and Affected Versions
The vulnerability affects PAN-OS versions from 9.0 through 10.2.x prior to the patched releases. Specific versions include:
- PAN-OS 9.0.x
- PAN-OS 9.1.x
- PAN-OS 10.0.x
- PAN-OS 10.1.x
- PAN-OS 10.2.x (before fixed version)
Any of these releases with the captive portal feature enabled is vulnerable. Fixed release numbers are given in the vendor advisory; do not assume a particular maintenance release is safe without checking it there, and confirm the status of release trains not listed above in the advisory rather than treating them as unaffected. The impact is complete compromise by an unauthenticated attacker, which in turn enables persistent backdoors, credential theft, and silent disabling of security features. Given how widely Palo Alto firewalls are deployed at enterprise perimeters, the potential for large-scale attacks is significant.

Mitigation and Recommendations
Palo Alto Networks has published a security advisory and fixed releases. The primary recommendation is to upgrade to a fixed PAN-OS release immediately. Where patching must wait, the following reduce exposure; they are stopgaps, not substitutes for the fix:
- Disable the captive portal: if the feature is not required, disable it. This removes the vulnerable code path from the attack surface entirely and is the only workaround that fully closes the hole.
- Restrict access: limit which networks can reach the interface and port the captive portal listens on, and deny everything else with explicit policy. Note the practical limit: a portal that exists to authenticate guest clients must by design be reachable from an untrusted network, so for that use case restriction offers little and disabling the feature is the safer choice until patched. Never expose the portal to the internet.
- Keep Threat Prevention current: if a Threat Prevention subscription is active, make sure content updates are applied, as the vendor may ship an IPS signature for exploitation attempts. Before relying on it, confirm in the advisory that a signature exists and that it is enabled in the profile applied to traffic reaching the portal; a signature only blocks what it recognizes.
- Monitor logs: review system logs for the portal process restarting or crashing unexpectedly (a failed exploit attempt often crashes the target), for malformed or unusually long requests to the portal, and for bursts of requests to it from a single source. Treat any such event on an unpatched device as a potential compromise and investigate accordingly.
For detailed patching instructions, refer to the official Palo Alto Networks security advisory. Unit 42's full report provides indicators of compromise (IoCs) and hunting guidance.
Conclusion
CVE-2026-0300 is a critical threat to PAN-OS deployments. Unauthenticated remote code execution on the firewall via the captive portal is close to a worst case for network security, because the compromised device is the one enforcing policy for everything behind it. Organizations should patch first and, where that is not yet possible, apply the workarounds above, preferring to disable the portal outright over relying on access restrictions alone. The active exploitation already observed leaves no room for delay; acting now denies attackers the window in which a zero-day does its damage.