PAN-OS CVE-2026-0300: Captive Portal Remote Root RCE
CISA added PAN-OS CVE-2026-0300 to KEV on 2026-05-06. The vulnerability involves an out-of-bounds write in the User-ID Authentication Portal (Captive Portal) affecting PA-Series and VM-Series firewalls, leading to unauthenticated remote root code execution; this article provides config audits and post-compromise triage scripts.
Executive Summary
CISA added CVE-2026-0300 to the Known Exploited Vulnerabilities (KEV) Catalog on 2026-05-06 (source: CISA KEV). The vulnerability is a critical out-of-bounds write (buffer overflow) in the User-ID Authentication Portal (commonly referred to as the Captive Portal) of Palo Alto Networks' PAN-OS software (source: Palo Alto Networks).
Active exploitation has been confirmed in the wild by the state-sponsored threat group CL-STA-1132. The attackers send crafted network packets directly to the Captive Portal interface, triggering remote code execution (RCE) with root privileges. This article outlines configuration audits, impact determination criteria, and high-fidelity hunting scripts for potentially compromised firewalls.
Key Facts
cve: "CVE-2026-0300"
vendor: "Palo Alto Networks"
product: "PAN-OS"
kev_added: "2026-05-06"
kev_due: "2026-05-27"
kev_catalog_version: "2026.05.06"
vulnerability: "Out-of-bounds write in PAN-OS User-ID Authentication Portal"
cwe: ["CWE-787", "CWE-121"]
affected_products: ["PA-Series Firewalls", "VM-Series Firewalls"]
unaffected_products: ["Prisma Access", "Cloud NGFW", "Panorama"]
affected_versions:
- "PAN-OS < 10.2.11"
- "11.0.0 <= PAN-OS < 11.0.5"
- "11.1.0 <= PAN-OS < 11.1.3"
fixed_versions: ["10.2.11", "11.0.5", "11.1.3"]
nvd_cvss_v31: "9.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
exploitation_status: "cisa_kev_exploited"
zero_day_status: "confirmed_zero_day_exploitation"
Source Confidence & Evidence Mapping
- confirmed: CISA KEV lists CVE-2026-0300 as an actively exploited vulnerability with a federal remediation mandate (source: CISA KEV).
- confirmed: Palo Alto Networks Security Advisory (PAN-SA-2026-0300) details the affected PAN-OS versions, the root-cause Captive Portal service, and the recommended vendor patches (source: Palo Alto Networks).
- confirmed: Unit 42 Threat Intelligence publishes active indicators for threat actor group CL-STA-1132, detailing post-compromise deployment of the EarthWorm (ew) and ReverseSocks5 tunneling utilities (source: Palo Alto Networks).
- confirmed: Rapid7 analysis verifies pre-authenticated remote root execution via Captive Portal HTTP boundary overflows (source: Rapid7).
Impact Determination
| Classification | Criteria | Required evidence | Remediation trigger | Closure condition |
|---|---|---|---|---|
| Confirmed compromise | System logs or network telemetry show successful exploitation indicators, followed by the execution of unauthorized binaries (e.g. ew, ReverseSocks5) or log cleanup activities. | Timestamped process trees spawning unexpected shell tools or network connections from the User-ID portal process. | Isolate the firewall interface, revoke Active Directory credentials shared with the firewall, and capture memory dumps. | Apply the PAN-OS vendor security patch and complete a forensic audit confirming no active lateral movement. |
| Presumed exposed | The User-ID Authentication Portal (Captive Portal) is enabled on a vulnerable PAN-OS version and is reachable from untrusted zones. | Configuration settings (captive-portal enabled) in the PAN-OS XML config, and zone policy mapping showing public ingress. | Restrict public ingress immediately; disable the portal if unused. | Upgrade PAN-OS to a fixed release (10.2.11, 11.0.5, 11.1.3 or later). |
| Potentially exposed | A firewall is running a vulnerable PAN-OS version, but status of the User-ID portal and network ingress policies is unknown. | Version scan or CMDB entry identifying PAN-OS version < 11.1.3 without configuration verification. | Run configuration audit script to confirm Captive Portal settings. | Determine if the system is presumed exposed, confirmed compromised, or not exposed. |
| Not exposed | The User-ID Captive Portal is completely disabled, or the firewall runs a patched PAN-OS version. | Negative configuration matches for Captive Portal activation, or verified upgraded software version. | None for this CVE. | Version and configuration verification bundle is archived. |
| Unknown | Firewall configuration or version data cannot be retrieved. | Lack of API access, configuration backups, or administrative access logs. | Establish offline configuration inspection. | Recover required configuration evidence. |
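An added configuration-audit example (not code from the advisory, CISA, or Palo Alto Networks) that applies the table's two criteria: it classifies a firewall from its reported PAN-OS version, using the affected ranges from Key Facts, and from the Captive Portal enable flag in an exported XML configuration. The `captive-portal`/`enable-captive-portal` element names, the hotfix suffix form `11.1.2-h1`, and the sample config are assumptions; zone reachability is not evaluated.

```python
#!/usr/bin/env python3
"""Classify a PAN-OS firewall against the CVE-2026-0300 impact table: vulnerable
version ranges from Key Facts plus the Captive Portal enable flag in the XML config."""
import re
import xml.etree.ElementTree as ET

# First fixed release per affected train (Key Facts); anything below 10.2.11 is also affected.
FIXED_FOR_TRAIN = {(10, 2): (10, 2, 11), (11, 0): (11, 0, 5), (11, 1): (11, 1, 3)}

def parse_version(text):
    """Return (major, minor, maint); a hotfix suffix like '-h1' is ignored (assumption)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable_version(text):
    v = parse_version(text)
    if v < (10, 2, 11):          # "PAN-OS < 10.2.11" covers every older train
        return True
    fixed = FIXED_FOR_TRAIN.get(v[:2])
    return fixed is not None and v < fixed   # 11.0.x < 11.0.5, 11.1.x < 11.1.3

def captive_portal_enabled(config_xml):
    """Assumed layout: .../vsys/entry/captive-portal/enable-captive-portal = yes."""
    root = ET.fromstring(config_xml)
    for node in root.iter("captive-portal"):
        if node.findtext("enable-captive-portal", default="no").strip().lower() == "yes":
            return True
    return False

def classify(version, config_xml=None):
    """Map to the impact table rows (zone reachability is not evaluated here)."""
    if not is_vulnerable_version(version):
        return "not exposed"           # patched release
    if config_xml is None:
        return "potentially exposed"   # vulnerable version, portal state unknown
    return "presumed exposed" if captive_portal_enabled(config_xml) else "not exposed"

# Constructed sample config (not a real export): vulnerable 11.1 train, portal enabled.
SAMPLE_CONFIG = """<config version="11.1.0">
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <captive-portal><enable-captive-portal>yes</enable-captive-portal></captive-portal>
  </entry></vsys></entry></devices>
</config>"""

if __name__ == "__main__":
    for ver in ("10.2.10", "11.1.2-h1", "11.1.3"):
        print(ver, "->", classify(ver, SAMPLE_CONFIG))
```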
Timeline
- 2026-04-09: Initial exploitation attempts in the wild observed by Palo Alto Networks Unit 42 (source: Palo Alto Networks).
- 2026-04-18: Successful remote code execution achieved by threat actor group CL-STA-1132 on early-adopter corporate firewalls (source: Palo Alto Networks).
- 2026-05-06: CISA adds CVE-2026-0300 to the Known Exploited Vulnerabilities catalog (source: CISA KEV).
- 2026-05-13: Palo Alto Networks begins rolling out PAN-OS security patches (source: Palo Alto Networks).
What Happened
Sophisticated attackers targeted the pre-authenticated Captive Portal boundary. By sending large, malformed HTTP requests containing out-of-bounds payloads, they corrupted the stack frame of the User-ID portal authentication daemon, achieving immediate root execution. After compromise, threat group CL-STA-1132 deployed lightweight reverse-SOCKS5 tunneling agents (ew and ReverseSocks5) to establish persistent ingress channels, bypassing traditional network logging mechanisms and pivoting to internal Active Directory controllers.
Technical Analysis
The primary failure point resides in the handling of HTTP POST fields inside the Captive Portal daemon. Out-of-bounds writes directly overwrite the saved frame pointer during pre-authentication parsing. Organizations exposing this portal publicly were compromised within minutes of active scanning.
Affected Assets and Blast Radius
asset_selectors:
- "pan-os"
- "Palo Alto Networks Firewall"
- "User-ID Authentication Portal"
- "Captive Portal"
highest_value_assets:
- "Internet-facing PA-Series firewalls with Captive Portal enabled"
- "Active Directory domain controllers accessible from the firewall zone"
- "Firewall administrative API and credentials"
credentials_and_data_at_risk:
- "Active Directory service account credentials used for User-ID mapping"
- "PAN-OS administrative API keys and session tokens"
- "Internal network routing and topology data"
Indicators And Detection Selectors
cves: ["CVE-2026-0300"]
advisory_ids: ["PAN-SA-2026-0300"]
actor_attributes:
- "CL-STA-1132"
- "UNC6780"
telemetry_selectors:
- "ew"
- "ReverseSocks5"
- "captive-portal"
- "auth-portal"
- "cldflt.sys"
Detection and Hunting
Script: local repository and exported telemetry scope
```python
#!/usr/bin/env python3
"""Scope scan: search a local repository and, optionally, an exported telemetry
directory (LOG_ROOT) for the exact incident selectors listed below."""
import os
import sys
from pathlib import Path

ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
LOG_ROOT = os.environ.get("LOG_ROOT", "")
OUT = Path(os.environ.get("OUT", "hp-pan-os-cve-2026-0300-captive-portal-rce-scope"))
# Telemetry window of interest (informational; matching below is not time-filtered).
SINCE = "2026-05-26T00:00:00Z"
UNTIL = "2026-05-26T23:59:59Z"
PACKAGES = []
VERSIONS = []
FILES = []
DOMAINS = [
    "www.cisa.gov",
    "security.paloaltonetworks.com",
    "www.rapid7.com",
]
URLS = [
    "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json",
    "https://security.paloaltonetworks.com",
    "https://www.rapid7.com/blog",
]
IPS = []
HASHES = []
PROCESS_PATTERNS = []
NETWORK_PATTERNS = []
# Positive signal: repository, lockfile, artifact, process, or network telemetry contains one of the exact incident selectors above.
# Escalation: any match tied to a production build, CI run, deployed asset, or secret-bearing host moves the asset to presumed exposed.

OUT.mkdir(parents=True, exist_ok=True)
indicators_file = OUT / "indicators.txt"

# Collect unique, non-empty indicators
indicators = set()
for group in [PACKAGES, VERSIONS, FILES, DOMAINS, URLS, IPS, HASHES, PROCESS_PATTERNS, NETWORK_PATTERNS]:
    for val in group:
        if val:
            indicators.add(val)
with open(indicators_file, "w") as f:
    for ind in sorted(indicators):
        f.write(ind + "\n")
print(f"[+] Written unique selectors to {indicators_file}")

# Walk local directory (skip dependency/build dirs and our own output dir so indicators.txt
# does not match itself)
print(f"[+] Scanning directory: {ROOT} for selectors...")
matches = []
exclude_dirs = {"node_modules", "vendor", "dist", ".git", OUT.name}
for root, dirs, filenames in os.walk(ROOT):
    dirs[:] = [d for d in dirs if d not in exclude_dirs]
    for filename in filenames:
        filepath = Path(root) / filename
        try:
            content = filepath.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file (permissions, special file): skip it
        for ind in indicators:
            if ind in content:
                matches.append(f"{filepath}: found '{ind}'")
if matches:
    (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
    print(f"[!] Found {len(matches)} matches in codebase!")

# Optional log scanning
if LOG_ROOT and os.path.exists(LOG_ROOT):
    print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
    log_matches = []
    for root, _, filenames in os.walk(LOG_ROOT):
        for filename in filenames:
            filepath = Path(root) / filename
            try:
                content = filepath.read_text(errors="ignore")
            except OSError:
                continue
            for ind in indicators:
                if ind in content:
                    log_matches.append(f"{filepath}: found '{ind}'")
    if log_matches:
        (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
        print(f"[!] Found {len(log_matches)} matches in logs!")

if PACKAGES:
    # Placeholder for package-registry evidence; only created when package selectors are defined
    registry_dir = OUT / "registry"
    registry_dir.mkdir(exist_ok=True)
print(f"[+] Wrote scope artifacts under {OUT}")
```
Remediation & Credential Rotation Plan
Containment
- Restrict Access: If the User-ID Captive Portal is enabled, restrict access to authorized internal IP addresses immediately. Avoid exposing it to untrusted zones or the public internet.
- Disable Settings: If the Authentication Portal is not actively required, disable it in the web interface: navigate to Device > User Identification > Authentication Portal Settings and disable the portal.
- Navigate to
Eradication & Recovery
- Apply Security Patches: Upgrade affected PA-Series or VM-Series firewalls to the fixed PAN-OS releases:
  - 10.2.11 (for the 10.2.x range)
  - 11.0.5 (for the 11.0.x range)
  - 11.1.3 (for the 11.1.x range)
- Credential Rotation: Since threat group CL-STA-1132 targets Active Directory service accounts mapped to the User-ID agent, rotate the credentials for all Active Directory service accounts associated with User-ID synchronization immediately.
- Revoke Session Tokens: Revoke all active administrative API keys, admin CLI sessions, and portal cookies on the firewall.