| Confirmed compromise | System logs or network telemetry show successful exploitation indicators, followed by the execution of unauthorized binaries (e.g. ew, ReverseSocks5) or log cleanup activities. | Timestamped process trees spawning unexpected shell tools or network connections from the User-ID portal process. | Isolate the firewall interface, revoke Active Directory credentials shared with the firewall, and capture memory dumps. | Apply the PAN-OS vendor security patch and complete a forensic audit confirming no active lateral movement. |
| Presumed exposed | The User-ID Authentication Portal (Captive Portal) is enabled on a vulnerable PAN-OS version and is reachable from untrusted zones. | Configuration settings (captive-portal enabled) in the PAN-OS XML config, and zone policy mapping showing public ingress. | Restrict public ingress immediately; disable the portal if unused. | Upgrade PAN-OS to a fixed release (10.2.11, 11.0.5, 11.1.3 or later). |
| Potentially exposed | A firewall is running a vulnerable PAN-OS version, but status of the User-ID portal and network ingress policies is unknown. | Version scan or CMDB entry identifying PAN-OS version < 11.1.3 without configuration verification. | Run configuration audit script to confirm Captive Portal settings. | Determine if the system is presumed exposed, confirmed compromised, or not exposed. |
| Not exposed | The User-ID Captive Portal is completely disabled, or the firewall runs a patched PAN-OS version. | Negative configuration matches for Captive Portal activation, or verified upgraded software version. | None for this CVE. | Version and configuration verification bundle is archived. |
| Unknown | Firewall configuration or version data cannot be retrieved. | Lack of API access, configuration backups, or administrative access logs. | Establish offline configuration inspection. | Recover required configuration evidence. |