PAN-OS CVE-2026-0300: Captive Portal Remote Root RCE

Suspected
Discovered May 26, 2026

CISA added PAN-OS CVE-2026-0300 to KEV on 2026-05-06. The vulnerability involves an out-of-bounds write in the User-ID Authentication Portal (Captive Portal) affecting PA-Series and VM-Series firewalls, leading to unauthenticated remote root code execution; this article provides config audits and post-compromise triage scripts.

0
Affected Packages
0
Observables
3
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Am I affected?
Review affected software below
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script

Analysis

Executive Summary

CISA added CVE-2026-0300 to the Known Exploited Vulnerabilities (KEV) Catalog on 2026-05-06 CISA KEV opens in a new tab. The vulnerability involves a critical out-of-bounds write (buffer overflow) in the User-ID Authentication Portal (commonly referred to as the Captive Portal) of Palo Alto Networks' PAN-OS software Palo Alto Networks opens in a new tab.

Active exploitation has been confirmed in the wild by sophisticated state-sponsored threat group CL-STA-1132. The attackers leverage crafted network packets sent directly to the Captive Portal settings interface, triggering remote code execution (RCE) with root privileges. This article outlines configuration audits, impact determinations, and high-fidelity hunting scripts for compromised endpoints.

Key Facts

Cve: CVE-2026-0300

Vendor: Palo Alto Networks

Product: PAN-OS

Kev Added: 2026-05-06

Kev Due: 2026-05-27

Kev Catalog Version: 2026.05.06

Vulnerability: Out-of-bounds write in PAN-OS User-ID Authentication Portal

Cwe:

  • CWE-787
  • CWE-121

Affected Products:

  • PA-Series Firewalls
  • VM-Series Firewalls

Unaffected Products:

  • Prisma Access
  • Cloud NGFW
  • Panorama

Affected Versions:

  • PAN-OS < 10.2.11
  • 11.0.0 <= PAN-OS < 11.0.5
  • 11.1.0 <= PAN-OS < 11.1.3

Fixed Versions:

  • 10.2.11
  • 11.0.5
  • 11.1.3

Nvd Cvss V31: 9.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Exploitation Status: cisa_kev_exploited

Zero Day Status: confirmed_zero_day_exploitation

Evidence Assessment

  • confirmed: CISA KEV lists CVE-2026-0300 as an actively exploited vulnerability with a federal remediation mandate CISA KEV opens in a new tab.
  • confirmed: Palo Alto Networks Security Advisory (PAN-SA-2026-0300) details the affected PAN-OS versions, root-cause Captive Portal service, and recommended vendor patches Palo Alto Networks opens in a new tab.
  • confirmed: Unit 42 Threat Intelligence publishes active indicators for threat actor group CL-STA-1132, detailing post-compromise deployment of EarthWorm (ew) and ReverseSocks5 tunneling utilities Palo Alto Networks opens in a new tab.
  • confirmed: Rapid7 Analysis verifies pre-authenticated remote root execution via Captive Portal HTTP boundary overflows Rapid7 opens in a new tab.

Impact Determination

Analysis table
ClassificationCriteriaRequired evidenceRemediation triggerClosure condition
Confirmed compromiseSystem logs or network telemetry show successful exploitation indicators, followed by the execution of unauthorized binaries (e.g. ew, ReverseSocks5) or log cleanup activities.Timestamped process trees spawning unexpected shell tools or network connections from the User-ID portal process.Isolate the firewall interface, revoke Active Directory credentials shared with the firewall, and capture memory dumps.Apply the PAN-OS vendor security patch and complete a forensic audit confirming no active lateral movement.
Presumed exposedThe User-ID Authentication Portal (Captive Portal) is enabled on a vulnerable PAN-OS version and is reachable from untrusted zones.Configuration settings (captive-portal enabled) in the PAN-OS XML config, and zone policy mapping showing public ingress.Restrict public ingress immediately; disable the portal if unused.Upgrade PAN-OS to a fixed release (10.2.11, 11.0.5, 11.1.3 or later).
Potentially exposedA firewall is running a vulnerable PAN-OS version, but status of the User-ID portal and network ingress policies is unknown.Version scan or CMDB entry identifying PAN-OS version < 11.1.3 without configuration verification.Run configuration audit script to confirm Captive Portal settings.Determine if the system is presumed exposed, confirmed compromised, or not exposed.
Not exposedThe User-ID Captive Portal is completely disabled, or the firewall runs a patched PAN-OS version.Negative configuration matches for Captive Portal activation, or verified upgraded software version.None for this CVE.Version and configuration verification bundle is archived.
UnknownFirewall configuration or version data cannot be retrieved.Lack of API access, configuration backups, or administrative access logs.Establish offline configuration inspection.Recover required configuration evidence.

Timeline

What Happened

Sophisticated attackers targeted the pre-authenticated Captive Portal boundary. By sending large, malformed HTTP requests containing out-of-bounds payloads, they corrupted the stack frame of the User-ID portal authentication daemon, achieving immediate root execution. Upon compromise, threat group CL-STA-1132 deployed lightweight, reverse SOCKS5 tunneling agents (ew and ReverseSocks5) to establish persistent ingress channels, bypassing traditional network logging mechanisms to pivot to internal Active Directory controllers.

Technical Analysis

The primary failure point resides in the handling of HTTP POST fields inside the Captive Portal daemon. Out-of-bounds writes directly overwrite the saved frame pointer during pre-authentication parsing. Organizations exposing this portal publicly were compromised within minutes of active scanning. [1]

Affected Assets and Blast Radius

Asset Selectors:

  • pan-os
  • Palo Alto Networks Firewall
  • User-ID Authentication Portal
  • Captive Portal

Highest Value Assets:

  • Internet-facing PA-Series firewalls with Captive Portal enabled
  • Active Directory domain controllers accessible from the firewall zone
  • Firewall administrative API and credentials

Credentials And Data At Risk:

  • Active Directory service account credentials used for User-ID mapping
  • PAN-OS administrative API keys and session tokens
  • Internal network routing and topology data

Indicators of Compromise

The following indicators of compromise (IOCs) can be used to scope exposure across local repositories, systems, and telemetry exports:

Containment

  1. Restrict Access: If the User-ID Captive Portal is enabled, restrict access to authorized internal IP addresses immediately. Avoid exposing it to untrusted zones or the public internet.
  2. Disable Settings: If the Authentication Portal is not actively required, disable it inside the interface:
    • Navigate to Device > User Identification > Authentication Portal Settings and disable the portal.

Eradication & Recovery

  1. Apply Security Patches: Upgrade affected PA-Series or VM-Series firewalls to fixed PAN-OS releases:
    • 10.2.11 (for 10.2.x range)
    • 11.0.5 (for 11.0.x range)
    • 11.1.3 (for 11.1.x range)
  2. Credential Rotation: Since threat group CL-STA-1132 targets Active Directory service accounts mapped to the User-ID agent, rotate the credentials for all Active Directory service accounts associated with User-ID synchronization immediately.
  3. Revoke Session Tokens: Revoke all active administrative API keys, admin CLI sessions, and portal cookies on the firewall.

Timeline

4 of 4 rows

Timeline
DateEventDescriptionSource
May 26, 2026First seenFirst seen recorded for PAN-OS CVE-2026-0300: Captive Portal Remote Root RCE.security.paloaltonetworks.com
May 26, 2026DiscoveryDiscovery recorded for PAN-OS CVE-2026-0300: Captive Portal Remote Root RCE.security.paloaltonetworks.com
May 26, 2026PAN-OS CVE-2026-0300: Captive Portal Remote Root RCEUnknownsecurity.paloaltonetworks.com
May 26, 2026DisclosureDisclosure recorded for PAN-OS CVE-2026-0300: Captive Portal Remote Root RCE.security.paloaltonetworks.com

Affected Software

0 of 0 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
No rows match the active filters.

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
local repository and exported telemetry scopePythonDoes the telemetry scope contain patterns associated with PAN-OS CVE-2026-0300: Captive Portal Remote Root RCE?scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabsecurity.paloaltonetworks.com

Hunt Manifest: local repository and exported telemetry scope

Title
local repository and exported telemetry scope
Question
Does the telemetry scope contain patterns associated with PAN-OS CVE-2026-0300: Captive Portal Remote Root RCE?
Telemetry Family
Python
Repository
scripts/local_repository_and_exported_telemetry_scope.py
Show tested hunting scriptscripts/local_repository_and_exported_telemetry_scope.py
scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabPython
#!/usr/bin/env python3
import os
import sys
from pathlib import Path

ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
LOG_ROOT = os.environ.get("LOG_ROOT", "")
OUT = Path(os.environ.get("OUT", "hp-pan-os-cve-2026-0300-captive-portal-rce-scope"))


# Collect unique indicators
indicators = set()
for group in []:
    for val in group:
        if val:
            indicators.add(val)

with open(indicators_file, "w") as f:
    for ind in sorted(indicators):
        f.write(ind + "\n")

print(f"[+] Written unique selectors to {indicators_file}")

# Walk local directory
print(f"[+] Scanning directory: {ROOT} for selectors...")
matches = []
exclude_dirs = {"node_modules", "vendor", "dist", ".git"}
for root, dirs, filenames in os.walk(ROOT):
    dirs[:] = [d for d in dirs if d not in exclude_dirs]
    for filename in filenames:
        filepath = Path(root) / filename
        try:
            content = filepath.read_text(errors="ignore")
            for ind in indicators:
                if ind in content:
                    matches.append(f"{filepath}: found '{ind}'")
        except Exception:
            pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here

if matches:
    (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
    print(f"[!] Found {len(matches)} matches in codebase!")

# Optional Log Scanning
if LOG_ROOT and os.path.exists(LOG_ROOT):
    print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
    log_matches = []
    for root, _, filenames in os.walk(LOG_ROOT):
        for filename in filenames:
            filepath = Path(root) / filename
            try:
                content = filepath.read_text(errors="ignore")
                for ind in indicators:
                    if ind in content:
                        log_matches.append(f"{filepath}: found '{ind}'")
            except Exception:
                pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here
    if log_matches:
        (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
        print(f"[!] Found {len(log_matches)} matches in logs!")

    if PACKAGES:
        registry_dir = OUT / "registry"
        registry_dir.mkdir(exist_ok=True)

print(f"[+] Wrote scope artifacts under {OUT}")

Provenance & Sources

3 of 3 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
security.paloaltonetworks.comSecurity Researcher95%1CISA added PAN-OS CVE-2026-0300 to KEV on 2026-05-06. The vulnerability involves an out-of-bounds write in the User-ID Authentication Portal (Captive Portal) affecting PA-Series and VM-Series firewalls, leading to unauthenticated remote root code execution; this article provides config audits and post-compromise triage scripts.
rapid7.comSecurity Researcher95%1CISA added PAN-OS CVE-2026-0300 to KEV on 2026-05-06. The vulnerability involves an out-of-bounds write in the User-ID Authentication Portal (Captive Portal) affecting PA-Series and VM-Series firewalls, leading to unauthenticated remote root code execution; this article provides config audits and post-compromise triage scripts.
cisa.govSecurity Researcher95%1CISA added PAN-OS CVE-2026-0300 to KEV on 2026-05-06. The vulnerability involves an out-of-bounds write in the User-ID Authentication Portal (Captive Portal) affecting PA-Series and VM-Series firewalls, leading to unauthenticated remote root code execution; this article provides config audits and post-compromise triage scripts.