10 Critical Facts About the PAN-OS Captive Portal Zero-Day (CVE-2026-0300)
In early 2026, cybersecurity researchers at Unit 42 uncovered a critical zero-day vulnerability affecting Palo Alto Networks PAN-OS. Designated CVE-2026-0300, this flaw enables unauthenticated remote code execution via the User-ID Authentication Portal. Below, we break down the ten most essential details about this threat, from its technical underpinnings to practical mitigation strategies.
1. The Vulnerability: A Buffer Overflow in the Captive Portal
At its core, CVE-2026-0300 is a classic buffer overflow vulnerability residing in the captive portal component of PAN-OS. The captive portal is designed to authenticate users before granting network access, but improper input validation allows an attacker to send a specially crafted request that overflows a memory buffer. This overflow corrupts adjacent memory regions, enabling the attacker to inject and execute arbitrary code with system privileges.

2. Affected Component: User-ID Authentication Portal
The flaw resides in the User-ID Authentication Portal, a feature that maps user names to IP addresses for policy enforcement. This portal handles HTTP requests for authentication and SSO logins. Because it runs with elevated permissions, any compromise leads to full control of the firewall. Organisations relying on PAN-OS for network security should immediately verify whether their systems expose this portal to the internet.
3. Unauthenticated Remote Code Execution
Attackers do not need any prior credentials or network access to exploit CVE-2026-0300. By sending a malicious payload over HTTP or HTTPS to the vulnerable portal, they achieve remote code execution as the www user. This can then be escalated to root, allowing the attacker to install backdoors, exfiltrate data, or pivot to other internal systems, all without authentication. Item 4 describes the exploitation chain in more detail.
4. Exploitation Chain: From Buffer Overflow to Full Compromise
The attack begins with a crafted POST request containing an overly long string in a specific parameter. The overflow crashes the handler, but it also overwrites the saved return address so that, when the function returns, the processor executes attacker-supplied shellcode. That shellcode opens a reverse shell back to the attacker's command-and-control server. From there, privilege escalation and lateral movement are possible within minutes.
5. Zero-Day Status: Previously Unknown and Actively Exploited
Unit 42 discovered CVE-2026-0300 after observing active exploitation in the wild. At the time of disclosure, no patch existed, making it a true zero-day. Palo Alto Networks has since released a security advisory and firmware updates. However, organisations that delayed patching remained vulnerable for weeks. See item 10 for recommended actions.
6. Impact on Network Security Posture
Successful exploitation can completely undermine a firewall’s protective capabilities. An attacker with root access can disable logging, modify security policies, or deploy ransomware across the network. For organisations that use PAN-OS as their primary gateway, the breach could expose sensitive customer data and lead to regulatory fines. The vulnerability highlights the risk of exposing authentication portals to untrusted networks.

7. First Indicators of Compromise (IOCs)
Unit 42 identified several IOCs associated with this attack. Unusual HTTP requests containing extremely long parameter names, or repeated characters in the User-Agent header, were common. Additionally, firewall logs showed repeated HTTP 500 Internal Server Error responses from the captive portal service, followed by outbound connections to unfamiliar IP addresses on non-standard ports. Network defenders should monitor for these signs.
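To put these indicators into practice, here is an added example (not from Unit 42 or the original article) of detection logic run over constructed sample log lines. The two log formats, the `/portal/` path, the thresholds and the "standard" port set are assumptions for the illustration.

```python
import re
from collections import Counter

# Constructed sample logs, not real PAN-OS output. Hypothetical formats:
#   access:  <ts> <src> <method> <path?query> <status> "<user-agent>"
#   traffic: <ts> <src> <dst> <dport>  (outbound sessions seen from the firewall)
ACCESS_LOG = [
    '2026-01-14T10:00:01Z 198.51.100.7 GET /portal/login 200 "Mozilla/5.0 (X11; Linux)"',
    '2026-01-14T10:00:05Z 203.0.113.9 POST /portal/login?' + 'A' * 120 + '=1 500 "Mozilla/5.0"',
    '2026-01-14T10:00:06Z 203.0.113.9 POST /portal/login?user=x 500 "' + 'x' * 40 + '"',
    '2026-01-14T10:00:07Z 203.0.113.9 POST /portal/login?user=y 500 "Mozilla/5.0"',
]
TRAFFIC_LOG = [
    '2026-01-14T10:00:02Z 10.0.0.1 192.0.2.44 443',   # ordinary HTTPS before the burst
    '2026-01-14T10:00:09Z 10.0.0.1 192.0.2.99 4444',  # non-standard port after the burst
]
ACCESS_RE = re.compile(r'^(\S+) (\S+) \S+ (\S+) (\d{3}) "([^"]*)"$')
REPEAT_RE = re.compile(r'(.)\1{15,}')  # 16 or more identical consecutive characters
PORTAL_PREFIX, MAX_PARAM_NAME = '/portal/', 64  # hypothetical path; "extremely long" threshold
ERROR_BURST, STANDARD_PORTS = 3, {53, 80, 443}   # 500s per source that count as a burst

def request_findings(lines):
    """Return (ts, src, indicator) for captive-portal requests matching the reported IOCs."""
    findings, errors = [], Counter()
    for m in filter(None, map(ACCESS_RE.match, lines)):  # skip lines that do not parse
        ts, src, target, status, ua = m.groups()
        path, _, query = target.partition('?')
        if not path.startswith(PORTAL_PREFIX):
            continue
        names = [p.split('=', 1)[0] for p in query.split('&') if p]
        if any(len(n) > MAX_PARAM_NAME for n in names):
            findings.append((ts, src, 'long_param_name'))
        if REPEAT_RE.search(ua):
            findings.append((ts, src, 'repeated_chars_user_agent'))
        if status == '500':
            errors[src] += 1
            if errors[src] == ERROR_BURST:  # report the burst once per source
                findings.append((ts, src, 'portal_500_burst'))
    return findings

def outbound_after_burst(findings, traffic):
    """Outbound sessions to non-standard ports after the first 500 burst, as (dst, dport)."""
    bursts = [ts for ts, _, kind in findings if kind == 'portal_500_burst']
    hits = []
    for line in traffic:
        ts, _src, dst, dport = line.split()  # ISO timestamps compare correctly as strings
        if bursts and ts >= min(bursts) and int(dport) not in STANDARD_PORTS:
            hits.append((dst, int(dport)))
    return hits
```

On the constructed input the three request indicators all fire for 203.0.113.9, and the only outbound session flagged is the one to port 4444 after the burst.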
8. Mitigation Before Patching
If immediate patching is not possible, administrators can implement workarounds. The most effective is to restrict access to the User-ID Authentication Portal with source IP rules that allow only trusted management networks. Additionally, enabling SSL/TLS inspection and disabling unused captive portal features reduce the attack surface. Palo Alto Networks also recommends enabling threat prevention signatures that detect buffer overflow attempts.
9. Vulnerability Identification and Scanning
To determine if your PAN-OS version is affected, check the advisory from Palo Alto Networks. The vulnerability impacts PAN-OS 10.x and earlier builds running captive portal. You can use vulnerability scanners that include CVE-2026-0300 checks. Alternatively, manually inspect the captive portal endpoint by sending a large POST request and observing the firewall’s response. More details are in item 4.
10. Critical Recommendations and Next Steps
Organisations must treat CVE-2026-0300 with urgency. First, apply the official hotfix immediately after testing in a staging environment. Second, review firewall logs for any signs of pre-existing compromise. Third, rotate all credentials stored on the firewall. Finally, conduct a security audit to ensure no backdoors remain. For ongoing protection, subscribe to Unit 42 threat briefs to stay ahead of emerging zero-day threats.
In summary, CVE-2026-0300 represents a serious threat to any organisation running PAN-OS with captive portal enabled. The zero-day’s unauthenticated nature and active exploitation demand swift action. By understanding these ten facts, security teams can better defend their networks and respond effectively to this and future vulnerabilities.