This was already published by Jazz Cyber Shield.
This is not a "patch it next sprint" situation. Unauthenticated root-level RCE. No credentials needed. No user interaction needed. State-sponsored actors confirmed inside networks since mid-April 2026. CISA added it to the Known Exploited Vulnerabilities catalog on May 6 with a federal remediation deadline of May 9. Patches only started shipping May 13.
If you manage PA-Series or VM-Series firewalls, here is everything you need to know and do.
The Vulnerability in Plain Terms
CVE-2026-0300 is a buffer overflow (CWE-787: Out-of-Bounds Write) in the User-ID Authentication Portal service of PAN-OS — also known as the Captive Portal. It is the service that maps unknown IP addresses to user identities. Common in guest networks, BYOD environments, contractor segments.
An attacker sends specially crafted packets to the portal. The service mishandles memory. The attacker gets arbitrary code execution with root privileges on the firewall.
Attack flow:
```
[Attacker] ──crafted packets──► [PAN-OS Captive Portal :6081/:6082]
                                              │
                                  Buffer overflow (CWE-787)
                                              │
                              RCE with root on PA/VM-Series firewall
                                              │
                     ┌────────────────────────┴────────────────────────┐
           Shellcode injected                                  Log cleanup begins
           into nginx worker                                   (crash dumps, nginx
           process                                             records wiped)
                     │
          ┌──────────┴──────────┐
   AD enumeration         Tunneling tools
   via firewall           deployed
   service account        (EarthWorm,
   credentials            ReverseSocks5)
```
No authentication. No user click. Just packets.
Affected Products and Versions
Only PA-Series and VM-Series firewalls running PAN-OS are affected. Prisma Access, Cloud NGFW, and Panorama are not impacted.
Vulnerable PAN-OS branches:
PAN-OS 12.1 → prior to 12.1.4-h5 and 12.1.7
PAN-OS 11.2 → prior to 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, and 11.2.12
PAN-OS 11.1 → prior to 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15
PAN-OS 10.2 → prior to 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6
⚠️ Important: When checking your dashboard for the fix, look specifically for hotfix suffix strings (e.g., -h5, -h17, -h33). Standard maintenance releases may not include the patch until the Wave 2 window around May 28, 2026.
Patch rollout:
Wave 1: May 13, 2026
Wave 2: ~May 28, 2026
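To turn the version list above into something you can run against an inventory, here is an added Python example (not from the article and not from Palo Alto Networks). It parses PAN-OS build strings, keeps the -hN hotfix suffix the note above warns about, and classifies each build against the fixed builds listed for its branch. Its reading of "prior to" is an assumption, stated again in the code: a build counts as fixed only if it is at or above the hotfix for its own maintenance line, or at or above the branch's first fully fixed maintenance release; a plain maintenance release with no listed hotfix is treated as unpatched. The hostnames and versions in the inventory are constructed. A patched build says nothing about portal exposure, which the "Are You Exposed?" section covers.

```python
import re

# Fixed builds as listed in the article above (Wave 1). Within each branch the
# hotfixed builds fix one maintenance line each; an entry with no -h suffix is
# the first maintenance release of that branch that ships fully fixed.
FIXED_BUILDS = {
    "12.1": ["12.1.4-h5", "12.1.7"],
    "11.2": ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6",
             "11.1.10-h25", "11.1.13-h5", "11.1.15"],
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21",
             "10.2.16-h7", "10.2.18-h6"],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Split '11.2.4-h17' into (major, minor, maint, hotfix); hotfix is 0 when absent."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_fixed(version):
    """True if the build carries the fix, False if not, None if its branch is not in the list.

    Assumed reading of the advisory wording (this example's interpretation, not
    the vendor's): a build is fixed when it is at or above the hotfix listed
    for its own maintenance line, or at or above the branch's first fully fixed
    maintenance release. Any other build, including a plain maintenance release
    with no listed hotfix, is treated as unpatched; that is exactly what the
    hotfix-suffix warning above is about.
    """
    major, minor, maint, hotfix = parse_version(version)
    branch = f"{major}.{minor}"
    if branch not in FIXED_BUILDS:
        return None
    fixed = [parse_version(v) for v in FIXED_BUILDS[branch]]
    # First fully fixed maintenance release, if the branch has one yet (10.2 does not).
    full_releases = [f for f in fixed if f[3] == 0]
    if full_releases and (major, minor, maint) >= full_releases[0][:3]:
        return True
    # Otherwise the build must sit on a hotfixed line, at or above that hotfix.
    return any(f_maint == maint and hotfix >= f_hot
               for (_, _, f_maint, f_hot) in fixed if f_hot)


def triage(inventory):
    """Map hostname -> 'patched' / 'unpatched' / 'unlisted-branch' / 'unparsed'."""
    report = {}
    for host, version in inventory.items():
        try:
            verdict = is_fixed(version)
        except ValueError:
            report[host] = "unparsed"
            continue
        report[host] = {True: "patched", False: "unpatched", None: "unlisted-branch"}[verdict]
    return report


# Constructed inventory for the example; hostnames and builds are made up.
INVENTORY = {
    "fw-dc1-edge": "11.2.4-h17",   # hotfix for its line: patched
    "fw-dc1-guest": "11.2.5",      # maintenance release without a listed hotfix: unpatched
    "fw-branch-07": "10.2.18-h5",  # one hotfix short of 10.2.18-h6: unpatched
    "fw-lab": "12.1.8",            # above 12.1.7, the first fully fixed 12.1 release: patched
    "fw-legacy": "10.1.14",        # branch not in the list: cannot decide from this advisory
}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:14s} {INVENTORY[host]:12s} {status}")
```

Anything that comes back "unpatched" or "unlisted-branch" goes straight to the mitigation options below; do not wait for the Wave 2 maintenance releases to settle that question.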
Who Is Already Exploiting This
Unit 42 is tracking CL-STA-1132, a state-sponsored threat cluster. Here is the documented attack timeline:
April 9, 2026 → Unsuccessful exploitation attempts begin
April ~16, 2026 → Successful RCE achieved
- Shellcode injected into nginx worker process
- Immediate log cleanup: crash kernel messages cleared, nginx crash entries deleted, core dump files removed
April 29, 2026 → Tools deployed with root privileges on a second device:
- EarthWorm (tunneling)
- ReverseSocks5 (tunneling)
- Active Directory enumeration begins using firewall service account credentials (targets: domain root, DomainDnsZones)
The firewall is not the end goal. It is the quietest pivot point on your network — it already holds service account credentials, sees all traffic, and sits trusted between segments. Once inside, attackers deleted ptrace injection evidence from the audit log and removed SUID privilege escalation binaries.
On May 6, 2026 a public PoC was published. That lowered the bar from nation-state actors to anyone motivated enough to run it.
Shadowserver Foundation tracked over 5,800 PAN-OS VM-Series firewalls exposed publicly — majority in Asia (2,466) and North America (1,998).
Are You Exposed?
Two conditions must both be true for your device to be vulnerable:
User-ID Authentication Portal is enabled in your PAN-OS config
The portal is reachable from untrusted or internet-facing interfaces
Check in the admin UI:
Device > User Identification > Authentication Portal Settings
If the portal is enabled and it is attached to any L3 interface on which untrusted or internet traffic can ingress (in particular, one that answers on ports 6081 or 6082), you are exposed until you mitigate or patch.
Emergency Mitigation Steps
No patch yet for your branch? Here is how to break the attack chain now, in order of preference:
Option A — Disable the portal entirely (cleanest)
If your environment does not actively need the Captive Portal:
Device > User Identification > Authentication Portal Settings > Disable
Done. No portal, no attack surface.
Option B — Restrict to trusted zones only
If you do need the portal for internal user identification workflows, lock it down so only trusted internal IPs can reach it.
Refer to Step 6 of Palo Alto's Live Community article and their Knowledgebase article kA14u000000CqbiCAC for the exact ACL steps.
Option C — Disable Response Pages on untrusted interfaces
This is the second layer of the official mitigation. In the Interface Management Profile for every L3 interface where untrusted or internet traffic ingresses:
Network > Network Profiles > Interface Mgmt
→ Disable "Response Pages" on untrusted/WAN-facing profiles
→ Keep Response Pages enabled only on trusted/internal zone interfaces
Option D — Apply Threat ID 510019 (PAN-OS 11.1+ only)
If you have a Threat Prevention subscription and run PAN-OS 11.1 or later:
Content version: 9097-10022
Threat ID: 510019
Enable it to detect and block active exploitation attempts.
⚠️ PAN-OS 10.2 users: Threat ID 510019 is not available to you due to decoder requirements. Your only mitigations are Options A, B, and C. You have no signature-based detection safety net until you patch.
Detection: What to Hunt For
If you want to check whether exploitation has already occurred in your environment:
Anomalous log gaps — look for unexplained deletions of nginx crash entries or missing core dump files. Successful exploitation was followed by immediate log cleanup in the documented CL-STA-1132 attacks.
Sigma detection rule (experimental) — Dataprise released a community rule targeting suspicious HTTP requests to /authportal/ with oversized payloads:
```yaml
detection:
  selection:
    EventID: 2001
    Message|contains: '/authportal/'
    Message|regex: '(?i)^[A-Z]{3,}\s+/authportal/.*.{1024,}'
  condition: selection
level: high
```
Cortex Xpanse — If you run Cortex, it can identify exposed User-ID Authentication Portal instances. The Cortex AgentiX Threat Intel agent also supports natural language queries against your tenant for CVE-2026-0300 sightings.
Ports to monitor — 6081 and 6082. If untrusted traffic is hitting these ports and you have not locked them down, that is worth investigating now, not at end of week.
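As an added example (not part of the article and not the Dataprise rule itself), the following Python applies the Sigma selection quoted above to constructed events and, for the ports-to-monitor point, flags sessions that reached 6081 or 6082 from a zone you do not trust. The event dicts carry the two fields the rule references (EventID and Message); the session field names (src_zone, src_ip, dport) are this example's own choice, not a PAN-OS log schema, and every sample record is constructed.

```python
import re

# Regex copied from the community Sigma rule quoted above: a request line whose
# method is 3+ letters, whose path starts with /authportal/, and which carries
# at least 1024 further characters (an oversized payload).
AUTHPORTAL_OVERSIZED_RE = re.compile(r"(?i)^[A-Z]{3,}\s+/authportal/.*.{1024,}")

# Ports the Captive Portal listens on, per the article.
PORTAL_PORTS = {6081, 6082}


def matches_authportal_rule(event):
    """Evaluate the rule's 'selection' block against one event.

    Sigma ANDs the keys inside a single selection, so all three conditions
    (EventID, the contains test, and the regex) must hold.
    """
    message = event.get("Message", "")
    return (
        event.get("EventID") == 2001
        and "/authportal/" in message
        and AUTHPORTAL_OVERSIZED_RE.search(message) is not None
    )


def hunt_authportal_events(events):
    """Return the indices of events that trip the rule, in order."""
    return [i for i, ev in enumerate(events) if matches_authportal_rule(ev)]


def untrusted_portal_hits(sessions, trusted_zones):
    """Return sessions that reached a portal port from a zone not in trusted_zones.

    Field names here (src_zone, src_ip, dport) are chosen for this example
    and are not a PAN-OS traffic-log schema.
    """
    return [
        s for s in sessions
        if s["dport"] in PORTAL_PORTS and s["src_zone"] not in trusted_zones
    ]


# Constructed sample data; nothing below was captured from a real firewall.
SAMPLE_EVENTS = [
    # Ordinary portal login: short request line, must not alert.
    {"EventID": 2001, "Message": "GET /authportal/login?token=abc123 HTTP/1.1"},
    # Oversized request to the portal path: should alert.
    {"EventID": 2001, "Message": "POST /authportal/" + "A" * 1500 + " HTTP/1.1"},
    # Oversized request to another path: outside the rule's scope.
    {"EventID": 2001, "Message": "POST /php/login.php " + "A" * 1500},
    # Right shape but wrong EventID: the rule is scoped to 2001 only.
    {"EventID": 3001, "Message": "POST /authportal/" + "A" * 1500},
]

SAMPLE_SESSIONS = [
    {"src_zone": "trust", "src_ip": "10.10.5.23", "dport": 6081},
    {"src_zone": "untrust", "src_ip": "203.0.113.77", "dport": 6082},
    {"src_zone": "untrust", "src_ip": "203.0.113.78", "dport": 443},
    {"src_zone": "guest", "src_ip": "172.16.40.9", "dport": 6081},
]

if __name__ == "__main__":
    for i in hunt_authportal_events(SAMPLE_EVENTS):
        print(f"ALERT  event[{i}]: {SAMPLE_EVENTS[i]['Message'][:40]}...")
    for s in untrusted_portal_hits(SAMPLE_SESSIONS, trusted_zones={"trust"}):
        print(f"REVIEW portal hit from zone {s['src_zone']} {s['src_ip']} -> :{s['dport']}")
```

The rule is scoped to EventID 2001 and a 1024-character threshold, so expect it to miss requests logged under a different event type or padded below that size; treat a hit as a reason to pull the device's nginx and crash logs and compare them with what should be there, not as a verdict on its own.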
CISA Context
CISA added CVE-2026-0300 to the Known Exploited Vulnerabilities (KEV) catalog on May 6, 2026. Federal Civilian Executive Branch agencies were required to apply fixes or mitigations by May 9, 2026 under Binding Operational Directive 22-01.
The KEV catalog is not a theoretical risk list. It only includes vulnerabilities with confirmed evidence of exploitation. When something lands there, it means real attackers are already using it against real targets. Private sector defenders should treat a KEV listing as an exploitation signal even when BOD 22-01 does not directly apply.
CVE-2026-0300 currently sits in the KEV catalog alongside 12 other Palo Alto product vulnerabilities. 2024 saw 7 exploited PAN-OS flaws. 2025 had 2. We are in May 2026 and already at 1 critical.
The Bigger Pattern in 2026
Three critical edge device vulnerabilities have hit production networks this year:
- SonicWall CVE-2026-0204 — authentication bypass
- A combined SonicWall/Fortinet campaign that reportedly hit 56% of targeted networks
- CVE-2026-0300 — this one
Edge devices are the highest-value target on most networks right now because compromising one gives you:
- Root access to the device that sees all traffic, handles all VPN sessions, and enforces all policies
- Service account credentials with AD access already baked in
- A trusted internal position from which to enumerate, pivot, and stay quiet
The perimeter appliance was supposed to be the thing that stopped lateral movement. When it is the entry point, the whole model needs rethinking.
Summary Checklist
[ ] Check if User-ID Authentication Portal is enabled
→ Device > User Identification > Authentication Portal Settings
[ ] Check if portal is reachable from untrusted/internet interfaces
→ Look for L3 interfaces exposing ports 6081 or 6082
[ ] Option A: Disable portal if not needed
[ ] Option B: Restrict portal access to trusted IPs only
→ Reference KB article kA14u000000CqbiCAC, Step 6
[ ] Option C: Disable Response Pages on untrusted Interface Mgmt Profiles
→ Network > Network Profiles > Interface Mgmt
[ ] Option D: Enable Threat ID 510019 (PAN-OS 11.1+ with Threat Prevention)
→ Content version 9097-10022
[ ] Verify patch version once Wave 1 (May 13) or Wave 2 (May 28) ships
→ Check for hotfix suffix strings in build number
[ ] Hunt for log gaps: nginx crash deletions, missing core dumps
[ ] Review Sigma rule for /authportal/ anomalies if you have SIEM
Click here for more details https://blog.jazzcybershield.com/palo-alto-pan-os-zero-day-cve-2026-0300/