CVE-2026-0300: PAN-OS User-ID Authentication Portal RCE Vulnerability
A critical out-of-bounds write vulnerability (CVE-2026-0300) in Palo Alto Networks PAN-OS User-ID Authentication Portal allows unauthenticated attackers to achieve root-level arbitrary code execution. This affects PA-Series and VM-Series firewalls, posing a significant risk if the portal is publicly exposed. The vulnerability has a CVSS 3.1 score of 9.8 (CRITICAL) and is listed in CISA’s KEV catalog, indicating active exploitation.
Overview
CVE-2026-0300 is a critical out-of-bounds write vulnerability affecting Palo Alto Networks PAN-OS software. This flaw in the User-ID™ Authentication Portal (Captive Portal) service permits an unauthenticated attacker to execute arbitrary code with root privileges on vulnerable PA-Series and VM-Series firewalls. Its high severity (CVSS 9.8) and potential for unauthenticated remote code execution make it a significant threat, especially if the Captive Portal is internet-facing and not properly secured.
Technical Analysis
- Vulnerability: CVE-2026-0300, an out-of-bounds write (CWE-787), specifically described as a buffer overflow.
- Affected Service: User-ID™ Authentication Portal (also known as Captive Portal) service.
- Attack Vector: An unauthenticated attacker can execute arbitrary code by sending specially crafted packets to the vulnerable service.
- Impact: Arbitrary code execution with root privileges on the affected firewall.
- Affected Products: Palo Alto Networks PAN-OS versions 10.2.0 through 10.2.9.
- Unaffected Products: Prisma Access, Cloud NGFW, and Panorama appliances are not impacted by this vulnerability.
- Prerequisites: The User-ID™ Authentication Portal must be enabled and accessible to the attacker. The risk is significantly reduced if access to the portal is restricted to trusted internal IP addresses.
Detection
- Monitor firewall logs for unusual connection attempts or traffic patterns directed at the User-ID Authentication Portal service, in particular connections from source addresses outside the ranges that are supposed to reach the portal.
- Look for unexpected process creation or command execution originating from the firewall's operating system, particularly with root privileges.
- Analyze network traffic for specially crafted packets targeting the Captive Portal, though specific signatures may not be publicly available at the time of writing.
- Hunt for signs of post-exploitation activity, such as outbound connections to unknown external IPs, unusual file modifications, or attempts to establish persistence, and match outbound connections and dropped files against the indicators listed in the Indicators of Compromise section.
- Review system logs for crashes or restarts of the User-ID or Captive Portal services; a failed out-of-bounds write attempt can surface as a service crash before a working exploit is landed.
Mitigations
- Restrict Access: Immediately restrict access to the User-ID™ Authentication Portal (Captive Portal) to only trusted internal IP addresses. This is the primary recommended mitigation to significantly reduce exposure, as highlighted in Palo Alto Networks’ best practice guidelines.
- Apply Patches: Apply vendor-provided patches for CVE-2026-0300 as soon as they are available for your specific PAN-OS version. No fixed versions were provided in the source material, so consult the Palo Alto Networks security advisory listed under References for the fixed releases and prioritize the update.
- Network Segmentation: Isolate firewalls running vulnerable PAN-OS versions from untrusted networks where possible to limit the attack surface.
- Monitor Firewall Activity: Implement robust monitoring for all firewall management interfaces and services, including the Captive Portal, to detect anomalous behavior.
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-0300
- https://security.paloaltonetworks.com/CVE-2026-0300
- https://cert-portal.siemens.com/productcert/html/ssa-967325.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-0300
- https://knowledgebase.paloaltonetworks.com/KCSArticleDetail
- https://unit42.paloaltonetworks.com/captive-portal-zero-day/
Indicators of Compromise
| Type | Value | Description |
|---|---|---|
| SHA256 | e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584 | EarthWorm payload hash |
| IP Address | 136.0.8.48 | Attacker IP |
| IP Address | 146.70.100.69 | C2 staging server |
| IP Address | 149.104.66.84 | Attacker IP |
| IP Address | 67.206.213.86 | Attacker IP |
| URL | http://146.70.100.69:8000/php_sess | EarthWorm download URL |

All indicators above are taken from the Unit 42 report (https://unit42.paloaltonetworks.com/captive-portal-zero-day/) listed under References.
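As an added example that is not part of the original advisory or of any Palo Alto Networks tooling, the following Python script ties together the Detection guidance (untrusted connections to the portal, service crashes or restarts), the trusted-source restriction from Mitigations, and the indicators in the table above. The log line layout, the trusted internal ranges, the portal interface address 203.0.113.10 and the portal port numbers (TCP 6080-6082, the PAN-OS Authentication Portal defaults) are assumptions of this example; adapt CONN_RE, TRUSTED_NETS and PORTAL_PORTS to your own log export and configuration.

```python
"""Added example (not from the advisory): triage exported firewall log lines
against the advisory's Detection guidance and its published IoCs.

Assumptions (adjust to your environment):
  * The log layout "timestamp event=<type> key=value ..." is constructed for
    this example and is not a real PAN-OS export; rewrite CONN_RE for yours.
  * TRUSTED_NETS are the internal ranges allowed to reach the portal.
  * PORTAL_PORTS are TCP 6080-6082, the PAN-OS Authentication Portal defaults.
"""
import ipaddress
import re

# Indicators exactly as published on this page (Unit 42 reporting).
IOC_IPS = {"136.0.8.48", "146.70.100.69", "149.104.66.84", "67.206.213.86"}
IOC_URLS = {"http://146.70.100.69:8000/php_sess"}
IOC_SHA256 = {"e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584"}

# Assumption: only these ranges should ever reach the Authentication Portal.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]
# Assumption: the portal listens on the PAN-OS default Captive Portal ports.
PORTAL_PORTS = {6080, 6081, 6082}

CONN_RE = re.compile(r"event=traffic src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"']+")
SHA_RE = re.compile(r"\b[0-9a-f]{64}\b")
# A crash or restart of the portal service may be a failed exploit attempt.
CRASH_RE = re.compile(r"(?i)(captive|authentication) portal.*(crash|restart|core dump|segfault)")


def is_trusted(ip):
    """True if ip falls inside one of TRUSTED_NETS; unparsable input is untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def triage_line(line):
    """Return [(rule, detail), ...] for one log line; an empty list means clean."""
    findings = []
    m = CONN_RE.search(line)
    # Rule 1: a connection to a portal port from outside the trusted ranges.
    if (m and int(m["dport"]) in PORTAL_PORTS
            and IP_RE.fullmatch(m["src"]) and not is_trusted(m["src"])):
        findings.append(("untrusted-portal-access", m["src"]))
    # Rule 2: any published indicator appearing anywhere in the line.
    findings += [("ioc-ip", ip) for ip in IP_RE.findall(line) if ip in IOC_IPS]
    findings += [("ioc-url", u) for u in URL_RE.findall(line) if u in IOC_URLS]
    findings += [("ioc-sha256", h) for h in SHA_RE.findall(line) if h in IOC_SHA256]
    # Rule 3: portal service crash or restart messages.
    if CRASH_RE.search(line):
        findings.append(("portal-crash-or-restart", line.strip()))
    return findings


def triage(lines):
    """Run triage_line over every line; return [(line_no, rule, detail), ...]."""
    return [(n, rule, detail)
            for n, line in enumerate(lines, 1)
            for rule, detail in triage_line(line)]


# Constructed sample log lines; 203.0.113.10 stands in for the portal interface.
SAMPLE_LOGS = [
    "2026-01-10T02:14:07Z event=traffic src=10.20.30.40 dst=203.0.113.10 dport=6082 action=allow",
    "2026-01-10T02:14:09Z event=traffic src=149.104.66.84 dst=203.0.113.10 dport=6082 action=allow",
    '2026-01-10T02:14:11Z event=system msg="captive portal process restarted (core dump written)"',
    "2026-01-10T02:14:30Z event=traffic src=203.0.113.10 dst=146.70.100.69 dport=8000 action=allow",
    '2026-01-10T02:14:31Z event=url msg="fetched http://146.70.100.69:8000/php_sess"',
    "2026-01-10T02:15:00Z event=file sha256=e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584 path=/tmp/php_sess",
    "2026-01-10T02:16:00Z event=traffic src=192.168.5.7 dst=203.0.113.10 dport=443 action=allow",
]

if __name__ == "__main__":
    for n, rule, detail in triage(SAMPLE_LOGS):
        print(f"line {n}: {rule}: {detail}")
```

Lines 1 and 7 of the sample are clean (trusted source, or a non-portal port); line 2 trips both the untrusted-access rule and an IoC match, which is the combination worth escalating first, since it shows an attacker address actually reaching the vulnerable service rather than merely appearing in outbound traffic.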
MITRE ATT&CK
- T1190 — Exploit Public-Facing Application
- T1059 — Command and Scripting Interpreter
- T1068 — Exploitation for Privilege Escalation
- T1498.001 — Direct Network Flood
- T1087.002 — Domain Account
- T1021.004 — SSH
- T1071 — Application Layer Protocol
- T1055 — Process Injection
- T1572 — Protocol Tunneling
- T1070.001 — Clear Windows Event Logs
- T1016 — System Network Configuration Discovery
- T1090 — Proxy
- T1098 — Account Manipulation
- T1562.001 — Disable or Modify Tools
- T1078 — Valid Accounts
- T1078.002 — Domain Accounts
- T1070.004 — File Deletion
- T1071.001 — Web Protocols
- T1018 — Remote System Discovery
- T1105 — Ingress Tool Transfer
- T1021.001 — Remote Desktop Protocol
Generated by gemini-2.5-flash (1,802 input / 1,120 output tokens). Reviewed and approved by a human analyst before publication.