Critical Unauthenticated Buffer Overflow in PAN-OS User-ID Authentication Portal — CVE-2026-0300 (RCE as Root)
CVE-2026-0300 is a CWE-787 buffer overflow in the PAN-OS User-ID Authentication Portal (Captive Portal) that allows unauthenticated remote code execution as root via specially crafted packets. PA-Series and VM-Series firewalls that have the Authentication Portal enabled and reachable from untrusted networks are vulnerable; no credentials are required. State-sponsored threat cluster CL-STA-1132 is actively exploiting this vulnerability in the wild. Immediate mitigation is to disable the Authentication Portal or restrict it to trusted internal zones only; vendor patches are rolling out May 13–28, 2026.
Indicators
- Authentication Portal (Captive Portal) enabled and reachable from untrusted or internet-facing interfaces
- Unexpected process crashes or restarts on the PAN-OS dataplane associated with the User-ID Authentication Portal service
- Post-exploitation indicator: open-source tunneling tools deployed on the firewall filesystem
- Active Directory enumeration traffic originating from or through the firewall following Authentication Portal exposure
- Inbound specially crafted packets targeting the Authentication Portal from external or untrusted source IPs
- CVE-2026-0300 flagged in CISA KEV catalog — any internet-exposed Authentication Portal should be treated as potentially compromised
- Unexpected outbound tunneling connections from firewall management plane
Likely causes
- CWE-787 out-of-bounds write (buffer overflow) in the User-ID Authentication Portal component of PAN-OS, exploitable by sending specially crafted packets to the portal endpoint
- Authentication Portal exposed to untrusted IP address ranges or the public internet, removing network-layer mitigations
- Authentication Portal feature enabled on a device (non-default, but present in many enterprise deployments using IP-to-username mapping)
Diagnostic steps
- Check whether the User-ID Authentication Portal is enabled: in the web UI, navigate to Device > User Identification > Authentication Portal Settings and check the state of 'Enable Authentication Portal'; via CLI, run 'show user-id-agent config all'. This confirms whether the vulnerable component is active: if the Authentication Portal is not enabled, the device is not exposed to CVE-2026-0300.
- Determine the exact PAN-OS version via CLI with 'show system info | match sw-version', or check the web UI Dashboard under General Information. Establish whether each device runs an affected version (12.1 <= 12.1.4-h5, 11.2 <= 11.2.4-h17, 11.1 <= 11.1.4-h33, 10.2 <= 10.2.7-h34) to prioritise remediation.
- Review zone configuration to determine Authentication Portal exposure: check Network > Zones and Network > Interfaces to identify which zones can reach the portal service, and review the Security Policy rules that permit traffic to it. This establishes the actual attack surface: exploitation requires the portal to be reachable from untrusted IPs or the public internet.
- Search Shodan for your organisation's public IP ranges ('shodan search "PAN-OS" net:YOUR.IP.RANGE/24', or the Shodan web interface) to confirm whether any exposed devices have the Authentication Portal responding externally. This quantifies external exposure: Shodan identifies approximately 225,000 internet-facing PAN-OS instances globally, so validate whether your assets are among them.
- Review firewall logs for suspicious activity with 'show log system' and 'show log traffic', looking for unexpected crashes, restarts, or anomalous connection patterns to the Authentication Portal interface. This can surface exploitation attempts or a successful compromise before mitigations are applied.
- Search endpoint telemetry and the firewall filesystem for post-exploitation indicators: open-source tunneling tools (e.g. chisel, ngrok, frp), unexpected outbound connections, or Active Directory enumeration traffic originating from the firewall. These match the known TTPs of threat cluster CL-STA-1132, which deploys tunneling tools and conducts AD enumeration after initial access.
- Confirm that CVE-2026-0300 appears in vulnerability scan results by running an authenticated scan against PAN-OS devices with Rapid7 InsightVM, Nexpose, or Exposure Command. This validates that vulnerability management tooling detects the exposure so affected assets appear in remediation workflows.
Resolution path
- IMMEDIATE WORKAROUND (Option A — Restrict Access): Restrict User-ID Authentication Portal access to only trusted internal zones. Navigate to Device > User Identification > Authentication Portal Settings and configure allowed source zones to exclude untrusted/internet-facing zones. Apply and commit configuration. Alternatively, add Security Policy rules to block external access to the portal service.
- IMMEDIATE WORKAROUND (Option B — Disable Feature): If Authentication Portal is not required, disable it entirely: Device > User Identification > Authentication Portal Settings > uncheck 'Enable Authentication Portal'. Click OK, then Commit the configuration change.
- PATCH (Priority — Apply Fixed Versions): Download and install vendor-released fixed versions as soon as available. Fixed version matrix: PAN-OS 12.1 >= 12.1.7 | PAN-OS 11.2 >= 11.2.7-h13 or >= 11.2.10-h6 or >= 11.2.12 | PAN-OS 11.1 >= 11.1.6-h32 or >= 11.1.7-h6 or >= 11.1.10-h25 or >= 11.1.13-h5 or >= 11.1.15 | PAN-OS 10.2 >= 10.2.10-h36 or >= 10.2.18-h6. Patches released May 13–28, 2026.
- POST-PATCH: After applying patches, re-enable Authentication Portal only if required for business operations. Ensure portal remains restricted to trusted internal zones only — never exposed to untrusted IPs or the internet.
- INCIDENT RESPONSE (If Compromise Suspected): If post-exploitation indicators are found (tunneling tools, AD enumeration originating from firewall), treat the device as compromised. Isolate the firewall immediately, engage incident response procedures, preserve logs and filesystem for forensics, and contact Palo Alto Networks support and Unit 42.
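The version check in the diagnostic steps and the fixed-version matrix in the PATCH step above can be combined into one triage script for a fleet of firewalls. The following is an added example, not code from this page or from Palo Alto Networks. It parses the sw-version field of 'show system info' output, compares the running version against the matrix, and classifies it as fixed, affected, or not listed in this advisory. It assumes the usual reading of PAN-OS hotfix notation (a fix given as 11.2.7-h13 covers only the 11.2.7 release at hotfix 13 or later; a fix given as 11.2.12 covers 11.2.12 and every later 11.2 release); the sample CLI output is constructed.

```python
import re

# Fixed-version matrix, copied from this advisory's Resolution path, keyed by train.
# Assumption: a hotfix entry such as "11.2.7-h13" covers only the 11.2.7 maintenance
# release at that hotfix level or later; an entry without a hotfix, such as "11.2.12",
# covers that maintenance release and every later one in the same train.
FIXED_VERSIONS = {
    "12.1": ["12.1.7"],
    "11.2": ["11.2.7-h13", "11.2.10-h6", "11.2.12"],
    "11.1": ["11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15"],
    "10.2": ["10.2.10-h36", "10.2.18-h6"],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Split '11.1.6-h31' into (major, minor, maintenance, hotfix); hotfix is 0 if absent."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def meets_fix(running, fixed):
    """True if `running` is on or after the fixed release `fixed` (same train only)."""
    r, f = parse_version(running), parse_version(fixed)
    if r[:2] != f[:2]:
        return False
    if f[3]:
        # Hotfix-specific fix: same maintenance release, hotfix at or above the fixed one.
        return r[2] == f[2] and r[3] >= f[3]
    # Maintenance-release fix: that release (any hotfix) or any later release in the train.
    return r[2] >= f[2]


def assess(running):
    """Return ('fixed' | 'affected' | 'unlisted', matching fixed version or None)."""
    major, minor, _, _ = parse_version(running)
    train = f"{major}.{minor}"
    if train not in FIXED_VERSIONS:
        # Train not covered by this advisory's matrix; consult the vendor advisory.
        return "unlisted", None
    for fixed in FIXED_VERSIONS[train]:
        if meets_fix(running, fixed):
            return "fixed", fixed
    # No fixed release covers this version, so treat it as affected.
    return "affected", None


def sw_version_from_show_system_info(output):
    """Pull the sw-version field out of 'show system info' output."""
    m = re.search(r"^sw-version:\s*(\S+)", output, re.MULTILINE)
    if not m:
        raise ValueError("no sw-version line found in output")
    return m.group(1)


# Constructed sample of 'show system info' output; not captured from a real device.
SAMPLE_SHOW_SYSTEM_INFO = """hostname: fw-edge-01
model: PA-3260
sw-version: 11.1.6-h31
app-version: 8900-9500
"""

if __name__ == "__main__":
    version = sw_version_from_show_system_info(SAMPLE_SHOW_SYSTEM_INFO)
    status, fixed = assess(version)
    print(version, status, fixed)  # 11.1.6-h31 affected None
```

The sample device is one hotfix short of 11.1.6-h32 and is correctly reported as affected. Versions that sit above the advisory's affected ceiling but below the first fixed release in their train (for example 11.2.5 through 11.2.7-h12) are also reported as affected, because no fixed release covers them; an 'unlisted' verdict only means the train does not appear in this advisory's matrix, not that it is safe.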
Prevention
- Never expose the PAN-OS User-ID Authentication Portal to untrusted IP addresses or the public internet — always restrict portal access to trusted internal zones only, regardless of PAN-OS version
- Disable the Authentication Portal entirely on any device where IP-to-username mapping via Captive Portal is not a documented business requirement — the feature is non-default and unnecessary in many deployments
- Establish a patch management process that prioritises critical-severity PAN-OS advisories (CVSSv4 >= 9.0) with a target remediation window of less than 72 hours, applying vendor workarounds immediately while patches are prepared
- Monitor CISA KEV additions for PAN-OS CVEs and maintain continuous external attack surface monitoring (e.g., Shodan, Rapid7 Exposure Command) to detect any unintended internet exposure of management or portal services
- Subscribe to Palo Alto Networks security advisories and Unit 42 threat intelligence feeds to receive early warning of newly confirmed exploitation activity targeting PAN-OS vulnerabilities
- Implement network segmentation ensuring firewall management interfaces and optional services like Authentication Portal are never accessible from user VLANs or external networks
Tools
- Shodan (external attack surface discovery — identify internet-facing PAN-OS instances)
- Rapid7 Exposure Command (vulnerability assessment and exposure management for CVE-2026-0300)
- Rapid7 InsightVM / Nexpose (vulnerability scanning and detection of affected PAN-OS versions)
- PAN-OS CLI — 'show system info', 'show user-id-agent config all' (confirm running version and feature status)
- Palo Alto Networks Unit 42 Threat Intelligence (threat brief for CL-STA-1132 TTP attribution)
- CISA KEV Catalog (authoritative list of actively exploited vulnerabilities)