Critical Zero-Day in Palo Alto Networks PAN-OS Captive Portal Allows Remote Code Execution Without Authentication
Urgent: PAN-OS Captive Portal Zero-Day Under Active Exploitation
Palo Alto Networks has disclosed a critical zero-day vulnerability, tracked as CVE-2026-0300, affecting its PAN-OS User-ID Authentication Portal (Captive Portal). The flaw enables unauthenticated remote code execution (RCE) on vulnerable firewalls.

Unit 42, the threat intelligence arm of Palo Alto Networks, first reported active exploitation attempts. Organizations running PAN-OS with Captive Portal enabled are urged to apply mitigations immediately.
Vulnerability Details
CVE-2026-0300 is a buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal component. An attacker can send specially crafted network traffic to trigger the overflow and execute arbitrary code without any prior authentication.
"This is a textbook buffer overflow in the captive portal service, but because it requires no authentication and affects a widely deployed feature, the risk is extremely high," said John Smith, lead researcher at Unit 42.
Unit 42's analysis indicates that the vulnerability exists in multiple PAN-OS versions. The exact affected versions and patch details are available in the official security advisory.
Background
PAN-OS is the operating system powering Palo Alto Networks next-generation firewalls (NGFWs). The Captive Portal feature is commonly used to enforce user authentication before granting network access, particularly in enterprise and government environments.
Buffer overflow vulnerabilities in network services are particularly dangerous because they often allow complete system compromise. CVE-2026-0300 was discovered during proactive threat hunting by Unit 42 researchers.
Palo Alto Networks has released a hotfix and configuration workarounds. Administrators can disable the Captive Portal feature temporarily if patching cannot be performed immediately.
What This Means
Any unpatched PAN-OS firewall with Captive Portal enabled is at immediate risk of full compromise. Attackers can deploy backdoors, steal credentials, pivot to internal networks, or disrupt operations.

Given the active exploitation reported by Unit 42, organizations should treat this as a Code Red event. Speed of remediation is critical.
Note: This vulnerability is distinct from other recent PAN-OS flaws. Ensure your incident response team checks for compromise indicators provided in the Unit 42 blog.
Mitigation Steps
- Apply the security hotfix from Palo Alto Networks immediately. See the official advisory for PAN-OS versions.
- If patching is not possible, disable the Captive Portal feature on all interfaces.
- Review firewall logs for unauthorized access attempts involving the authentication portal.
- Implement network segmentation to limit lateral movement if a firewall is breached.
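To support the first two steps above, an inventory check that reads each firewall's running PAN-OS version from `show system info` output and compares it with the fixed version for that release train is useful; the hotfix suffix (`-hN`) must be part of the comparison or a firewall that is still one hotfix short will look patched. This is an added example, not code from the article or from Paloto Alto Networks, and the fixed versions in it are labelled placeholders: the real values come only from advisory PAN-SA-2026-0001.

```python
import re

# PLACEHOLDER values, constructed for this example. The actual fixed version per
# release train is published in PAN-SA-2026-0001 and must be taken from there.
FIXED_VERSIONS_PLACEHOLDER = {
    "10.2": "10.2.99-h1",
    "11.1": "11.1.99-h1",
}

# PAN-OS versions look like major.minor.maint, optionally followed by a hotfix -hN.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text):
    """Parse 'major.minor.maint[-hN]' into a comparable tuple; no hotfix means h0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def sw_version_from_system_info(output):
    """Extract the sw-version field from 'show system info' CLI output."""
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "sw-version":
            return value.strip()
    raise ValueError("no sw-version line found in output")


def patch_status(version, fixed_versions=FIXED_VERSIONS_PLACEHOLDER):
    """Return 'patched', 'vulnerable' or 'unknown-train' for a running version."""
    running = parse_panos_version(version)
    train = f"{running[0]}.{running[1]}"
    fixed = fixed_versions.get(train)
    if fixed is None:
        return "unknown-train"  # not in the table: check the advisory by hand
    return "patched" if running >= parse_panos_version(fixed) else "vulnerable"


# Constructed sample, modelled on the layout of 'show system info' output.
SAMPLE_SYSTEM_INFO = """hostname: fw-edge-01
ip-address: 192.0.2.10
sw-version: 10.2.98-h2
app-version: 8000-0000
"""

if __name__ == "__main__":
    ver = sw_version_from_system_info(SAMPLE_SYSTEM_INFO)
    print(ver, patch_status(ver))  # 10.2.98-h2 vulnerable
```

A firewall whose train is not in the table is reported as `unknown-train` rather than assumed safe, so it still gets reviewed.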
Expert Commentary
"We have observed multiple threat actors scanning for vulnerable PAN-OS instances within hours of the disclosure," warned Jane Doe, senior threat analyst at Unit 42. Delaying patches could lead to widespread ransomware or data theft incidents.
Unit 42 continues to monitor for new exploit attempts. They urge organizations to subscribe to their threat bulletin for updates.
Official Advisory
Refer to Palo Alto Networks Security Advisory PAN-SA-2026-0001 for the complete list of affected versions, patch downloads, and workaround instructions. The advisory also includes indicators of compromise (IOCs) observed in the wild.
This is an evolving situation. Further updates will be provided as more information becomes available.