PAN-OS Captive Portal Zero-Day: Key Questions and Answers on CVE-2026-0300

This Q&A summary explains CVE-2026-0300, a critical buffer overflow flaw in the PAN-OS User-ID Authentication Portal (Captive Portal). Unit 42 researchers discovered active exploitation of this zero-day vulnerability, allowing unauthenticated remote code execution. Below are the most pressing questions about the threat, its impact, and how to protect your network.

What is CVE-2026-0300 and which PAN-OS components are affected?

CVE-2026-0300 is a buffer overflow vulnerability found in the PAN-OS User-ID Authentication Portal, also known as the Captive Portal. This feature is used to authenticate users before granting network access. The flaw resides in how the portal processes specially crafted HTTP requests. When exploited, an attacker can overflow a memory buffer, leading to arbitrary code execution. The vulnerability affects all PAN-OS versions that have this portal enabled. No authentication is required for exploitation, making it especially dangerous. Unit 42 advises checking PAN-OS release notes for specific version listings. The vulnerability was disclosed as a zero-day, meaning it was exploited before a patch was widely available.

Source: unit42.paloaltonetworks.com

How does the exploit work to achieve unauthenticated remote code execution?

The exploit leverages a buffer overflow in the Captive Portal's HTTP parsing logic. An attacker sends a malicious HTTP request to the portal, typically on TCP port 8084 or 8085 depending on configuration. The request contains data that exceeds the expected buffer size and overwrites adjacent memory. By carefully crafting the payload, the attacker can inject and execute arbitrary code with the privileges of the web server process. Since the portal is designed to be reached by users who have not yet authenticated, no prior credentials are needed. Unit 42 observed active exploitation attempts in the wild, indicating that proof-of-concept code is already available. Successful code execution allows the attacker to install backdoors, steal data, or pivot to internal network systems.

What is the potential impact on affected PAN-OS firewalls?

The impact is severe: a successful exploit grants the attacker full remote control over the affected firewall. Because the firewall stands at the network perimeter, this undermines the organization's primary security barrier. The attacker can modify security policies, disable logging, extract VPN configurations, and move laterally into the internal network. In some cases, the captive portal process runs with elevated privileges, enabling the attacker to gain root-level access. This could lead to persistent backdoors, data exfiltration, and disruption of network operations. Unit 42 emphasizes that any firewall with the User-ID Authentication Portal enabled is at risk, even if it is not directly exposed to the internet, since exploitation from inside the network is also possible.

How was this vulnerability discovered and reported?

Unit 42, the threat intelligence team at Palo Alto Networks, discovered the vulnerability during routine threat monitoring. They observed anomalous traffic patterns targeting PAN-OS firewalls that did not match known exploit signatures. Further analysis revealed the buffer overflow in the Captive Portal component. After verifying the issue, Unit 42 responsibly disclosed it to the Palo Alto Networks product security team. A coordinated advisory was released, assigning the CVE identifier CVE-2026-0300. The team also published indicators of compromise (IoCs) to help defenders identify ongoing attacks. The discovery underscores the importance of continuous monitoring and collaboration between researchers and vendors.

Which systems are vulnerable and what should administrators do to mitigate the risk?

All PAN-OS versions that have the User-ID Authentication Portal enabled are vulnerable. This includes physical and virtual firewalls running PAN-OS 10.x and 11.x (specific versions are listed in the official advisory). The immediate mitigation is to apply the security hotfix provided by Palo Alto Networks. If patching is not possible, administrators should disable the captive portal feature entirely, unless it is required for business operations. If it must remain enabled, restrict source IP access to trusted networks only using firewall rules. Additionally, Unit 42 recommends reviewing logs for unusual HTTP requests to port 8084/8085 and investigating any unexpected code execution events. Organizations using Palo Alto Networks products should also enable Threat Prevention and Intrusion Prevention signatures if available.
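The log review recommended above can be scripted. The following is an added example written for this summary; it is not Unit 42 or Palo Alto Networks code and does not use the real PAN-OS traffic log format. The log lines are constructed in a simple key=value layout, the portal ports 8084 and 8085 come from the text, and the trusted networks, the byte threshold, and the function names are assumptions chosen for the illustration. It flags portal connections from outside the trusted ranges, unusually large requests to the portal ports, and counts denied attempts per source so that scanning stands out.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Captive Portal listening ports named in the advisory summary.
PORTAL_PORTS = {8084, 8085}

# Assumption: the networks from which portal logins are legitimately expected.
TRUSTED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumption: a captive-portal login exchange is small; requests larger than
# this toward the portal ports are worth a closer look. The page gives no figure.
SUSPICIOUS_BYTES = 4096

# Constructed sample log lines (not real PAN-OS output).
SAMPLE_LOG = [
    "ts=2026-01-15T09:00:01Z src=10.1.2.3 dst=10.0.0.1 dport=8084 bytes=812 action=allow",
    "ts=2026-01-15T09:00:05Z src=203.0.113.7 dst=198.51.100.1 dport=8084 bytes=17421 action=allow",
    "ts=2026-01-15T09:00:09Z src=10.1.2.9 dst=10.0.0.1 dport=443 bytes=9000 action=allow",
    "ts=2026-01-15T09:00:12Z src=192.168.5.20 dst=10.0.0.1 dport=8085 bytes=9300 action=allow",
    "ts=2026-01-15T09:00:20Z src=203.0.113.8 dst=198.51.100.1 dport=8085 bytes=300 action=deny",
]


@dataclass
class Finding:
    line_no: int
    src: str
    dport: int
    reason: str


def parse_line(line):
    """Split a constructed 'key=value key=value' log line into a dict."""
    return dict(part.split("=", 1) for part in line.split())


def review(log_lines, trusted=TRUSTED_NETS, threshold=SUSPICIOUS_BYTES):
    """Return findings for traffic to the portal ports that deserves investigation."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        f = parse_line(line)
        dport = int(f["dport"])
        if dport not in PORTAL_PORTS:
            continue  # only the portal ports matter for this review
        src = ipaddress.ip_address(f["src"])
        if not any(src in net for net in trusted):
            findings.append(Finding(n, str(src), dport, "portal reached from untrusted source"))
        if int(f["bytes"]) > threshold:
            findings.append(Finding(n, str(src), dport, "oversized request to portal"))
    return findings


def denied_by_source(log_lines):
    """Count denied connection attempts to the portal ports per source address.

    Repeated denies from one source are the signature of scanning once the
    access restrictions described above are in place.
    """
    counts = Counter()
    for line in log_lines:
        f = parse_line(line)
        if int(f["dport"]) in PORTAL_PORTS and f["action"] == "deny":
            counts[f["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(f"line {finding.line_no}: {finding.src} -> port {finding.dport}: {finding.reason}")
    print("denied attempts per source:", denied_by_source(SAMPLE_LOG))
```

Run against a real export, the parser is the only part that needs changing; the two checks and the deny counter work on any source that yields the source address, destination port, request size and action per connection.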

Are there any known workarounds if patching is delayed?

Yes, if immediate patching is not feasible, several workarounds can reduce exposure. The most effective workaround is to disable the User-ID Authentication Portal on the management interface and any untrusted interfaces. This can be done via the PAN-OS web interface under Device > Setup > Management > User-ID Authentication Portal. If the portal is required for captive portal authentication, ensure it is only exposed to trusted internal networks and not to the internet. Use strict access control lists to limit which IPs can connect to the portal ports. Enable logging for all denied connection attempts to detect scanning. Additionally, deploy a Web Application Firewall (WAF) or intrusion prevention system in front of the firewall to filter malicious payloads. However, these workarounds do not eliminate the vulnerability; patching remains the only complete fix.

What steps has Palo Alto Networks taken to address CVE-2026-0300?

Palo Alto Networks has released a security advisory (PAN-SA-2026-XXXX) detailing the vulnerability and providing hotfix versions for all affected PAN-OS releases. The fix addresses the buffer overflow by adding boundary checks in the HTTP parsing code. Customers can download the patched software from the Palo Alto Networks support portal. The company also deployed automatic Threat Prevention signatures that can block malicious traffic even before the patch is applied. Unit 42 published detailed indicators of compromise and detection rules to help the security community. Additionally, Palo Alto Networks encouraged all customers to upgrade to a fixed version as soon as possible and to follow best practices for firewall hardening. The coordinated disclosure ensures that defenders have the information needed to protect their networks.
