CVE-2026-0300: Active Exploitation of PAN-OS User-ID Authentication Portal
CVE-2026-0300 (CVSSv4 9.3) is an unauthenticated buffer overflow (CWE-787, out-of-bounds write) in the User-ID Authentication Portal - also known as the Captive Portal - service of PAN-OS, exploitable on PA-Series hardware firewalls and VM-Series virtual firewalls. By sending specially crafted packets to the portal an unauthenticated remote attacker achieves arbitrary code execution as `root` on the firewall itself, with no authentication, no user interaction, and no chained vulnerability required. Prisma Access, Cloud NGFW, and Panorama appliances are not affected. The advisory was published 2026-05-06 with vendor confirmation that limited active exploitation is already underway, primarily targeting Captive Portal instances exposed to untrusted IP addresses or the public internet. No patches were available at disclosure; fixed PAN-OS hotfixes begin rolling out 2026-05-13 with additional waves through 2026-05-28. Affected trains span PAN-OS 12.1, 11.2, 11.1, and 10.2 - refer to the vendor advisory for the exact subversion matrix.
The exploitation surface is narrow but high-impact. The Captive Portal is a non-default feature used to map IP addresses to usernames; when enabled and reachable from an untrusted zone, the portal listens on TCP and presents a credential-prompt page to unauthenticated traffic. A successful overflow grants root-level code execution on the firewall, giving an attacker the ability to inspect or modify traffic in transit, disable or weaken security policy enforcement, persist on the appliance across reboots, and pivot from the network edge into any segment the firewall protects. Shadowserver is currently tracking approximately 5,800 internet-exposed PAN-OS VM-Series firewalls, the majority in Asia (~2,466) and North America (~1,998); Shodan reports roughly 225,000 PAN-OS instances overall, representing the broader attack surface. Palo Alto has not published attacker IPs, hashes, or callback infrastructure - exploitation lands as in-memory shellcode against the portal worker process, leaving few file-system artifacts.
The most actionable vendor artifact is an emergency Threat Prevention signature shipped via PAN-OS content updates for PAN-OS 11.1 and above, designed to block exploitation attempts at the firewall itself. Customers running current Threat Prevention content will see this signature fire in firewall THREAT logs the moment a probe hits an exposed Captive Portal. Until patches are applied, vendor-recommended workarounds are to (a) restrict the Authentication Portal to trusted internal zones only, or (b) disable the portal entirely via Device → User Identification → Authentication Portal Settings if it is not required. Given the asymmetry between attacker effort (a single crafted packet) and impact (root on the perimeter), organizations running affected PAN-OS subversions with the portal enabled should treat this as an emergency patching event and combine config-side workarounds with detection-side coverage on portal traffic, authd/sslmgr process anomalies, and the new Threat Prevention signature.
Detections (1)
- Detect post-exploitation child processes spawned by web/app servers
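One way to operationalize the detection above on host process telemetry, as an added example that is not vendor code: the daemon names `authd` and `sslmgr` come from the advisory text; treating them as the portal's parent processes, the generic web-server names, the event schema, the allowlist and the sample events are all constructed assumptions.

```python
"""Flag post-exploitation child processes spawned by PAN-OS portal workers.

Added example, not vendor code. The process names authd and sslmgr come
from the advisory text; treating them as the portal's parent processes,
the event schema and the sample events below are constructed assumptions.
"""
import os

# Parents worth watching: the PAN-OS daemons named in the advisory plus
# generic web/app servers (assumption: none of these legitimately spawn shells).
WATCHED_PARENTS = {"authd", "sslmgr", "nginx", "httpd"}
# Children that indicate command execution rather than normal request handling.
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "python", "python3", "perl",
                       "curl", "wget", "nc", "ncat", "socat", "base64"}
# Constructed allowlist of (parent, child) pairs that are expected and benign.
ALLOWED = {("sslmgr", "openssl")}

def _basename(name: str) -> str:
    """Normalise '/bin/sh', './sh' and 'SH' to 'sh' so path tricks do not evade."""
    return os.path.basename(name.strip()).lower()

def detect_suspicious_children(events):
    """Return one alert dict per process-creation event that matches the rule."""
    alerts = []
    for ev in events:
        parent = _basename(ev.get("parent_name", ""))
        child = _basename(ev.get("child_name", ""))
        if parent not in WATCHED_PARENTS or (parent, child) in ALLOWED:
            continue
        if child in SUSPICIOUS_CHILDREN:
            alerts.append({"host": ev.get("host"), "parent": parent,
                           "child": child, "cmdline": ev.get("cmdline", ""),
                           "rule": "web-worker spawned command-execution child"})
    return alerts

# Constructed sample telemetry: two benign events and one that should alert.
SAMPLE_EVENTS = [
    {"host": "fw-edge-1", "parent_name": "sslmgr", "child_name": "/usr/bin/openssl",
     "cmdline": "openssl x509 -in cert.pem"},
    {"host": "fw-edge-1", "parent_name": "cron", "child_name": "/bin/sh",
     "cmdline": "sh -c logrotate"},
    {"host": "fw-edge-1", "parent_name": "/usr/local/bin/authd", "child_name": "/bin/sh",
     "cmdline": "sh -c id"},
]

if __name__ == "__main__":
    for alert in detect_suspicious_children(SAMPLE_EVENTS):
        print(alert)
```

Feed it process-creation events from your EDR or auditd pipeline; the allowlist is where you tune out expected helpers once you have a baseline of what the portal daemons normally spawn.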