10 Critical Facts About the PAN-OS Captive Portal Zero-Day Exploit (CVE-2026-0300)
When security researchers at Unit 42 uncovered CVE-2026-0300, the cybersecurity community took immediate notice. This zero-day vulnerability in Palo Alto Networks' PAN-OS software allows unauthenticated remote code execution through a buffer overflow in the User-ID Authentication Portal. In this article, we break down the 10 most important things you need to understand about this critical threat, from how the exploit works to what steps you should take to protect your network.
1. What Is the PAN-OS Captive Portal?
The captive portal is a core feature of Palo Alto Networks firewalls running PAN-OS. It intercepts user traffic before granting network access, typically requiring authentication via the User-ID system. When a user connects to a network behind the firewall, the captive portal presents a login page that collects credentials or performs host information checks. This portal handles authentication requests and communicates with the User-ID agent to map users to their IP addresses. Because the portal processes incoming data from potentially untrusted sources, a vulnerability here opens a direct path for attackers to compromise the entire firewall.

2. Understanding CVE-2026-0300
CVE-2026-0300 is a buffer overflow vulnerability found in the User-ID Authentication Portal component of PAN-OS. A buffer overflow occurs when a program writes more data to a buffer than it can hold, corrupting adjacent memory. In this case, an attacker can send specially crafted network packets to the captive portal, triggering the overflow and allowing them to inject malicious code. The vulnerability does not require any authentication, making it especially dangerous. Unit 42 assigned the identifier CVE-2026-0300 and classified it as a critical severity issue due to its remote exploitation potential.
3. How the Buffer Overflow Works
The buffer overflow in the captive portal originates from improper bounds checking when processing data received during the authentication handshake. When a client connects, the portal allocates a fixed-size buffer to store incoming fields such as usernames or authentication tokens. If the attacker sends a payload larger than the buffer, the overflow overwrites adjacent memory regions, including return addresses and function pointers. By carefully controlling the overflow, the attacker can redirect execution flow to shellcode of their choice. Unit 42's analysis indicates that the exploit is fully reliable and does not require any special knowledge of the target environment.
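As an added illustration in C (not PAN-OS code, which is not public), the pattern this section describes: a handler that copies an authentication field into a fixed-size username buffer without checking its length, beside a hardened version that validates the length first and rejects oversized fields. The buffer size, field name and return codes are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative model of the bug class described above, not PAN-OS code. A portal
 * handler stores the "user" field of an authentication request in a fixed-size
 * buffer; the buffer size and field layout are assumptions for this example. */
#define USERNAME_MAX 32

/* Vulnerable pattern: the copy length comes straight from the request, so any
 * field longer than the buffer writes past its end into adjacent memory (other
 * locals, saved frame data). Kept only for contrast with the checked version. */
int store_username_unchecked(char out[USERNAME_MAX], const char *field, size_t field_len)
{
    memcpy(out, field, field_len);      /* no comparison against USERNAME_MAX */
    out[field_len] = '\0';              /* may also land out of bounds */
    return 0;
}

/* Hardened pattern: validate the length against the buffer before any write and
 * reject oversized, empty or NUL-containing fields outright (not silently
 * truncate) so the caller can log the event. Returns 0 on success, -1 on reject. */
int store_username_checked(char out[USERNAME_MAX], const char *field, size_t field_len)
{
    if (field == NULL || field_len == 0 || field_len >= USERNAME_MAX)
        return -1;                      /* >= leaves room for the terminator */
    if (memchr(field, '\0', field_len) != NULL)
        return -1;                      /* embedded NUL: malformed field */
    memcpy(out, field, field_len);
    out[field_len] = '\0';
    return 0;
}

int main(void)
{
    char user[USERNAME_MAX];
    char big[200];                      /* constructed oversized field */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("normal field -> %d\n", store_username_checked(user, "alice", 5));
    printf("oversized    -> %d\n", store_username_checked(user, big, strlen(big)));
    /* store_username_unchecked(user, big, strlen(big)) would overflow `user`. */
    return 0;
}
```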
4. Zero-Day Exploitation in the Wild
Unit 42 confirmed that this vulnerability was actively exploited as a zero-day before a patch was available. Zero-day attacks are particularly insidious because defenders have no warning and no signature-based protection. The attackers leveraged the vulnerability to gain initial access to affected firewalls, likely as a stepping stone for deeper network penetration. While the full scope of campaigns using this exploit is still under investigation, Unit 42 recommends treating any firewall reachable from the internet as a potential target. The fact that the vulnerability is in the captive portal also makes it exploitable from both internal and external networks.
5. Affected PAN-OS Versions
Based on Unit 42's disclosure, the vulnerability affects specific versions of PAN-OS. While the exact version list changes as Palo Alto Networks releases updates, the zero-day was confirmed in PAN-OS 10.x and 11.x releases prior to the security hotfix. Firewalls with the captive portal feature enabled and configured for User-ID authentication are vulnerable. It is important to check your specific deployment version against the advisory from Palo Alto Networks. Customers who cannot immediately patch should consider the mitigations discussed later in this article. The vulnerability does not affect PAN-OS versions with the captive portal disabled or not used for authentication.
6. Severity and Impact
The CVSS score for CVE-2026-0300 is projected to be in the critical range (9.8 or above) based on the properties of a network-accessible buffer overflow that leads to remote code execution. Successful exploitation gives the attacker full control over the firewall, including the ability to modify rules, intercept traffic, deploy malware, and pivot to internal systems. For organizations, this means a breach of network perimeter defenses, potential data exfiltration, and loss of integrity for all traffic traversing the firewall. The impact is magnified because many organizations rely on PAN-OS firewalls as a central security gateway.

7. Attack Vector and Requirements
The attack vector is straightforward: the attacker sends a malicious HTTP request or UDP packet to the captive portal's listening interface. The only requirement is that the firewall's captive portal service is exposed to the attacker. This includes scenarios where the portal is on the external (untrusted) interface for remote access VPN users, or on internal interfaces if an attacker already has network access. No user interaction is required — the exploit is completely unauthenticated. Unit 42 observed attacks coming from botnets and targeted threat actors, indicating that the exploit code has been weaponized and shared in underground forums.
8. Mitigation and Remediation Steps
Palo Alto Networks released an out-of-band hotfix for all supported PAN-OS versions. The first and most important step is to apply the security patch immediately. If patching is not possible, disable the captive portal or block access to its TCP/UDP ports from untrusted networks. Unit 42 also recommends enabling threat prevention signatures that detect known exploit patterns. Additional mitigations include configuring the captive portal to use HTTPS (encrypting data in transit) and restricting the portal's IP address or interface using firewall rules. Regularly reviewing firewall logs for anomalous authentication attempts can help detect reconnaissance.
9. Detection and Hunting Guidance
To detect exploitation attempts, monitor captive portal logs for repeated large payloads or malformed authentication requests. Network intrusion detection systems (NIDS) can be tuned to trigger on the specific byte sequences identified by Unit 42. For post-exploitation, look for unexpected outbound connections from the firewall's management IP, changes to firewall rules, or creation of new users. Unit 42 has published a list of indicators of compromise (IOCs) including IP addresses and domain names associated with the observed attacks. Organizations should also check for unauthorized remote access sessions to the firewall's management interface.
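An added example in C, not from Unit 42 or Palo Alto Networks, of the log-hunting logic suggested above: it scans constructed portal-style log lines for oversized or malformed authentication fields and reports source addresses that repeat them. The key=value log layout, the field names and the 256-byte length threshold are assumptions; the real portal log format is not given in the article.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample lines in an assumed key=value layout (the article gives no
 * real portal log format); adjust the sscanf pattern to match your own logs. */
static const char *const SAMPLE_LOG[] = {
    "2026-01-15T10:02:11Z src=198.51.100.7 field=user len=12 result=ok",
    "2026-01-15T10:02:12Z src=198.51.100.7 field=user len=4096 result=malformed",
    "2026-01-15T10:02:12Z src=198.51.100.7 field=token len=8192 result=malformed",
    "2026-01-15T10:02:13Z src=198.51.100.7 field=user len=4096 result=malformed",
    "2026-01-15T10:02:21Z src=192.0.2.44 field=user len=700 result=malformed",
};
#define MAX_SOURCES 64
struct source_hits { char ip[46]; int hits; };
/* Suspicious: field length above max_len (bigger than any legitimate username or
 * token) or a request the portal marked malformed; unparsable lines count too. */
int is_suspicious(const char *line, unsigned long max_len, char ip_out[46])
{
    unsigned long len = 0;
    char result[16] = "";
    if (sscanf(line, "%*s src=%45s field=%*s len=%lu result=%15s", ip_out, &len, result) != 3) {
        strcpy(ip_out, "unparsed");     /* source unknown, still worth a look */
        return 1;
    }
    return len > max_len || strcmp(result, "malformed") == 0;
}
/* Returns how many source IPs sent at least `threshold` suspicious requests,
 * separating repeated probing from a single odd login attempt. */
int count_repeat_offenders(const char *const *lines, size_t n, unsigned long max_len, int threshold)
{
    struct source_hits tab[MAX_SOURCES];
    size_t used = 0, i, j;
    int offenders = 0;
    for (i = 0; i < n; i++) {
        char ip[46];
        if (!is_suspicious(lines[i], max_len, ip))
            continue;
        for (j = 0; j < used && strcmp(tab[j].ip, ip) != 0; j++) { }
        if (j == used && used < MAX_SOURCES) {       /* first hit from this source */
            strcpy(tab[used].ip, ip);
            tab[used++].hits = 0;
        }
        if (j < used) tab[j].hits++;
    }
    for (j = 0; j < used; j++)
        if (tab[j].hits >= threshold) {
            offenders++;
            printf("escalate %s: %d suspicious requests\n", tab[j].ip, tab[j].hits);
        }
    return offenders;
}
```

Run as `count_repeat_offenders(SAMPLE_LOG, 5, 256, 2)` the sample flags 198.51.100.7 (three oversized, malformed requests) and leaves the single event from 192.0.2.44 below the escalation threshold.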
10. Lessons Learned: Proactive Defense
The CVE-2026-0300 incident underscores the importance of reducing attack surface on perimeter devices. Even trusted features like captive portals can become entry points if not secured. Best practices include keeping all software up-to-date, segmenting network zones, and employing least-privilege access for firewall management. Regular vulnerability scanning and penetration testing of critical infrastructure can identify similar weaknesses before attackers do. Unit 42 continues to monitor this threat and encourages organizations to subscribe to security advisories. A zero-day exploit is a race against time — the faster you can detect and respond, the lower your risk.
In conclusion, the PAN-OS captive portal zero-day (CVE-2026-0300) represents a serious threat to any organization using Palo Alto Networks firewalls. By understanding the vulnerability, its exploitation, and the available mitigations, you can take decisive action to protect your network. Stay vigilant, patch promptly, and ensure your security teams are equipped to respond to new threats as they emerge.