
Active Exploitation of Unauthenticated Buffer Overflow Vulnerability in Palo Alto Networks PAN-OS (CVE-2026-0300)

May 27th, 2026

Critical

Our Cyber Threat Intelligence Unit is monitoring an actively exploited critical buffer overflow vulnerability in Palo Alto Networks PAN-OS affecting PA-Series and VM-Series firewalls. Identified as CVE-2026-0300, the vulnerability resides in the User-ID™ Authentication Portal (Captive Portal) service and allows an unauthenticated attacker to execute arbitrary code with root privileges via specially crafted packets. CISA added CVE-2026-0300 to its Known Exploited Vulnerabilities catalog on May 6, 2026, with a remediation deadline of May 9, 2026, for Federal Civilian Executive Branch agencies. Organizations with the User-ID™ Authentication Portal enabled and exposed to untrusted networks should prioritize remediation immediately.

Technical Details

  • Severity: Critical

  • CVE: CVE-2026-0300

  • Vulnerability Type: Buffer Overflow

  • Affected Component: PAN-OS User-ID™ Authentication Portal (Captive Portal) service

  • Affected Products: Palo Alto Networks PA-Series and VM-Series firewalls running PAN-OS

  • Threat Actor: CL-STA-1132 (likely state-sponsored)

  • Exploit Status: Actively exploited in the wild

  • Affected Versions:

    • PAN-OS 12.1: < 12.1.4-h5 (fix ETA 05/13) / < 12.1.7 (fix ETA 05/28)

    • PAN-OS 11.2: < 11.2.4-h17 (fix ETA 05/28) / < 11.2.7-h13 (fix ETA 05/13) / < 11.2.10-h6 (fix ETA 05/13) / < 11.2.12 (fix ETA 05/28)

    • PAN-OS 11.1: < 11.1.4-h33 (fix ETA 05/13) / < 11.1.6-h32 (fix ETA 05/13) / < 11.1.7-h6 (fix ETA 05/28) / < 11.1.10-h25 (fix ETA 05/13) / < 11.1.13-h5 (fix ETA 05/13) / < 11.1.15 (fix ETA 05/28)

    • PAN-OS 10.2: < 10.2.7-h34 (fix ETA 05/28) / < 10.2.10-h36 (fix ETA 05/13) / < 10.2.13-h21 (fix ETA 05/28) / < 10.2.16-h7 (fix ETA 05/28) / < 10.2.18-h6 (fix ETA 05/13)

  • Attack Chain:

    • Initial Access: Unauthenticated attacker sends specially crafted packets to an internet- or untrusted-network-exposed User-ID™ Authentication Portal; no credentials or user interaction required.

    • Exploitation: Malformed packets trigger a CWE-787 out-of-bounds write in the Captive Portal service, corrupting memory and redirecting execution flow.

    • Code Execution: Successful exploitation yields arbitrary code execution with root privileges on the affected firewall.

    • Post-Exploitation: CL-STA-1132 deployed open-source tunneling tools and conducted Active Directory enumeration following initial compromise, consistent with espionage objectives.
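The affected-version list above is dense, and a firewall fleet typically runs several maintenance releases per train. The following Python script is an added example, not part of the advisory or any Palo Alto Networks tooling: it transcribes the fixed builds and fix ETAs from the list above and assesses a PAN-OS version string against them. It assumes the vendor convention that "< 11.2.7-h13" means "builds on the 11.2.7 maintenance release below hotfix h13", that a build at or beyond the newest fixed release in a train is fixed, and that the ETAs fall in 2026 (the advisory date); the `today` default is the advisory's publication date.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Fixed builds and fix ETAs transcribed from the advisory's "Affected Versions" list.
# Year 2026 is assumed from the advisory date; dates are the vendor's published ETAs.
FIXED_VERSIONS = {
    "12.1": [("12.1.4-h5", date(2026, 5, 13)), ("12.1.7", date(2026, 5, 28))],
    "11.2": [("11.2.4-h17", date(2026, 5, 28)), ("11.2.7-h13", date(2026, 5, 13)),
             ("11.2.10-h6", date(2026, 5, 13)), ("11.2.12", date(2026, 5, 28))],
    "11.1": [("11.1.4-h33", date(2026, 5, 13)), ("11.1.6-h32", date(2026, 5, 13)),
             ("11.1.7-h6", date(2026, 5, 28)), ("11.1.10-h25", date(2026, 5, 13)),
             ("11.1.13-h5", date(2026, 5, 13)), ("11.1.15", date(2026, 5, 28))],
    "10.2": [("10.2.7-h34", date(2026, 5, 28)), ("10.2.10-h36", date(2026, 5, 13)),
             ("10.2.13-h21", date(2026, 5, 28)), ("10.2.16-h7", date(2026, 5, 28)),
             ("10.2.18-h6", date(2026, 5, 13))],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(s):
    """Return (major, minor, maint, hotfix) for strings like '11.2.7-h13'; hotfix is 0 when absent."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {s!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


@dataclass
class Assessment:
    version: str
    vulnerable: Optional[bool]      # None when the train is not covered by the advisory table
    reason: str
    fix_available: Optional[bool]   # None unless vulnerable; True once the fix ETA has passed


def assess(version, today=date(2026, 5, 27)):
    """Assess one PAN-OS version string against the transcribed fixed-build table."""
    v = parse_version(version)
    train = f"{v[0]}.{v[1]}"
    thresholds = FIXED_VERSIONS.get(train)
    if thresholds is None:
        return Assessment(version, None, f"train {train} not in advisory table; verify separately", None)
    parsed = [(parse_version(t), t, eta) for t, eta in thresholds]

    # Fixed when on the same maintenance base as a listed fix and at or above its hotfix level.
    for pt, t, _eta in parsed:
        if pt[:3] == v[:3] and v >= pt:
            return Assessment(version, False, f"at or above fixed build {t}", None)

    # Fixed when at or beyond the newest listed fix release for the train (assumption stated above).
    newest_pt, newest_t, _ = max(parsed)
    if v >= newest_pt:
        return Assessment(version, False, f"at or above fixed build {newest_t}", None)

    # Otherwise vulnerable: name the fix on the same base if listed, else the next fixed build up.
    same_base = [(pt, t, eta) for pt, t, eta in parsed if pt[:3] == v[:3]]
    if same_base:
        _pt, t, eta = same_base[0]
    else:
        _pt, t, eta = min(x for x in parsed if x[0] > v)
    return Assessment(version, True, f"below fixed build {t} (fix ETA {eta.isoformat()})", eta <= today)


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    for ver in ("11.2.10-h5", "11.2.4-h17", "11.2.5", "10.2.16-h3", "11.2.13", "9.1.0"):
        a = assess(ver)
        print(f"{a.version:<12} vulnerable={a.vulnerable!s:<5} fix_available={a.fix_available!s:<5} {a.reason}")
```

Versions on a maintenance base the table does not name (for example 11.2.5) have no hotfix of their own and are reported as vulnerable until upgraded to a fixed build; `fix_available` distinguishes fixes already released on the rolling schedule from those still pending, which matters for deciding between patching and the interim mitigations in the Recommendations below.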


Impact

  • Unauthorized access to firewall appliances may expose sensitive network traffic, credentials, configuration data, and connected internal resources.

  • Root access allows disabling of security policies, traffic interception, and arbitrary configuration changes.

  • Exploitation may lead to service disruption, degraded firewall performance, instability of authentication services, and interruption of business-critical network operations.

  • Attackers may leverage compromised devices as internal pivot points for Active Directory enumeration, lateral movement, persistence, and deployment of additional malicious payloads.

  • Organizations may incur incident response costs, recovery efforts, regulatory scrutiny, and reputational impact following unauthorized access or potential data exposure.

Detection Method

  • Monitor PAN-OS logs for malformed or anomalous inbound packets targeting the Captive Portal service from untrusted or external IP addresses.

  • Review firewall logs for unexpected Captive Portal service crashes, restarts, or errors indicative of buffer overflow exploitation attempts.

  • Detect unexpected outbound connections originating from the firewall itself, which may indicate post-exploitation tunneling activity by the threat actor.

  • Monitor for Active Directory enumeration patterns originating from firewall management interfaces or unexpected internal hosts.

  • Correlate SIEM alerts for unexplained administrative access, policy changes, or account modifications on PAN-OS firewalls.

  • Deploy and monitor Palo Alto Networks Threat Prevention signatures, available for PAN-OS 11.1 and above as of May 5, 2026.

  • Track unauthorized creation or modification of firewall administrator accounts or security policy configurations.
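Several of the detection bullets above (Captive Portal service restarts, firewall-originated outbound connections, administrator account changes) are individually noisy but become meaningful when they cluster on one device in a short window. The Python script below is an added example, not part of the advisory: it classifies events into those categories and flags devices where two or more distinct categories occur within a configurable window. The log lines are constructed in a generic key=value syslog style, not PAN-OS native formats, and the field names, device inventory, and the `captive-portal` component label are assumptions for the example.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample lines in a generic key=value style (not PAN-OS native log formats).
SAMPLE_LOGS = """\
2026-05-20T09:14:02Z device=fw-edge-1 type=SYSTEM component=captive-portal event="process restarted" reason=crash
2026-05-20T09:14:40Z device=fw-edge-1 type=TRAFFIC src=203.0.113.10 dst=198.51.100.77 dport=443 app=ssl
2026-05-20T09:16:05Z device=fw-edge-1 type=CONFIG admin=admin event="account created" target=svc-maint
2026-05-20T11:30:00Z device=fw-edge-1 type=TRAFFIC src=203.0.113.10 dst=10.0.0.5 dport=514 app=syslog
2026-05-21T03:00:00Z device=fw-core-2 type=CONFIG admin=netops event="account created" target=oncall
"""

# Constructed inventory: the firewall's own egress address per device (an assumption of this example).
FIREWALL_IPS = {"fw-edge-1": "203.0.113.10", "fw-core-2": "10.0.0.1"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split 'timestamp key=value ...' into a dict; quoted values keep their spaces."""
    ts, rest = line.split(" ", 1)
    fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(ev):
    """Map one event to a detection category from the advisory, or None if it matches nothing."""
    t = ev.get("type")
    if t == "SYSTEM" and ev.get("component") == "captive-portal" and "restart" in ev.get("event", ""):
        return "captive_portal_restart"
    if t == "TRAFFIC" and ev.get("src") == FIREWALL_IPS.get(ev.get("device")) and not is_internal(ev["dst"]):
        return "firewall_originated_outbound"   # the firewall itself talking to a non-internal address
    if t == "CONFIG" and ev.get("event") == "account created":
        return "admin_account_created"
    return None


def correlate(log_text, window=timedelta(minutes=30)):
    """Return {device: sorted categories} for devices with 2+ distinct categories inside `window`."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    hits = {}
    for ev in events:
        cat = classify(ev)
        if cat:
            hits.setdefault(ev["device"], []).append((ev["ts"], cat))
    flagged = {}
    for device, items in hits.items():
        items.sort()
        for ts, _ in items:
            cats = {c for t, c in items if ts <= t <= ts + window}
            if len(cats) >= 2:
                flagged[device] = sorted(cats)
                break
    return flagged


if __name__ == "__main__":
    for device, cats in correlate(SAMPLE_LOGS).items():
        print(f"{device}: {', '.join(cats)}")
```

In the sample, fw-edge-1 shows a Captive Portal restart, an outbound connection sourced from the firewall's own address, and a new account within two minutes and is flagged; fw-core-2 has only a routine account creation and is not. When adapting this to real PAN-OS exports, map the system, traffic and config log fields onto the three checks and tune the window to your environment.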

Indicators of Compromise

There are no Indicators of Compromise (IOCs) for this Advisory.


Recommendations

  • Apply available patches immediately: Begin deploying fixed PAN-OS versions per the rolling release schedule starting May 13, 2026, referencing the affected versions listed above.

  • Enable Threat Prevention signatures available for PAN-OS 11.1+ as of May 5, 2026, as an interim blocking and detection measure.

  • Restrict Authentication Portal access to trusted internal zones only, per Palo Alto Networks Live Community and Knowledgebase guidance, as this significantly reduces the risk of exploitation.

  • Disable User-ID™ Authentication Portal if not operationally required (Device > User Identification > Authentication Portal Settings > uncheck Enable Authentication Portal).

  • Audit all internet-facing PA-Series and VM-Series firewall configurations to ensure Captive Portal and management interfaces are not exposed to untrusted networks.

  • Conduct a retroactive log review for anomalous activity predating patch deployment, given vendor-confirmed exploitation at the time of initial disclosure.

  • Initiate incident response if any anomalous firewall behavior or indicators of compromise are identified, as a root-level perimeter firewall compromise warrants a full investigation.

  • The CISA KEV remediation deadline of May 9, 2026, has passed for FCEB agencies; any outstanding remediation should be treated as overdue and escalated immediately.

  • Monitor Unit 42 and Palo Alto Networks advisories for additional IOCs, exploitation updates, and the release of remaining scheduled patches.

Conclusion

The active exploitation of CVE-2026-0300 highlights the severe and immediate risk of unauthenticated buffer overflow vulnerabilities in enterprise perimeter firewall infrastructure. Attribution to the likely state-sponsored cluster CL-STA-1132, with confirmed post-exploitation tunneling and Active Directory enumeration, signals a capable, targeted threat actor seeking deep enterprise access. CISA's next-day KEV listing and Palo Alto Networks' vendor-confirmed exploitation at the time of disclosure leave no room for a delayed response. Organizations should immediately restrict or disable the User-ID™ Authentication Portal, apply patches per the published rolling schedule, and conduct retroactive log reviews for evidence of prior compromise.
