
Critical Buffer Overflow in PAN-OS User-ID Authentication Portal (CVE-2026-0300) Allows Unauthenticated RCE

Last updated: 2026-05-19 16:31:42 · Cybersecurity

Overview

Unit 42 researchers have uncovered a critical zero-day vulnerability in Palo Alto Networks' PAN-OS User-ID Authentication Portal, designated as CVE-2026-0300. This flaw, a buffer overflow in the captive portal functionality, enables an unauthenticated attacker to achieve remote code execution on affected firewalls. The issue highlights the persistent risk of network edge devices and the importance of prompt patching.

Critical Buffer Overflow in PAN-OS User-ID Authentication Portal (CVE-2026-0300) Allows Unauthenticated RCE
Source: unit42.paloaltonetworks.com

Technical Details

Buffer Overflow in Captive Portal

The vulnerability resides in the PAN-OS captive portal—a component used for user authentication before granting network access. Specifically, the User-ID Authentication Portal fails to properly validate input lengths when processing certain requests. By sending a specially crafted packet, an attacker can overflow a buffer, overwriting adjacent memory regions and ultimately executing arbitrary code with root privileges.

Attack Vector

No authentication is required to exploit CVE-2026-0300. The attacker only needs network connectivity to the management interface or the dataplane (depending on configuration) that exposes the captive portal service. This makes the vulnerability particularly dangerous for internet-facing firewalls or those in untrusted networks.

Impact and Severity

Successful exploitation gives the attacker full control over the firewall, allowing them to:

  • Modify security policies
  • Exfiltrate sensitive traffic logs
  • Deploy persistent backdoors
  • Move laterally within the internal network

Given that firewalls often serve as a gateway to critical infrastructure, the impact of CVE-2026-0300 is rated Critical (CVSS 9.8). The vulnerability affects all PAN-OS versions with the captive portal feature enabled, unless specific mitigations are applied.

Affected Versions and Mitigation

Affected Versions

Palo Alto Networks has confirmed that CVE-2026-0300 impacts:

  • PAN-OS 10.x
  • PAN-OS 11.x

Older versions may also be vulnerable if the captive portal is enabled.

Mitigation Steps

Until a hotfix is available, administrators should:

  1. Disable the captive portal if not essential for business operations.
  2. Restrict access to the management interface to trusted IP addresses only.
  3. Enable threat prevention signatures that Unit 42 has released to detect exploitation attempts.
  4. Monitor logs for anomalous HTTP requests to the authentication portal.
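As an added illustration of step 4 (not code from Unit 42 or the advisory), the following script scans web access-log lines for requests to the captive portal that carry an oversized request target or produce repeated server errors from one source, two signals a defender would expect from attempts to overflow an input buffer. The portal path prefix, the log format and the thresholds are assumptions for this example; adjust them to your deployment.

```python
import re
from collections import Counter

# Assumption: the captive portal is served under this path prefix (not from the advisory).
PORTAL_PREFIX = "/captive-portal/"
# Thresholds constructed for illustration; tune against your own baseline traffic.
MAX_TARGET_LENGTH = 1024
REPEATED_5XX_THRESHOLD = 3

# Assumed log shape: <source-ip> "<METHOD> <target> HTTP/x.y" <status>
LINE_RE = re.compile(
    r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def find_anomalies(lines):
    """Return (reason, source_ip, detail) tuples for suspicious portal requests."""
    findings = []
    errors_by_src = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["target"].startswith(PORTAL_PREFIX):
            continue  # ignore unparsable lines and traffic to other paths
        if len(rec["target"]) > MAX_TARGET_LENGTH:
            findings.append(("oversized_request_target", rec["src"], len(rec["target"])))
        if rec["status"] >= 500:
            errors_by_src[rec["src"]] += 1
            # report once when a single source crosses the repeated-error threshold
            if errors_by_src[rec["src"]] == REPEATED_5XX_THRESHOLD:
                findings.append(("repeated_portal_5xx", rec["src"], errors_by_src[rec["src"]]))
    return findings

# Constructed sample log lines (not real PAN-OS output); the third carries a 2000-byte parameter.
SAMPLE_LOG = [
    '10.0.0.5 "GET /captive-portal/login?vsys=1 HTTP/1.1" 200',
    '10.0.0.7 "POST /captive-portal/login HTTP/1.1" 302',
    '203.0.113.9 "POST /captive-portal/login?user=' + "x" * 2000 + ' HTTP/1.1" 500',
    '203.0.113.9 "POST /captive-portal/login HTTP/1.1" 500',
    '203.0.113.9 "POST /captive-portal/login HTTP/1.1" 500',
    '10.0.0.8 "GET /index.html HTTP/1.1" 200',
]

if __name__ == "__main__":
    for reason, src, detail in find_anomalies(SAMPLE_LOG):
        print(f"{reason}: source={src} detail={detail}")
```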

For specific PAN-OS versions and patches, refer to the official advisory.

Recommendations

Organizations should treat CVE-2026-0300 with the highest priority. Immediate action includes:

  • Applying the vendor-supplied patch as soon as it is released.
  • Conducting a full security review of edge devices.
  • Segmenting network access to limit exposure of the captive portal.
  • Considering temporary workarounds like whitelisting known user agents or IPs.

Conclusion

The discovery of CVE-2026-0300 underscores the evolving threat landscape for network security appliances. By taking proactive measures—both technical and administrative—organizations can reduce the risk of a critical breach. Unit 42 continues to track this vulnerability and will provide updates as more information becomes available.