Critical PAN-OS Captive Portal Zero-Day: Unauthenticated RCE via Buffer Overflow (CVE-2026-0300)

Overview

Unit 42, the threat intelligence team at Palo Alto Networks, has disclosed a critical zero-day vulnerability affecting the PAN-OS User-ID Authentication Portal, tracked as CVE-2026-0300. This flaw, a buffer overflow in the captive portal component, enables unauthenticated remote code execution (RCE) on vulnerable appliances. The vulnerability is believed to have been actively exploited in the wild prior to public disclosure, raising urgent concerns for organizations relying on PAN-OS firewalls and gateways.

Critical PAN-OS Captive Portal Zero-Day: Unauthenticated RCE via Buffer Overflow (CVE-2026-0300) — Source: unit42.paloaltonetworks.com

Technical Details

CVE-2026-0300 resides in the PAN-OS Captive Portal functionality, which is part of the User-ID Authentication Portal. The captive portal is typically used to enforce authentication for guest users before granting network access. A buffer overflow occurs when input data exceeds the allocated memory buffer, allowing an attacker to overwrite adjacent memory locations. In this case, specially crafted HTTP requests sent to the captive portal handler can trigger the overflow, leading to arbitrary code execution with the privileges of the PAN-OS web server.

Exploitation does not require any prior authentication or user interaction. An attacker simply needs network access to the management interface or the captive portal endpoint. This makes CVE-2026-0300 a particularly dangerous unauthorized RCE vector, enabling adversaries to take full control of affected devices. Unit 42 notes that the vulnerability was discovered during an incident response engagement, suggesting real-world exploitation attempts.

Affected Systems

The vulnerability affects multiple versions of PAN-OS, including both PA-Series hardware firewalls and virtualized VM-Series instances. Specific vulnerable versions include:

PAN-OS 10.1.0 to 10.1.5
PAN-OS 10.0.0 to 10.0.10
PAN-OS 9.1.0 to 9.1.15
Other versions may be affected if the captive portal feature is enabled.

Organizations running any of these versions with the User-ID Authentication Portal enabled are at immediate risk. The captive portal is often enabled for guest Wi-Fi or network access control, but even if not actively used, the service may be running on default configurations.

Potential Impact

Successful exploitation of CVE-2026-0300 can have severe consequences:

Complete system compromise: An attacker can execute arbitrary commands with root privileges, effectively taking over the firewall or gateway.
Data exfiltration: Access to network traffic logs, VPN credentials, and encrypted tunnels can be harvested.
Lateral movement: The compromised device can be used to pivot into internal networks, bypassing security controls.
Persistent access: Backdoors or rootkits can be installed to maintain long-term access.
Network disruption: Critical infrastructure may be taken offline or manipulated.

Given that PAN-OS devices often serve as the primary security perimeter, a breach can escalate to a full-scale incident.

Mitigation and Remediation

Palo Alto Networks has released security patches for the affected PAN-OS versions. Administrators should take immediate action:

Apply the patch: Update to PAN-OS 10.1.6, 10.0.11, 9.1.16, or later versions that include the fix. Refer to the official advisory for exact version numbers.
Disable captive portal if not required, or restrict access to the User-ID Authentication Portal via ACLs.
Monitor for indicators of compromise (IoCs): Unit 42 has shared IoCs related to the exploitation attempts; check logs for anomalous HTTP requests to the captive portal.
Segment networks: Ensure management interfaces are not exposed to the internet unless necessary, and use strong access controls.

Recommendations for Security Teams

Given the zero-day nature and active exploitation, organizations should treat CVE-2026-0300 as a critical priority:

Conduct a vulnerability scan of all PAN-OS devices to identify affected versions.
Implement a virtual patching rule via intrusion prevention systems (IPS) if an immediate software update is not feasible.
Review firewall logs for signs of buffer overflow attempts, such as abnormally long request strings or repeated connection failures.
Engage with incident response teams if any evidence of compromise is found.
Stay updated via the Unit 42 blog and Palo Alto Networks security advisories for any additional information or follow-up campaigns.

Conclusion

CVE-2026-0300 represents a critical threat to any organization using PAN-OS with captive portal capabilities. The combination of unauthorized access, remote code execution, and active exploitation demands swift action. By applying patches, restricting access, and monitoring for malicious activity, defenders can significantly reduce the risk. Unit 42 continues to track this vulnerability and will provide further updates as the situation evolves.