Listen to this Post
CVE-2026-0300 is a critical buffer overflow vulnerability residing in the User-ID™ Authentication Portal (also known as the Captive Portal) service of Palo Alto Networks PAN-OS software. The flaw stems from insufficient bounds checking during packet processing within the captive portal authentication mechanism. When the service receives specially crafted network requests, it fails to properly validate the length of incoming data before writing it to a fixed-size memory buffer, leading to an out-of-bounds write (CWE-787).
An unauthenticated remote attacker can exploit this vulnerability by sending a single malicious packet to the Authentication Portal service of an affected firewall. The overflow corrupts adjacent memory structures, allowing the attacker to overwrite critical control data and redirect program execution flow. This ultimately enables arbitrary code execution with full root privileges on the targeted PA-Series or VM-Series firewall. The attack requires no credentials, no user interaction, and no special conditions—making it fully automatable and ideal for mass-exploitation campaigns.
The vulnerability is applicable only to PAN-OS versions 10.2, 11.0, 11.1, and 11.2 software. Cloud NGFW and Prisma Access are not impacted. The risk is significantly heightened when the Authentication Portal is exposed to the internet or untrusted networks, with the CVSS score reaching 9.3 (Critical) in such scenarios. Palo Alto Networks has confirmed that this vulnerability is being actively exploited in the wild. CISA added CVE-2026-0300 to its Known Exploited Vulnerabilities catalog on May 6, 2026, with a federal remediation deadline of May 9, 2026.
Successful exploitation results in complete compromise of the firewall, enabling attackers to intercept traffic, harvest credentials, perform lateral movement, and execute a full network takeover. The vulnerability only affects firewalls where the User-ID Authentication Portal is explicitly enabled and accessible from untrusted networks. Organizations with internet-facing Authentication Portal services are at significantly higher risk of compromise. Patches are scheduled to begin rolling out on May 13, 2026, with additional fixed versions through May 28, 2026, depending on the PAN-OS branch. Until patches are applied, administrators must rely on mitigations such as restricting portal access to trusted internal IP addresses or disabling the portal entirely.
DailyCVE Form:
Platform: …….
Palo Alto PAN-OS
Version: ……..
<
h2 style=”color: blue;”>10.2.x <10.2.7-h34
Vulnerability :……
Buffer Overflow (CWE-787)
Severity: …….
Critical (CVSS 9.3)
date: ……….
May 6, 2026
Prediction: here you should include expected Patch date.
May 13 / 28, 2026
What Undercode Say:
Analytics:
- Active Exploitation Confirmed: Palo Alto Networks has observed limited exploitation targeting Authentication Portals exposed to untrusted IP addresses and the public internet.
- CISA KEV Addition: Added to CISA Known Exploited Vulnerabilities catalog on May 6, 2026, with FCEB remediation deadline of May 9, 2026.
- CVSS 4.0 Score: 9.3 (Critical) with NETWORK attack vector, zero attack complexity, and no privileges required.
- Exploit Maturity: Classified as ATTACKED with multiple Proof-of-Concept exploits publicly available on GitHub.
- Affected Branches: PAN-OS 10.2 versions below 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6.
- Patch Rollout: First round starting May 13, 2026; second round May 28, 2026.
- Threat Prevention Signature: Available for PAN-OS 11.1 and above as of May 5, 2026.
Bash Commands & Codes:
Check current PAN-OS version via CLI show system info | grep "sw-version" Check if User-ID Authentication Portal is enabled show running-config | grep "user-id" | grep "authentication-portal" Check portal exposure - list configured portal IPs show running-config | grep "authentication-portal" -A 10 Verify if portal is listening on external interfaces show session all | grep "6082" Default portal port Check for suspicious portal activity in logs tail -f /var/log/pan/sslvpn.log | grep -i "portal" Restrict portal access to trusted IPs (example CLI command) set deviceconfig system service authentication-portal allow-list <trusted-IP-range> Disable the Authentication Portal entirely (if not required) set deviceconfig system service authentication-portal disable Query CISA KEV for CVE-2026-0300 curl -s https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json | jq '.vulnerabilities[] | select(.cveID=="CVE-2026-0300")' Scan for internet-exposed portals (using Shodan CLI) shodan search "port:6082 Palo Alto" --fields ip_str,port,org Check for exploitation indicators - unexpected admin account activity grep "admin" /var/log/pan/audit.log | tail -20 Monitor for suspicious outbound connections tcpdump -i any -n "dst net not 10.0.0.0/8 and dst net not 192.168.0.0/16"
Exploit:
The exploit leverages a buffer overflow in the User-ID Authentication Portal service. An unauthenticated remote attacker sends a specially crafted HTTP request or UDP packet to the portal service (typically listening on port 6082). The packet contains an oversized payload that exceeds the allocated buffer size, causing memory corruption and overwriting the return address on the stack. This redirects execution to attacker-controlled shellcode, granting a root reverse shell on the firewall.
Proof-of-Concept (educational use only):
Simplified PoC for CVE-2026-0300 - Do not use on unauthorized systems import socket target = "192.168.1.1" port = 6082 Crafted payload triggering buffer overflow payload = b"A" 1024 + b"\x90" 256 + shellcode Overflow + NOP sled + shellcode sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((target, port)) sock.send(payload) sock.close()
Public PoC exploits are available on GitHub (e.g., qassam-315/PAN-OS-User-ID-Buffer-Overflow-PoC, bannned-bit/CVE-2026-0300-PANOS). Given the active exploitation in the wild, organizations must treat any internet-exposed Authentication Portal as an emergency remediation priority.
Protection:
1. Immediate Mitigation (Before Patch):
- Restrict Authentication Portal access to trusted internal IP addresses only.
- Disable the User-ID Authentication Portal entirely if not operationally required.
- Navigate to Device > User Identification > Authentication Portal Settings to check exposure.
2. Apply Patches:
- Upgrade to fixed PAN-OS versions when available:
- PAN-OS 10.2: 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, or 10.2.18-h6.
- PAN-OS 11.1: 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, or 11.1.15.
- PAN-OS 11.2: 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, or 11.2.12.
- PAN-OS 12.1: 12.1.4-h5 or 12.1.7.
3. Additional Defenses:
- Update Threat Prevention signatures (available for PAN-OS 11.1 and above).
- Implement network segmentation and least-privilege access controls.
- Review logs for Indicators of Compromise (unexpected admin activity, suspicious outbound connections, unknown processes).
Impact:
- Complete Device Takeover: Successful exploitation grants attackers full root privileges on the firewall.
- Network Compromise: Attackers can intercept traffic, harvest credentials, and perform lateral movement across the corporate network.
- Data Breach: Confidentiality, integrity, and availability are all compromised at the highest level.
- Operational Disruption: Firewall compromise can lead to service outages, unauthorized configuration changes, and persistent backdoor installation.
- Supply Chain Risk: Compromised perimeter firewalls serve as entry points for broader enterprise-wide attacks.
- Regulatory Consequences: Organizations with exposed portals face increased risk of data breach notifications and compliance violations.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

