Critical PAN-OS Flaw Allows Unauthenticated Remote Code Execution via Captive Portal
Breaking: Zero-Day Exploit Targets Palo Alto Networks Firewalls
A critical zero-day vulnerability in Palo Alto Networks' PAN-OS software is being actively exploited, allowing unauthenticated attackers to execute arbitrary code remotely. The flaw, tracked as CVE-2026-0300, resides in the User-ID Authentication Portal within the Captive Portal feature.

Unit 42, Palo Alto Networks' threat intelligence team, confirmed the vulnerability is a buffer overflow issue. Attackers can trigger it without any authentication, potentially gaining full control over affected firewalls.
What We Know So Far
The vulnerability was discovered during an ongoing investigation by Unit 42. According to their research, the exploit targets the PAN-OS Captive Portal's authentication mechanism.
Key details:
- The flaw is a buffer overflow in the User-ID Authentication Portal.
- No authentication is required to trigger the exploit.
- Successful exploitation leads to remote code execution (RCE).
- Palo Alto Networks has not yet released a patch.
“This is a serious threat to any organization running PAN-OS with Captive Portal enabled,” said a Unit 42 researcher. “We urge immediate mitigation measures.”
Background
Palo Alto Networks' PAN-OS is a widely used firewall operating system. The Captive Portal feature is commonly deployed for guest network access, requiring user authentication via a web portal.
Buffer overflow vulnerabilities arise when a program writes more data to a buffer than it can hold. Such a flaw lets an attacker overwrite adjacent memory and potentially inject malicious code.
Unit 42 has observed active exploitation attempts in the wild. The exact scope of affected deployments is unknown, but given PAN-OS's widespread adoption, the risk is significant.
Immediate Risks and Impact
An attacker exploiting CVE-2026-0300 can execute commands on the firewall with root privileges. This could lead to data theft, network compromise, or lateral movement within an organization.

Because the Captive Portal is often exposed to the internet, both internal and external attackers can target it. The absence of any authentication requirement lowers the barrier to exploitation.
“This zero-day is a ticking bomb for enterprises relying on PAN-OS,” warned a cybersecurity analyst. “We've seen similar flaws lead to full network takeovers.”
What This Means
Organizations using Palo Alto Networks firewalls must treat this as an emergency. Without a patch, they should disable the Captive Portal if possible, or apply strict access controls.
The vulnerability underscores the danger of exposed authentication interfaces. Buffer overflow flaws in network gear have historically become prime targets for ransomware groups and state-sponsored actors.
Unit 42 recommends monitoring for unusual traffic to the Captive Portal endpoint. Internal segmentation and network detection rules can help mitigate attacks.
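As an added example that is not from Unit 42 or this article, the Python below applies the monitoring advice above to constructed web-access log lines: it flags portal requests carrying unusually large bodies (the input-size signal one would expect from overflow attempts against an authentication form) and sources that repeatedly draw server errors from the portal. The log layout and the "/captive-portal/login" path are assumptions, since the article names neither.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed "source method path status request_bytes"
# layout; these are not real PAN-OS log entries. The "/captive-portal/login" path is
# an assumed stand-in for the portal endpoint, which the article does not name.
SAMPLE_LOG = [
    "203.0.113.7 POST /captive-portal/login 200 412",
    "203.0.113.7 GET /captive-portal/login 200 0",
    "198.51.100.9 POST /captive-portal/login 200 9873",
    "198.51.100.9 POST /captive-portal/login 500 11240",
    "198.51.100.9 POST /captive-portal/login 500 10990",
    "192.0.2.44 GET /static/logo.png 200 0",
]

LINE_RE = re.compile(
    r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) (?P<req_bytes>\d+)$"
)


def parse_line(line):
    """Return a dict of fields, or None if the line does not match the assumed layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["req_bytes"] = int(rec["req_bytes"])
    return rec


def find_anomalies(lines, portal_prefix="/captive-portal/",
                   max_request_bytes=2048, min_server_errors=2):
    """Flag oversized portal requests and sources that repeatedly trigger 5xx
    responses on the portal path; both thresholds are illustrative."""
    findings = []
    server_errors = defaultdict(int)
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or not rec["path"].startswith(portal_prefix):
            continue  # unparseable or not portal traffic
        if rec["req_bytes"] > max_request_bytes:
            findings.append({"src": rec["src"], "reason": "oversized_request",
                             "bytes": rec["req_bytes"]})
        if rec["status"] >= 500:
            server_errors[rec["src"]] += 1
    for src, count in server_errors.items():
        if count >= min_server_errors:
            findings.append({"src": src, "reason": "repeated_server_errors",
                             "count": count})
    return findings
```

A real deployment would feed the firewall's own web or system logs through the same two checks and tune the byte and error thresholds to the portal's normal login traffic.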
“This is not just an IT issue—it's a business continuity concern,” added the researcher. “Every hour without a fix increases the risk of a breach.”
Next Steps for Security Teams
Security teams should immediately inventory all PAN-OS systems and verify whether Captive Portal is enabled. If possible, disable the feature until a patch is available.
Palo Alto Networks is expected to release an emergency hotfix soon. Administrators should watch for updates and apply them as soon as they become available.
For detailed technical analysis, refer to the full Unit 42 threat brief on CVE-2026-0300. The report includes indicators of compromise and detection methods.