7 Critical Facts About the PAN-OS Captive Portal Zero-Day (CVE-2026-0300)
In early 2026, a new zero-day vulnerability rocked the cybersecurity world: CVE-2026-0300, a buffer overflow flaw in Palo Alto Networks' PAN-OS operating system. Discovered and detailed by Unit 42, this vulnerability targets the User-ID Authentication Portal—commonly known as the captive portal—and allows an unauthenticated attacker to execute arbitrary code remotely. The threat is severe, with exploitation already observed in the wild. Below, we break down the seven most important things you need to know about this critical vulnerability and how to defend against it.
1. What Is the Vulnerability?
At its core, CVE-2026-0300 is a classic buffer overflow vulnerability residing in the captive portal component of PAN-OS. When the portal processes certain malformed data packets, it fails to properly validate input length, causing memory corruption. This overflow can be triggered without any authentication—meaning an attacker simply needs network access to the captive portal's listening port (typically TCP 8080 or 8888). The flaw affects both the User-ID agent and the authentication portal itself, making it a high-risk entry point for lateral movement inside a network.

2. Impact: Unauthenticated Remote Code Execution
The most alarming aspect of CVE-2026-0300 is its potential for full system compromise. Because the overflow occurs in a kernel-level service, a successful exploit grants the attacker the same privileges as the PAN-OS operating system—usually root. From there, they can install backdoors, exfiltrate data, or pivot to other devices. No user interaction or valid credentials are required. Unit 42 confirmed that remote code execution (RCE) is achievable with carefully crafted network packets, making this a true zero-click threat.
3. Which PAN-OS Versions Are Affected?
According to the advisory released alongside Unit 42's disclosure, all versions of PAN-OS that include the captive portal functionality and are released before the patch are vulnerable. Specifically, PAN-OS 9.0.x, 9.1.x, 10.0.x, and 10.1.x are confirmed to be exposed if the User-ID Authentication Portal is enabled. Palo Alto Networks recommends checking the official security bulletin for a complete list of version ranges. If your organization uses the captive portal for guest Wi-Fi or employee authentication, you are likely at risk.
4. How Does the Exploit Work?
Exploitation is surprisingly straightforward. The attacker sends a series of specially crafted HTTP requests to the captive portal's authentication endpoint. These requests contain oversized strings in specific parameters—such as the username or session ID—that overflow a fixed-size buffer. Once the buffer is overrun, the attacker can overwrite critical memory structures and redirect execution to shellcode delivered in the same payload. Unit 42's analysis indicates that exploit tools are already circulating in underground forums, lowering the barrier for even novice attackers.
5. Discovery and Responsible Disclosure
Unit 42, the threat intelligence arm of Palo Alto Networks, identified the vulnerability during a routine threat-hunting operation. They traced suspicious network traffic to a customer's PAN-OS firewall and reverse-engineered the malicious payload. After confirming the zero-day nature of the flaw, Unit 42 followed responsible disclosure practices, working closely with the PAN-OS product security team. A patch was released within hours of the discovery, and the advisory was published after a reasonable remediation window to protect customers while still informing the broader security community.

6. Mitigation Steps and Workarounds
The primary mitigation is to apply the official security hotfix provided by Palo Alto Networks. For administrators who cannot immediately patch, a workaround exists: disable the captive portal functionality if it is not essential. This can be done by removing the User-ID Authentication Portal configuration or by blocking inbound traffic to the captive portal ports at the network level using ACLs. Additionally, enabling logging and monitoring for abnormal traffic patterns—especially repeated large HTTP requests—can help detect exploitation attempts. Palo Alto Networks has also released a virtual patch for its Next-Generation Firewalls running Threat Prevention subscriptions.
7. Indicators of Compromise (IOCs)
To identify whether your environment has been targeted, watch for the following signs:
- Unusual HTTP requests containing long strings (more than 2048 bytes) to the captive portal endpoint.
- System crashes or restarts on the firewall appliance, possibly from a buffer overflow triggering a kernel panic.
- Outbound connections from the firewall to unknown IP addresses—indicating a reverse shell or data exfiltration.
- Suspicious files written to the /tmp or /var/log directories of the PAN-OS device.
Unit 42 recommends inspecting logs from the User-ID and Captive Portal modules for any anomalies. Correlate these with network flows to catch post-exploitation activity.
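As an added defender-side example (not from the article or from Unit 42), the script below runs the two detection ideas from sections 6 and 7, oversized requests to the portal endpoint and repeated large requests from a single source, over a few constructed log lines. The log line format, the /captive-portal/ path and the repeat threshold of 3 are assumptions; only the 2048-byte figure comes from the article's IOC list.

```python
import re
from collections import defaultdict
from typing import Dict, Optional

# Assumed for this example (not from the article or PAN-OS documentation):
# log lines look like "<src_ip> <method> <path> <request_bytes> <status>",
# and the portal endpoint is served under the placeholder PORTAL_PATH_PREFIX.
PORTAL_PATH_PREFIX = "/captive-portal/"
LARGE_REQUEST_BYTES = 2048   # "more than 2048 bytes" threshold from the IOC list
REPEAT_THRESHOLD = 3         # assumed: this many large requests from one source = burst
LINE_RE = re.compile(r"^(\S+) (GET|POST|PUT) (\S+) (\d+) (\d{3})$")

# Constructed sample log, not real PAN-OS output: a benign login, a burst of
# oversized POSTs from one source, one oversized request from another, a big
# request to a non-portal path, and a malformed line the parser must skip.
SAMPLE_LOG = """\
10.0.0.5 POST /captive-portal/login 412 200
203.0.113.7 POST /captive-portal/login 4096 500
203.0.113.7 POST /captive-portal/login 4096 500
garbage line that does not parse
203.0.113.7 POST /captive-portal/login 8192 500
10.0.0.9 GET /captive-portal/login 301 200
198.51.100.3 POST /captive-portal/login 3000 200
10.0.0.9 POST /admin/upload 9000 200
"""

def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return a record for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, method, path, nbytes, status = m.groups()
    return {"src": src, "method": method, "path": path,
            "bytes": int(nbytes), "status": int(status)}

def is_large_portal_request(rec: Dict[str, object]) -> bool:
    """IOC from the article: a portal request larger than LARGE_REQUEST_BYTES."""
    return (str(rec["path"]).startswith(PORTAL_PATH_PREFIX)
            and int(rec["bytes"]) > LARGE_REQUEST_BYTES)

def analyse(log_text: str) -> Dict[str, object]:
    """Collect oversized portal requests and the sources that repeat them."""
    large, per_src = [], defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and is_large_portal_request(rec):
            large.append(rec)
            per_src[str(rec["src"])] += 1
    bursts = sorted(s for s, n in per_src.items() if n >= REPEAT_THRESHOLD)
    return {"large_requests": large, "burst_sources": bursts}
```

Sources listed under burst_sources are candidates for correlation with the firewall's outbound flows and file-system IOCs described above, not a verdict on their own.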
Conclusion
CVE-2026-0300 represents a serious threat to any organization using Palo Alto Networks firewalls with captive portal features. The combination of unauthenticated remote code execution and active exploitation demands immediate attention. By understanding the vulnerability, applying the patch, and monitoring for IOCs, defenders can significantly reduce their risk. Unit 42 continues to track this threat and will update its guidance as new information emerges.