Palo Alto PAN-OS captive portal flaw enables root RCE

A buffer overflow in PAN-OS User-ID Authentication Portal (CVE-2026-0300) is being exploited in the wild, allowing unauthenticated remote code execution as root on PA- and VM-Series firewalls. Patches begin May 13, 2026.

Palo Alto Networks warned that a critical buffer overflow in the PAN-OS User-ID Authentication Portal, commonly called the captive portal, is being exploited in the wild. The flaw can let unauthenticated attackers send specially crafted packets to the portal and run arbitrary code with root privileges on PA-Series and VM-Series firewalls.

The issue is tracked as CVE-2026-0300. The advisory assigns a CVSS score of 9.3 when the portal is exposed to the internet or any untrusted network and 8.7 when access is limited to trusted internal IP addresses. The advisory states: “A buffer overflow vulnerability in the User-ID Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.” Reported exploitation has been limited to captive portal instances that were left publicly accessible.

Impacted PAN-OS builds include 12.1 versions prior to 12.1.4-h5 and 12.1.7; 11.2 builds before 11.2.4-h17, 11.2.7-h13, 11.2.10-h6 and 11.2.12; 11.1 builds prior to 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5 and 11.1.15; and 10.2 builds before 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7 and 10.2.18-h6. The advisory says the vulnerability applies only to PA- and VM-Series firewalls configured to use the User-ID Authentication Portal.

Palo Alto Networks has scheduled fixes to begin rolling out on May 13, 2026. Until updates are available, the advisory recommends restricting the User-ID Authentication Portal to trusted zones or disabling it where it is not required. Security teams should verify whether the portal is enabled and reachable from untrusted networks, apply network access restrictions where possible, and review firewall logs for unusual activity.
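As an added triage helper that is not part of the article or of any Palo Alto Networks tooling, the following Python checks a firewall's reported PAN-OS build against the fixed builds listed above. It assumes the advisory's "prior to" wording means every build ordered before the last listed fix in a release train is affected unless it is at or above one of the named hotfix builds for its maintenance release; the fix table is transcribed from the version list in this article.

```python
import re
from typing import Tuple

# Fixed builds per release train, transcribed from the advisory as quoted in
# the article: (maintenance, hotfix). A hotfix of 0 means the base release
# itself (e.g. 12.1.7) carries the fix.
FIXED_BUILDS = {
    "12.1": [(4, 5), (7, 0)],
    "11.2": [(4, 17), (7, 13), (10, 6), (12, 0)],
    "11.1": [(4, 33), (6, 32), (7, 6), (10, 25), (13, 5), (15, 0)],
    "10.2": [(7, 34), (10, 36), (13, 21), (16, 7), (18, 6)],
}

# PAN-OS builds look like "11.1.4-h33"; the -hN hotfix suffix is optional.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text: str) -> Tuple[str, int, int]:
    """Split '11.1.4-h33' into ('11.1', 4, 33); a missing -hN suffix is hotfix 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return f"{major}.{minor}", int(maint), int(hotfix or 0)


def cve_2026_0300_status(version: str) -> str:
    """Return 'affected', 'fixed' or 'not-listed' for a PAN-OS build string.

    Assumption (my reading of the advisory, not stated verbatim): builds at or
    after the newest listed fix in a train are fixed; earlier builds are fixed
    only if they match a listed maintenance release at or above its hotfix.
    """
    train, maint, hotfix = parse_panos_version(version)
    if train not in FIXED_BUILDS:
        return "not-listed"  # the advisory names no fixed build for this train
    fixes = FIXED_BUILDS[train]
    if (maint, hotfix) >= max(fixes):
        return "fixed"
    for fix_maint, fix_hotfix in fixes:
        if maint == fix_maint and hotfix >= fix_hotfix:
            return "fixed"
    return "affected"


if __name__ == "__main__":
    # Constructed sample builds, e.g. as reported in the firewall's system info.
    for v in ["11.1.4-h33", "11.1.4-h12", "11.1.5", "12.1.7", "10.2.18-h6", "12.2.0"]:
        print(f"{v:12s} {cve_2026_0300_status(v)}")
```

The result reflects the build only; per the advisory, a firewall is exposed only when it is also configured to use the User-ID Authentication Portal, so pair this check with the portal-enabled and reachability review described above.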

The User-ID Authentication Portal is used to prompt users for credentials and enforce access policies. Services of this type that accept connections from the internet increase the attack surface, and the advisory identifies publicly exposed portal instances as the focus of the limited exploitation activity.
