Active Exploitation of PAN-OS Captive Portal Flaw Gives Attackers Root on Firewalls
Palo Alto Networks disclosed CVE-2026-0300, a critical buffer overflow in the PAN-OS User-ID Authentication Portal (also called the Captive Portal) that is being exploited in the wild to achieve unauthenticated remote code execution with root privileges. The flaw is an out-of-bounds write triggered by specially crafted packets and affects exposed PA-Series and VM-Series firewalls running affected releases in the PAN-OS 10.2, 11.1, 11.2, and 12.1 trains. Palo Alto assigned the issue a CVSS score of 9.3 when the portal is reachable from the public internet or other untrusted networks, and 8.7 when access is limited to trusted internal IP addresses.
The company said observed attacks have focused on Authentication Portal instances exposed to untrusted IP addresses, while Prisma Access, Cloud NGFW, and Panorama are not affected. At disclosure, fixes were not yet broadly available, with patch releases scheduled to begin in mid-May and continue through late May 2026. Palo Alto urged customers to immediately restrict portal access to trusted zones or internal IPs, or disable the Authentication Portal if it is not required, and said a Threat Prevention Signature for PAN-OS 11.1 and later was released as an added mitigation layer.
How this story unfolded
6 events from the earliest known activity through the most recent confirmed update.
Palo Alto links CVE-2026-0300 exploitation to CL-STA-1132 activity
Palo Alto Networks said suspected state-sponsored cluster CL-STA-1132 began attempting to exploit CVE-2026-0300 on April 9, 2026, and achieved successful remote code execution about a week later by injecting shellcode into an nginx worker process. The company also described post-exploitation behavior including log deletion, Active Directory enumeration, and deployment of EarthWorm and ReverseSocks5 on a second device by April 29.
Palo Alto releases Threat Prevention Signature for CVE-2026-0300
Palo Alto Networks released a Threat Prevention Signature for PAN-OS 11.1 and later as a mitigation for CVE-2026-0300. The signature was made available ahead of full software patches to help reduce exploitation risk.
Palo Alto discloses CVE-2026-0300 under active exploitation
Palo Alto Networks disclosed CVE-2026-0300, a critical unauthenticated buffer overflow in the PAN-OS User-ID Authentication Portal that can lead to remote code execution with root privileges. The company said the flaw is being exploited in the wild, particularly against internet-exposed or otherwise untrusted portal deployments.
Palo Alto announces patch rollout schedule for affected PAN-OS versions
Alongside the disclosure, Palo Alto said fixes for affected PAN-OS 10.2, 11.1, 11.2, and 12.1 versions would begin rolling out between May 13 and May 28, 2026. Until patches are available, customers were advised to restrict portal access to trusted internal IPs or disable the Authentication Portal if unused.
CISA adds CVE-2026-0300 to Known Exploited Vulnerabilities catalog
CISA added Palo Alto Networks PAN-OS CVE-2026-0300 to its Known Exploited Vulnerabilities Catalog, formally recognizing the flaw as exploited in the wild. The agency directed organizations to apply vendor mitigations, follow BOD 22-01 guidance for cloud services, or discontinue use if mitigations were unavailable.
CISA sets May 9 remediation deadline for CVE-2026-0300
After adding CVE-2026-0300 to the KEV catalog, CISA required Federal Civilian Executive Branch agencies to remediate the actively exploited Palo Alto PAN-OS flaw by May 9, 2026, under Binding Operational Directive 22-01. The agency urged immediate mitigations because vendor patches were still pending.
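The mitigation guidance above (restrict the Authentication Portal to trusted zones or internal IPs, disable it if unused, deploy the Threat Prevention Signature on PAN-OS 11.1 and later, and meet the CISA deadline where BOD 22-01 applies) is easy to state and easy to miss on a large fleet. The following inventory triage script is an added example, not code from Palo Alto Networks, CISA, or Mallory. It encodes only what this story states: the affected product families, the release trains named as containing affected versions, the two CVSS contexts, the signature's minimum train, and the May 9, 2026 FCEB deadline. Because the story lists trains rather than exact affected builds, the script conservatively treats every version in a named train as affected until a fixed release is recorded (an assumption). The inventory field names, hostnames, and version strings are constructed for illustration.

```python
"""
Triage a firewall inventory against the CVE-2026-0300 guidance summarized
in this story. Added example; not vendor, CISA, or Mallory code.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Release trains the story names as containing affected versions. The story
# says "multiple" versions per train without listing them, so every version
# in these trains is treated as affected until a fix is installed (assumption).
AFFECTED_TRAINS = {"10.2", "11.1", "11.2", "12.1"}
AFFECTED_PRODUCTS = {"PA-Series", "VM-Series"}
UNAFFECTED_PRODUCTS = {"Prisma Access", "Cloud NGFW", "Panorama"}
SIGNATURE_MIN_TRAIN = (11, 1)          # Threat Prevention Signature: 11.1 and later
FCEB_DEADLINE = date(2026, 5, 9)       # CISA BOD 22-01 remediation date


@dataclass
class Firewall:
    """One inventory record. Field names are hypothetical, not a PAN-OS API."""
    name: str
    product: str
    panos_version: str                       # e.g. "11.1.6-h2"
    portal_enabled: bool                     # User-ID Authentication Portal on?
    portal_reachable_from_untrusted: bool    # internet or other untrusted zone
    fixed_release_installed: bool = False    # set once the vendor fix is applied


def release_train(version: str) -> tuple:
    """'11.1.6-h2' -> (11, 1). Hotfix suffixes after '-' are ignored."""
    major, minor = version.split("-")[0].split(".")[:2]
    return int(major), int(minor)


def triage(fw: Firewall, as_of: str = "2026-05-09") -> dict:
    """Classify one firewall and return the mitigation action it needs."""
    train = release_train(fw.panos_version)
    train_str = f"{train[0]}.{train[1]}"
    result = {"name": fw.name, "affected": False, "cvss": None,
              "priority": 0, "action": ""}

    if fw.product in UNAFFECTED_PRODUCTS:
        result["action"] = "Not affected per advisory; no action."
        return result
    if fw.product not in AFFECTED_PRODUCTS:
        result["action"] = "Product not named in advisory; verify scope manually."
        return result
    if train_str not in AFFECTED_TRAINS:
        result["action"] = "Release train not listed as affected; confirm against advisory."
        return result
    if fw.fixed_release_installed:
        result["action"] = "Fixed release installed; confirm portal exposure is still restricted."
        return result

    result["affected"] = True
    signature = ("deploy the Threat Prevention Signature"
                 if train >= SIGNATURE_MIN_TRAIN else
                 "no signature for this train, rely on access restriction")
    if not fw.portal_enabled:
        result["priority"] = 1
        result["action"] = f"Portal disabled: keep it disabled, apply fix when released; {signature}."
    elif fw.portal_reachable_from_untrusted:
        result["cvss"] = 9.3
        result["priority"] = 3
        result["action"] = (f"URGENT: restrict portal to trusted zones/internal IPs "
                            f"or disable it; {signature}.")
    else:
        result["cvss"] = 8.7
        result["priority"] = 2
        result["action"] = f"Portal limited to trusted IPs: apply fix when released; {signature}."
    # Days remaining to the CISA deadline (only binding on FCEB agencies).
    result["fceb_days_to_deadline"] = (FCEB_DEADLINE - date.fromisoformat(as_of)).days
    return result


def triage_inventory(fleet, as_of: str = "2026-05-09") -> list:
    """Triage a fleet, most urgent first (stable for equal priority)."""
    return sorted((triage(fw, as_of) for fw in fleet), key=lambda r: -r["priority"])


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_FLEET = [
    Firewall("edge-fw-1", "PA-Series", "11.1.6-h2", True, True),
    Firewall("dc-fw-2", "VM-Series", "10.2.13", True, False),
    Firewall("lab-fw-3", "PA-Series", "11.2.3", False, False),
    Firewall("panorama-1", "Panorama", "11.1.4", False, False),
    Firewall("branch-fw-4", "PA-Series", "12.1.1", True, True,
             fixed_release_installed=True),
]

if __name__ == "__main__":
    for r in triage_inventory(SAMPLE_FLEET, as_of="2026-05-01"):
        print(f"{r['name']:12} affected={r['affected']!s:5} cvss={r['cvss']}  {r['action']}")
```

The ordering puts internet-exposed portals on affected trains first, matching the story's note that observed attacks targeted instances exposed to untrusted addresses; a portal that is disabled still counts as affected code until patched, so it is tracked rather than dropped. Replace the constructed fleet with an export from your own asset inventory, and once Palo Alto publishes the exact fixed builds, replace the train-level check with a per-version comparison.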