Skip to content

Security Sense

AI Threat Intelligence

  • About
  • Blog
  • Privacy Policy

CVE-2026-0300: PAN-OS User-ID Authentication Portal RCE Vulnerability

Posted on May 15, 2026 by Kyle

Overview

CVE-2026-0300 is a critical out-of-bounds write vulnerability affecting Palo Alto Networks PAN-OS software. This flaw in the User-ID™ Authentication Portal (Captive Portal) service permits an unauthenticated attacker to execute arbitrary code with root privileges on vulnerable PA-Series and VM-Series firewalls. Its high severity (CVSS 9.8) and potential for unauthenticated remote code execution make it a significant threat, especially if the Captive Portal is internet-facing and not properly secured.

Technical Analysis

  • Vulnerability: CVE-2026-0300, an out-of-bounds write (CWE-787), specifically described as a buffer overflow.
  • Affected Service: User-ID™ Authentication Portal (also known as Captive Portal) service.
  • Attack Vector: An unauthenticated attacker can execute arbitrary code by sending specially crafted packets to the vulnerable service.
  • Impact: Arbitrary code execution with root privileges on the affected firewall.
  • Affected Products: Palo Alto Networks PAN-OS versions 10.2.0 through 10.2.9.
  • Unaffected Products: Prisma Access, Cloud NGFW, and Panorama appliances are not impacted by this vulnerability.
  • Prerequisites: The User-ID™ Authentication Portal must be enabled and accessible to the attacker. The risk is significantly reduced if access to the portal is restricted to trusted internal IP addresses.

Detection

  • Monitor firewall logs for unusual connection attempts or traffic patterns directed at the User-ID Authentication Portal service.
  • Look for unexpected process creation or command execution originating from the firewall’s operating system, particularly with root privileges.
  • Analyze network traffic for specially crafted packets targeting the Captive Portal, though specific signatures may not be publicly available at the time of writing.
  • Hunt for signs of post-exploitation activity, such as outbound connections to unknown external IPs, unusual file modifications, or attempts to establish persistence.
  • Review system logs for crashes or restarts of the User-ID or Captive Portal services that might indicate exploitation attempts.

Mitigations

  1. Restrict Access: Immediately restrict access to the User-ID™ Authentication Portal (Captive Portal) to only trusted internal IP addresses. This is the primary recommended mitigation to significantly reduce exposure, as highlighted in Palo Alto Networks’ best practice guidelines.
  2. Apply Patches: Apply vendor-provided patches for CVE-2026-0300 as soon as they become available for your specific PAN-OS version. No specific patch versions were provided in the source material, but updates should be prioritized.
  3. Network Segmentation: Isolate firewalls running vulnerable PAN-OS versions from untrusted networks where possible to limit attack surface.
  4. Monitor Firewall Activity: Implement robust monitoring for all firewall management interfaces and services, including the Captive Portal, to detect anomalous behavior.

References

  • https://nvd.nist.gov/vuln/detail/CVE-2026-0300
  • https://security.paloaltonetworks.com/CVE-2026-0300
  • https://cert-portal.siemens.com/productcert/html/ssa-967325.html
  • https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-0300
  • https://knowledgebase.paloaltonetworks.com/KCSArticleDetail
  • https://unit42.paloaltonetworks.com/captive-portal-zero-day/

Indicators of Compromise

Type Value Description
SHA256 e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584 EarthWorm payload hash (via https://unit42.paloaltonetworks.com/captive-portal-zero-day/)
IP Address 136.0.8.48 Attacker IP (via https://unit42.paloaltonetworks.com/captive-portal-zero-day/)
IP Address 146.70.100.69 C2 staging server (via https://unit42.paloaltonetworks.com/captive-portal-zero-day/)
IP Address 149.104.66.84 Attacker IP (via https://unit42.paloaltonetworks.com/captive-portal-zero-day/)
IP Address 67.206.213.86 Attacker IP (via https://unit42.paloaltonetworks.com/captive-portal-zero-day/)
URL http://146.70.100.69:8000/php_sess EarthWorm download URL (via https://unit42.paloaltonetworks.com/captive-portal-zero-day/)

MITRE ATT&CK

  • T1190 — Exploit Public-Facing Application
  • T1059 — Command and Scripting Interpreter
  • T1068 — Exploitation for Privilege Escalation
  • T1498.001 — Direct Network Flood
  • T1087.002 — Domain Account
  • T1021.004 — SSH
  • T1071 — Application Layer Protocol
  • T1055 — Process Injection
  • T1572 — Protocol Tunneling
  • T1070.001 — Clear Windows Event Logs
  • T1016 — System Network Configuration Discovery
  • T1090 — Proxy
  • T1098 — Account Manipulation
  • T1562.001 — Disable or Modify Tools
  • T1078 — Valid Accounts
  • T1078.002 — Domain Accounts
  • T1070.004 — File Deletion
  • T1071.001 — Web Protocols
  • T1018 — Remote System Discovery
  • T1105 — Ingress Tool Transfer
  • T1021.001 — Remote Desktop Protocol
🤖 AI Attribution
Generated by gemini-2.5-flash ·
1,802 input / 1,120 output tokens ·
Reviewed and approved by a human analyst before publication

Post navigation

WordPress Funnel Builder Plugin Vulnerability Actively Exploited for Credit Card Theft

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Proudly powered by WordPress | Theme: micro, developed by DevriX.