Palo Alto Networks has confirmed active exploitation of CVE-2026-0300, an unauthenticated buffer overflow in the User-ID Authentication Portal (the feature most operators still call “Captive Portal”) that gives an attacker arbitrary code execution as root on PA-Series and VM-Series firewalls. CISA added the bug to its Known Exploited Vulnerabilities catalog on May 6 with a federal remediation deadline of May 9, 2026. The vendor’s software fix isn’t expected until May 13, leaving every firewall that serves the portal to an untrusted network in a four-day gap that has to be closed by configuration alone.

What happened

The flaw lives in the PAN-OS code that parses requests destined for the captive portal, the HTTPS landing page the firewall presents to users for authentication and user-to-IP mapping. A specially crafted request to the portal triggers a heap buffer overflow before any authentication check fires, so no credentials are needed. Successful exploitation yields a shell running as root on the data plane.

Palo Alto Unit 42 traced the earliest probes back to April 9, 2026. Those initial attempts failed; a week later the same actor cleared the bar, landed shellcode for code execution, and pivoted from the firewall into the customer’s network. The post-exploitation tooling recovered from affected devices is unsubtle and well known: EarthWorm and ReverseSocks5 for tunneling, Active Directory enumeration using credentials harvested from the firewall configuration, and a methodical clean-up pass in which kernel crash messages were wiped and nginx crash logs and core dumps deleted. That clean-up is itself a detection opportunity: if you’ve already been hit, the absence of crash artifacts on a device that ought to have them is a tell.

Severity and scope

  • CVSS 9.3 when the captive portal is reachable from the internet or any untrusted segment.
  • CVSS 8.7 if portal access is constrained to trusted internal IPs.
  • Affected: PA-Series hardware firewalls and VM-Series virtual firewalls running PAN-OS, when User-ID Authentication Portal is enabled.
  • Not affected: Prisma Access, Cloud NGFW, and Panorama management appliances — the vulnerable code path is data-plane-only.

This is the same general blast radius as the 2024 PAN-OS GlobalProtect zero-day (CVE-2024-3400): a perimeter device, no authentication, root, and adversaries who already know the playbook for what to do once they have root on a firewall.

Mitigations until May 13

Patches won’t be available until next Wednesday, May 13. Until then, every PAN-OS operator with the Authentication Portal enabled needs to apply at least one of the following, ranked by preference:

  1. Disable the User-ID Authentication Portal entirely if it isn’t load-bearing for your authentication posture. Before you do, check which User-ID sources are actually producing mappings; most environments that use GlobalProtect or Cloud Identity Engine for user-to-IP mapping don’t need the captive portal at all.
  2. Restrict the portal to trusted zones only: remove it from any L3 interface that can ingress untrusted or internet traffic.
  3. Disable Response Pages in the Interface Management Profile attached to every L3 interface in an untrusted zone, keeping them enabled only on internal-facing interfaces that must serve the portal. The vulnerable parsing path is reached through response page handling, so an interface that serves no response pages does not expose it.
  4. Threat Prevention signature. Customers with a Threat Prevention subscription can enable Threat ID 510019 (Applications and Threats content 9097-10022 or later). This requires PAN-OS 11.1 or newer for decoder support; older trains can’t load the rule. The signature only inspects sessions that match a security rule carrying a Vulnerability Protection profile that includes it, so confirm the rules governing traffic to the portal interface have one, and treat the signature as a compensating control rather than a reason to leave the portal exposed.

Patches are scheduled to land on May 13, 2026. Do not assume they’ll be ready early; Palo Alto’s last few security releases have shipped exactly on the announced date.
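A way to check mitigations 2 and 3 against an exported running configuration before and after the change, as an added example for this article (not Palo Alto Networks tooling and not code from the original page). It assumes the element layout shown in the constructed sample config, which is modelled on the PAN-OS XML export (network/profiles/interface-management-profile, network/interface/ethernet, vsys/entry/zone), that an absent <response-pages> element means the option is off, and an operator-supplied set of untrusted zone names; verify the paths against your own export before trusting the result.

```python
"""Flag L3 interfaces in untrusted zones whose management profile serves
response pages (and therefore the Authentication Portal) in a PAN-OS config.

Added example, not Palo Alto Networks tooling. The XML layout below is an
assumption modelled on the PAN-OS running-config export; check the element
paths against your own export before trusting the result.
"""
import xml.etree.ElementTree as ET

# Constructed sample config: three management profiles, four L3 interfaces,
# three zones. Only ethernet1/1 and ethernet1/2 should be reported.
SAMPLE_CONFIG = """\
<config><devices><entry name="localhost.localdomain">
  <network>
    <profiles><interface-management-profile>
      <entry name="mgmt-open"><https>yes</https><response-pages>yes</response-pages></entry>
      <entry name="mgmt-inside"><https>yes</https><response-pages>yes</response-pages>
        <permitted-ip><entry name="10.0.0.0/8"/></permitted-ip></entry>
      <entry name="mgmt-ping"><ping>yes</ping><response-pages>no</response-pages></entry>
    </interface-management-profile></profiles>
    <interface><ethernet>
      <entry name="ethernet1/1"><layer3><interface-management-profile>mgmt-open</interface-management-profile></layer3></entry>
      <entry name="ethernet1/2"><layer3><interface-management-profile>mgmt-inside</interface-management-profile></layer3></entry>
      <entry name="ethernet1/3"><layer3><interface-management-profile>mgmt-ping</interface-management-profile></layer3></entry>
      <entry name="ethernet1/4"><layer3/></entry>
    </ethernet></interface>
  </network>
  <vsys><entry name="vsys1"><zone>
    <entry name="untrust"><network><layer3><member>ethernet1/1</member><member>ethernet1/4</member></layer3></network></entry>
    <entry name="dmz"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
    <entry name="trust"><network><layer3><member>ethernet1/3</member></layer3></network></entry>
  </zone></entry></vsys>
</entry></devices></config>
"""

# Assumption: the operator names the zones that carry internet or otherwise
# untrusted traffic; the config itself has no "trusted" attribute.
UNTRUSTED_ZONES = {"untrust", "dmz"}


def _enabled(elem, tag):
    """PAN-OS toggles are <tag>yes</tag>; treat a missing element as off (assumption)."""
    node = elem.find(tag)
    return node is not None and (node.text or "").strip().lower() == "yes"


def load_profiles(root):
    """Map profile name -> {response_pages: bool, permitted_ip: [cidr, ...]}."""
    profiles = {}
    for p in root.iterfind(".//network/profiles/interface-management-profile/entry"):
        profiles[p.get("name")] = {
            "response_pages": _enabled(p, "response-pages"),
            "permitted_ip": [e.get("name") for e in p.iterfind("permitted-ip/entry")],
        }
    return profiles


def load_zone_map(root):
    """Map interface name -> zone name from each vsys's zone definitions."""
    zone_of = {}
    for z in root.iterfind(".//vsys/entry/zone/entry"):
        for m in z.iterfind("network/layer3/member"):
            zone_of[(m.text or "").strip()] = z.get("name")
    return zone_of


def audit(config_xml, untrusted_zones):
    """Return (interface, zone, profile, reason) for every exposed interface."""
    root = ET.fromstring(config_xml)
    profiles = load_profiles(root)
    zone_of = load_zone_map(root)
    findings = []
    for iface in root.iterfind(".//network/interface/ethernet/entry"):
        name = iface.get("name")
        ref = iface.find("layer3/interface-management-profile")
        if ref is None or not (ref.text or "").strip():
            continue  # no management profile: the firewall serves nothing on this interface
        prof_name = ref.text.strip()
        prof = profiles.get(prof_name)
        zone = zone_of.get(name, "<unassigned>")
        if prof is None or not prof["response_pages"] or zone not in untrusted_zones:
            continue
        if prof["permitted_ip"]:
            reason = "response-pages enabled; permitted-ip limited to " + ", ".join(prof["permitted_ip"])
        else:
            reason = "response-pages enabled; no permitted-ip restriction"
        findings.append((name, zone, prof_name, reason))
    return findings


if __name__ == "__main__":
    for iface, zone, prof, reason in audit(SAMPLE_CONFIG, UNTRUSTED_ZONES):
        print(f"{iface:12} zone={zone:8} profile={prof:12} {reason}")
```

An interface with no management profile serves no response pages, so it is skipped. ethernet1/2 is still reported even though its profile carries a permitted-ip list, because mitigation 3 is to turn response pages off on untrusted interfaces, not to fence them; the permitted-ip detail is included so you can see at a glance which findings are wide open and which are merely exposed.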

Detection

Hunt for the post-exploit residue Unit 42 has documented:

  • Sustained crash-log gaps on devices that previously logged normally — particularly missing /var/log/nginx/ crash entries and absent kernel crash dumps.
  • Outbound connections from the firewall management plane to addresses you haven’t authorized. EarthWorm and ReverseSocks5 will use whatever port the operator chooses (8080, 8443 and non-standard high ports are common), so the destination, not the port, is the indicator: baseline the management plane’s legitimate egress (content updates, Panorama, log forwarding, NTP, DNS) and alert on anything outside it.
  • AD enumeration traffic originating from the firewall’s data plane interfaces (LDAP queries, Kerberos pre-authentication requests, SMB enumeration) that doesn’t match the device’s legitimate User-ID agent activity.
  • Successful POSTs to captive portal URLs from external IPs, especially from sources that previously generated 4xx errors: a run of failures followed by a 2xx from the same address is the pattern of an exploit being tuned, and matches what Unit 42 saw in April.
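A constructed example, not from Unit 42 or the original article, of hunting the last indicator over portal access logs in combined (nginx-style) format as they would be forwarded to a SIEM. It assumes the portal path /php/uid.php and an operator-supplied list of internal networks, both of which are assumptions to adjust; RFC 5737 documentation addresses stand in for external sources, which is why the code checks an explicit network list instead of ipaddress.is_private (Python classes those ranges as non-global). It goes slightly beyond the bullet by reporting every external successful POST, ranked by how many 4xx responses the same source collected first, so sources with no prior failures are not lost.

```python
"""Hunt portal access logs for external sources whose POSTs to the
Authentication Portal eventually succeeded, ranked by how many 4xx
responses the same source collected first.

Added example for this article, not Unit 42 or Palo Alto Networks code.
Assumptions: combined (nginx-style) access-log lines, the portal path
/php/uid.php, and an operator-supplied list of internal networks.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumption: portal URL path(s) your firewall serves; adjust to your environment.
PORTAL_PATHS = ("/php/uid.php",)

# Assumption: your own address space. An explicit list is used instead of
# ipaddress.is_private because Python classes the RFC 5737 documentation
# ranges used below (203.0.113.0/24, 198.51.100.0/24) as non-global.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample, deliberately out of order: one external source fails
# twice then succeeds, one internal user logs in normally, one external
# source only probes, one external source succeeds with no prior errors.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Apr/2026:02:11:03 +0000] "POST /php/uid.php HTTP/1.1" 400 0 "-" "python-requests/2.31"
10.20.4.15 - - [16/Apr/2026:08:00:01 +0000] "GET /php/uid.php?vsys=1&rule=0&url=http%3A%2F%2Fintranet HTTP/1.1" 200 1342 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Apr/2026:02:11:09 +0000] "POST /php/uid.php HTTP/1.1" 400 0 "-" "python-requests/2.31"
10.20.4.15 - - [16/Apr/2026:08:00:09 +0000] "POST /php/uid.php HTTP/1.1" 200 220 "-" "Mozilla/5.0"
198.51.100.23 - - [16/Apr/2026:09:30:00 +0000] "GET /php/uid.php HTTP/1.1" 403 0 "-" "curl/8.4"
203.0.113.7 - - [16/Apr/2026:02:12:41 +0000] "POST /php/uid.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.9 - - [16/Apr/2026:10:00:00 +0000] "POST /php/uid.php HTTP/1.1" 200 220 "-" "Mozilla/5.0"
this line is not an access-log record and is skipped
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return a dict for one combined-format record, or None for noise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:
        return None
    return {"ip": ip, "ts": ts, "method": m["method"],
            "path": m["path"].split("?", 1)[0], "status": int(m["status"])}


def is_external(ip, trusted_nets):
    """True when the address is outside every network you consider internal."""
    return not any(ip in net for net in trusted_nets)


def hunt(lines, trusted_nets, portal_paths=PORTAL_PATHS):
    """Return one record per external IP with a successful portal POST,
    most prior 4xx responses first."""
    events = [e for e in map(parse_line, lines)
              if e and any(e["path"].startswith(p) for p in portal_paths)]
    events.sort(key=lambda e: e["ts"])  # forwarded logs are not always in order
    prior_4xx = defaultdict(int)
    hits = {}
    for e in events:
        if not is_external(e["ip"], trusted_nets):
            continue
        key = str(e["ip"])
        if 400 <= e["status"] < 500:
            prior_4xx[key] += 1
        elif e["method"] == "POST" and 200 <= e["status"] < 300 and key not in hits:
            hits[key] = {"ip": key, "first_success": e["ts"].isoformat(),
                         "prior_4xx": prior_4xx[key]}
    return sorted(hits.values(), key=lambda h: (-h["prior_4xx"], h["first_success"]))


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG.splitlines(), TRUSTED_NETS):
        print(f'{h["ip"]:16} first 2xx POST {h["first_success"]}  prior 4xx={h["prior_4xx"]}')
```

On the sample, 203.0.113.7 comes out on top with two prior 4xx responses, 198.51.100.9 is listed with none, the probing-only source 198.51.100.23 is not listed because it never succeeded, and the internal user is ignored. A 4xx-only source still deserves a look, but it is the transition from failure to success that most directly matches the exploit-development pattern Unit 42 described.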

If you find any of the above, treat the firewall itself as fully compromised: rotate every credential the device touched (RADIUS shared secrets, AD service accounts, SNMP communities, API keys, GlobalProtect SAML signing certs), pull a configuration snapshot and whatever logs survived the clean-up for forensics, and rebuild from a known-clean image.

What this means

Two things stand out beyond the immediate firefight. First, the four-day gap between the KEV deadline and patch availability means the only compliant path for FCEB agencies is to disable or fence off a perimeter authentication feature in production. That is a clear signal that CISA considers the configuration mitigations sufficient, and an implicit acknowledgment that leaving the portal exposed is the larger risk. Second, the post-exploitation toolkit Unit 42 observed (EarthWorm, ReverseSocks5, AD enumeration, log wipe) is essentially the Volt Typhoon playbook. Whether or not the same actor is behind these intrusions, the pattern is now generic enough that any cluster of activity matching it should be handled as a state-aligned intrusion until proven otherwise.
