Palo Alto Networks disclosed CVE-2026-0300 on May 6, 2026: an unauthenticated buffer overflow in the User-ID Authentication Portal — better known as the Captive Portal — that lets a remote attacker execute arbitrary code as root on PA-Series and VM-Series firewalls by sending specially crafted packets. The vendor confirms “limited exploitation in the wild” against internet-exposed portals, and the first round of fixed PAN-OS builds is not scheduled to ship until May 13, with a second wave on May 28. That gives a week-plus window in which the perimeter device that is supposed to be inspecting your traffic is itself the soft target.

What happened

The vulnerable code path lives in the Captive Portal authentication service inside the User-ID daemon — the component that intercepts unauthenticated client traffic and prompts for credentials so the firewall can map a username to an IP. A malformed request to that listener overflows a stack buffer before any authentication occurs. There is no preauth check, no rate limit on the affected handler, and the daemon runs as root, so successful exploitation hands the attacker a root shell on the management plane of the firewall itself.

Palo Alto rates the bug CVSS 9.3 when the portal is reachable from the internet or any untrusted network, and 8.7 when restricted to trusted internal IPs. The Captive Portal listens on TCP/6081 and TCP/6082 by default. Shadowserver’s scan of public space currently shows 5,800+ PAN-OS VM-Series instances exposed online — concentrated in Asia-Pacific (≈2,466) and North America (≈1,998) — and Shodan is returning roughly 67 hosts with port 6081 specifically open. Not every exposed firewall is configured to use Captive Portal, but every one of them needs to be checked.

Affected products

The advisory limits impact to PA-Series and VM-Series firewalls running PAN-OS and configured with the User-ID Authentication Portal feature enabled. Prisma Access, Cloud NGFW, and Panorama are not affected. All currently supported PAN-OS trains — 10.2, 11.1, 11.2, and 12.1 — are vulnerable in their pre-fix builds. The User-ID portal is most commonly turned on at organizations that mix BYOD or guest networks with identity-based policy, and at sites that do explicit captive-portal authentication for visitor Wi-Fi or contractor segments.

What attackers are doing

Reporting from watchTowr, Wiz, and the Singapore Cyber Security Agency confirms what Palo Alto’s terse advisory only hints at: at least one cluster of activity is sending crafted packets to publicly reachable Captive Portal endpoints, dropping a small implant on the firewall, and using that foothold to pivot inward. Because the portal sits inside the perimeter from the attacker’s point of view but terminates outside the trust boundary from yours, a root-on-firewall outcome is essentially a perimeter bypass with traffic-inspection privileges thrown in. Anyone holding root on the box can read in-flight credentials, alter NAT rules, dump configuration secrets, or stage Layer-7 implants that survive across reboots.

Mitigations until the patch arrives

Palo Alto is explicit about what to do before May 13:

  1. Restrict the User-ID Authentication Portal to trusted zones and internal IP ranges only. Removing the portal from any internet-facing zone collapses the CVSS to 8.7 and, more importantly, removes the only documented exploitation vector.
  2. If you don’t actually use Captive Portal, disable it. The feature defaults to off, but it accumulates in environments that turned it on years ago for guest Wi-Fi and never turned it back off.
  3. For PAN-OS 11.1 and above, enable the emergency Threat Prevention signature Palo Alto pushed alongside the advisory. It blocks the currently observed exploit packets at ingress.
  4. Audit ports 6081/6082 from the public internet. If they answer from outside your perimeter, treat the device as potentially in scope for active exploitation and pull authentication and management logs going back at least to mid-April.

Indicators to hunt for include unexpected child processes spawning from the User-ID daemon, new outbound connections from the firewall management interface to non-Palo Alto destinations, and configuration changes you didn’t make.
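To turn the affected-product rules and the interim mitigations above into something you can run over a firewall inventory, here is an added triage helper (example code written for this post, not Palo Alto's). The record layout, field names and version strings are constructed; fixed-build numbers are not public yet, so "already fixed" is a plain flag.

```python
from dataclasses import dataclass

# Rules taken from the advisory text above; record layout and sample values are constructed.
VULNERABLE_TRAINS = {(10, 2), (11, 1), (11, 2), (12, 1)}
AFFECTED_PRODUCTS = {"PA-Series", "VM-Series"}  # Prisma Access, Cloud NGFW, Panorama: out of scope

@dataclass
class Firewall:
    name: str
    product: str                   # "PA-Series", "VM-Series", "Panorama", ...
    panos: str                     # full version string, e.g. "11.1.4" (constructed)
    captive_portal: bool           # User-ID Authentication Portal enabled?
    portal_internet_facing: bool   # portal reachable from the internet / untrusted networks?
    fixed_build: bool = False      # already on a fixed build (May 13 / May 28 waves)?

def train_of(panos: str) -> tuple:
    """Reduce '11.1.4' to the (11, 1) release train the advisory reasons about."""
    return tuple(int(p) for p in panos.split(".")[:2])

def triage(fw: Firewall) -> dict:
    """Classify one firewall and list the interim actions the advisory calls for."""
    train = train_of(fw.panos)
    if fw.product not in AFFECTED_PRODUCTS or train not in VULNERABLE_TRAINS or fw.fixed_build:
        return {"name": fw.name, "exposure": "not affected", "cvss": None, "actions": []}
    if not fw.captive_portal:
        # Vulnerable code is present, but the only documented vector (the portal) is off.
        return {"name": fw.name, "exposure": "affected-dormant", "cvss": None,
                "actions": ["keep Captive Portal disabled", "patch in the scheduled window"]}
    actions = []
    if fw.portal_internet_facing:
        exposure, cvss = "critical", 9.3
        actions.append("restrict portal to trusted zones and internal IPs (removes the vector)")
        actions.append("check TCP/6081-6082 from outside; if open, pull auth/mgmt logs back to mid-April")
    else:
        exposure, cvss = "high", 8.7
    if train >= (11, 1):
        actions.append("enable the emergency Threat Prevention signature")
    actions.append("disable Captive Portal if it is not actually needed")
    return {"name": fw.name, "exposure": exposure, "cvss": cvss, "actions": actions}

def triage_all(inventory) -> list:
    """Worst exposure first, so the change-window list is ready to go."""
    rank = {"critical": 0, "high": 1, "affected-dormant": 2, "not affected": 3}
    return sorted((triage(fw) for fw in inventory), key=lambda r: rank[r["exposure"]])

if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    for r in triage_all([Firewall("edge-1", "VM-Series", "11.1.4", True, True),
                         Firewall("core-1", "PA-Series", "10.2.9", True, False),
                         Firewall("pan-1", "Panorama", "11.1.4", True, True)]):
        print(r["name"], r["exposure"], r["cvss"], "; ".join(r["actions"]))
```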

Bottom line

A root-level unauthenticated RCE on the perimeter firewall, with active exploitation and a one-week patch gap, is the kind of disclosure that justifies an out-of-cycle change window. If your PA or VM-Series boxes have Captive Portal enabled and reachable from anything you do not fully trust, treat the workaround as mandatory tonight rather than waiting for the May 13 build to land.
