Palo Alto Networks PAN-OS Zero-Day (CVE-2026-0300) Exploited in the Wild - Critical RCE Threat

A critical buffer-overflow (CVE-2026-0300) in PAN-OS User-ID Authentication (Captive) Portal enables unauthenticated remote code execution with root privileges. State-sponsored actors have been exploiting internet-exposed PA-Series and VM-Series firewalls for almost a month, and patches are slated for May 13.

Overview/Introduction

On May 6, 2026, Palo Alto Networks disclosed a critical-severity, unpatched vulnerability in its PAN-OS User-ID Authentication Portal (often called the Captive Portal). Identified as CVE-2026-0300, the flaw is a classic buffer overflow that grants unauthenticated attackers full root access to any PA-Series or VM-Series firewall that exposes the portal to untrusted networks. Threat-intelligence feeds and the Cybersecurity and Infrastructure Security Agency (CISA) have confirmed that the vulnerability is already being weaponised in the wild, with indications pointing to a state-sponsored threat group.

Technical Details

The vulnerability resides in the code path that processes HTTP requests to the User-ID Authentication Portal. A malformed packet can overflow a fixed-size buffer, overwriting adjacent memory structures and allowing arbitrary code execution. Because the portal runs with root privileges, the attacker gains complete control over the firewall’s operating system.

  • CVE Identifier: CVE-2026-0300
  • CVSS v3.1 Base Score: 9.3 (Critical)
  • Vulnerable Components: PAN-OS User-ID Authentication Portal (Captive Portal) on PA-Series and VM-Series firewalls.
  • Attack Vector: Network-based. An unauthenticated remote attacker sends specially crafted HTTP packets to the portal’s listening port (default 443/80 depending on configuration).
  • Exploitation Method: The attacker triggers the overflow, injects a ROP chain, and executes a payload that spawns a root shell. In observed wild activity, the payload subsequently downloads and runs open-source tools such as Earthworm (covert channel) and ReverseSocks5 (outbound proxy tunnelling).

Unit 42’s tracking identifier for the observed campaign is CL-STA-1132. The group’s tactics include immediate log sanitisation (deleting nginx crash logs, core dump files, and other forensic artefacts) to evade detection.

Impact Analysis

The impact is severe for any organization that hosts a PA-Series or VM-Series firewall with the Authentication Portal reachable from the internet or any untrusted IP range. Once compromised, the attacker can:

  • Modify firewall policies, effectively allowing traffic that bypasses security controls.
  • Install persistent backdoors (e.g., ReverseSocks5) for long-term access.
  • Exfiltrate data traversing the firewall or pivot to internal networks.
  • Disrupt network operations by altering routing or NAT tables.

Shadowserver’s scans on May 5 reported more than 5,800 publicly exposed VM-Series firewalls, with the majority in Asia (≈2,466) and North America (≈1,998). The exact number of PA-Series devices exposed is undisclosed, but the scale suggests a broad attack surface.

Timeline of Events

  • April 9, 2026: First unsuccessful exploitation attempts observed against a PAN-OS device.
  • April 16, 2026: Successful RCE achieved; attackers inject shellcode and begin log cleanup.
  • Early May 2026: Palo Alto Networks receives reports of limited exploitation and begins internal investigation.
  • May 6, 2026: Public advisory released warning of active exploitation (BleepingComputer, CyberScoop).
  • May 7, 2026: Additional coverage confirms state-sponsored activity and details of post-exploitation tools.
  • May 13, 2026 (planned): Palo Alto Networks to release initial patches and mitigation guidance.

Mitigation/Recommendations

Until the official patches are available, the following steps are strongly recommended:

  1. Restrict Portal Access: Limit the User-ID Authentication Portal to trusted internal zones or specific IP ranges using firewall policies. The setting can be verified under Device → User Identification → Authentication Portal Settings → Enable Authentication Portal.
  2. Disable the Portal: If the captive portal is not essential for your environment, turn it off entirely.
  3. Network Segmentation: Place management interfaces on isolated VLANs and enforce multi-factor authentication for any administrative access.
  4. Patch Management: Apply the May 13 updates as soon as they are released. Verify the firmware version includes the fix for CVE-2026-0300.
  5. Monitoring: Deploy IDS/IPS signatures for the known exploitation payloads (Earthworm, ReverseSocks5) and enable detailed logging of portal traffic.
  6. Incident Response: Conduct a forensic sweep of any firewall that may have been exposed. Look for signs of log tampering, unexpected processes, and unknown binaries in /etc/ or /usr/local/bin.
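As an added example (not from the advisory or from Palo Alto Networks), a small triage script for steps 1, 5 and 6 above: it reads access-log lines for the portal, checks each source against the ranges that are supposed to be the only ones allowed to reach it, and flags oversized request lines and server errors, the kind of evidence a malformed request or a crash would leave before logs are wiped. The nginx-style log format, the portal path and the trusted ranges are assumptions; the log lines are constructed.

```python
import ipaddress
import re

# Constructed: the only ranges that should ever reach the portal after the
# access restriction in step 1 is applied. Replace with your trusted zones.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]

# Heuristic threshold: legitimate captive-portal requests are short, so a
# request line far beyond this length deserves a closer look.
MAX_REQUEST_LINE = 512

# nginx "combined"-style line: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log excerpt; /portal/login is a placeholder path.
SAMPLE_LOG = "\n".join([
    '10.20.30.40 - - [16/Apr/2026:02:10:05 +0000] "GET /portal/login HTTP/1.1" 200 512',
    '203.0.113.7 - - [16/Apr/2026:02:11:09 +0000] "GET /portal/login HTTP/1.1" 200 512',
    # Oversized request from an untrusted source that ended in a 500; the
    # filler is repeated characters only, standing in for "malformed".
    '198.51.100.2 - - [16/Apr/2026:02:12:41 +0000] "POST /portal/login?q='
    + "x" * 600 + ' HTTP/1.1" 500 0',
])


def is_trusted(ip_text, trusted=TRUSTED_NETS):
    """True when the source address falls inside one of the permitted ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in trusted)


def triage_portal_log(log_text, trusted=TRUSTED_NETS, max_len=MAX_REQUEST_LINE):
    """Return (source_ip, [reasons]) for every portal hit worth investigating.

    Lines that do not match the log format are skipped rather than guessed at.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = []
        if not is_trusted(m["ip"], trusted):
            reasons.append("untrusted source")       # exposure check (step 1)
        if len(m["req"]) > max_len:
            reasons.append("oversized request line")  # malformed request (step 5)
        if m["status"].startswith("5"):
            reasons.append("server error on portal")  # possible crash (step 6)
        if reasons:
            findings.append((m["ip"], reasons))
    return findings
```

Run it against the portal access log of any device that was reachable during the exposure window; a finding with all three reasons from an address outside your trusted ranges is a strong cue to preserve the device's logs and core dumps before they can be removed.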

Real-World Impact

For enterprises, especially those in regulated sectors (finance, healthcare, critical infrastructure), a compromised firewall can invalidate compliance attestations (PCI-DSS, HIPAA, NIST). An attacker with root on the firewall can silently exfiltrate sensitive traffic, manipulate VPN tunnels, or use the device as a launchpad for lateral movement. The use of Earthworm indicates a focus on stealthy command-and-control, while ReverseSocks5 provides a reliable outbound tunnel that can bypass egress filtering.

SMBs that have unintentionally published their VM-Series firewalls to the internet are at particular risk; the average time to detect a breach in such environments is >90 days, giving attackers ample time to entrench.

Expert Opinion

From a strategic standpoint, CVE-2026-0300 underscores a growing trend: attackers are shifting focus from traditional endpoint exploits to network-infrastructure devices that sit at the apex of an organization’s security stack. Firewalls are no longer just packet filters; they are full-blown operating systems with rich management APIs, making them attractive high-value targets.

The rapid disclosure by Palo Alto Networks, while commendable for giving defenders a window to apply mitigations, also highlights the need for a more proactive “defense-in-depth” posture. Organizations should treat any service exposed to the internet, even an internal authentication portal, as a potential attack surface and enforce zero-trust networking principles.

Looking ahead, we can expect threat actors to weaponise similar buffer-overflow bugs in other next-generation firewalls (NGFWs) and SD-WAN appliances. The industry must accelerate secure-by-design development, improve bug-bounty coverage for network devices, and push for faster patch cycles. In the meantime, immediate network-level hardening and vigilant monitoring are the only practical defenses against this zero-day.