Critical PAN-OS Zero-Day Vulnerability CVE-2026-0300: Unauthenticated RCE in Captive Portal

Overview of CVE-2026-0300

Unit 42 researchers have disclosed a critical zero-day vulnerability, tracked as CVE-2026-0300, in the PAN-OS User-ID Authentication Portal (also known as the Captive Portal). The flaw lets an unauthenticated attacker execute arbitrary code remotely, a severe risk for organizations running Palo Alto Networks firewalls with the portal enabled. It stems from a buffer overflow in the portal's handling of incoming requests: a crafted request can write past a fixed-size buffer, corrupt adjacent memory, and ultimately run attacker-supplied code.

Source: unit42.paloaltonetworks.com

Technical Details

Buffer Overflow Mechanism

A buffer overflow occurs when a program writes more data into a fixed-length memory buffer than the buffer can hold. In the PAN-OS Captive Portal, a specially crafted request to the authentication service can overflow an internal buffer, corrupting the memory that follows it, which may hold function pointers or other control data. By controlling what is written there, an attacker can redirect execution to code of their choosing.

Attack Vector

The vulnerability is exploitable over the network with no prior authentication and no user interaction. An attacker sends crafted requests directly to the Captive Portal service, which listens on its configured portal port (e.g., TCP 6082); exposure is limited to the interfaces on which the portal is enabled, so an internet-facing portal is the worst case. A successful exploit yields code execution with the privileges of the PAN-OS system process, which in practice means full compromise of the firewall.
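To make the mechanism from the two sections above concrete, the following is an added example and not Unit 42's code or the PAN-OS portal's actual parser: the request layout, the 64-byte field, the 4-byte control word and every function name are assumptions chosen for illustration. It shows a form-encoded "user" parameter copied into a fixed-length field with no bound (the vulnerable pattern, where an over-long value overwrites the control word stored after the field) next to a hardened version that measures first and rejects anything that would not fit.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical request slot (not the PAN-OS portal's real layout): a
 * fixed-length "user" field followed by a 4-byte control word.  One byte
 * array models both, so the demonstration stays well-defined C. */
#define FIELD_LEN 64
#define SLOT_LEN  (FIELD_LEN + 4)

static uint32_t ctrl_get(const unsigned char *slot)
{
    uint32_t v;
    memcpy(&v, slot + FIELD_LEN, sizeof v);
    return v;
}

/* Pointer to the value of "name=" in a form-encoded query, or NULL. */
static const char *find_param(const char *query, const char *name)
{
    size_t n = strlen(name);
    const char *p = query;
    while ((p = strstr(p, name)) != NULL) {
        if ((p == query || p[-1] == '&') && p[n] == '=')
            return p + n + 1;
        p += n;
    }
    return NULL;
}

/* VULNERABLE pattern: copies up to '&' or NUL with no bound, so a value
 * longer than FIELD_LEN-1 bytes overwrites the control word after it. */
static int parse_user_vulnerable(unsigned char *slot, const char *query)
{
    const char *v = find_param(query, "user");
    size_t i = 0;
    if (v == NULL)
        return -1;
    for (; v[i] != '\0' && v[i] != '&'; i++)
        slot[i] = (unsigned char)v[i];      /* no check against FIELD_LEN */
    slot[i] = '\0';
    return 0;
}

/* HARDENED form: measure first, reject (do not truncate) anything that
 * would not fit, then copy a bounded number of bytes. */
static int parse_user_safe(unsigned char *slot, const char *query)
{
    const char *v = find_param(query, "user");
    size_t len;
    if (v == NULL)
        return -1;
    len = strcspn(v, "&");
    if (len >= FIELD_LEN)                   /* keep room for the terminator */
        return -2;
    memcpy(slot, v, len);
    slot[len] = '\0';
    return 0;
}

/* Constructed request (not captured traffic): a 66-byte username, longer
 * than the field but still inside the slot, so the overflow lands on the
 * control word and nowhere else. */
#define SAMPLE_USER_LEN 66
const char *long_request(void)
{
    static char buf[128];
    strcpy(buf, "user=");
    memset(buf + 5, 'A', SAMPLE_USER_LEN);
    strcpy(buf + 5 + SAMPLE_USER_LEN, "&password=x");
    return buf;
}

/* Control word after the vulnerable parser; it starts at 0, so any
 * non-zero result means the copy ran past the field. */
uint32_t ctrl_after_vulnerable(const char *query)
{
    unsigned char slot[SLOT_LEN] = {0};
    parse_user_vulnerable(slot, query);
    return ctrl_get(slot);
}

/* Same with the hardened parser: the control word must stay 0. */
uint32_t ctrl_after_safe(const char *query)
{
    unsigned char slot[SLOT_LEN] = {0};
    parse_user_safe(slot, query);
    return ctrl_get(slot);
}

/* Status of the hardened parser: 0 ok, -1 parameter missing, -2 too long. */
int safe_parse_status(const char *query)
{
    unsigned char slot[SLOT_LEN] = {0};
    return parse_user_safe(slot, query);
}
```

The sample keeps the overrun inside the slot on purpose; in a real process the bytes past the field would land on whatever the allocator or compiler placed there, which is exactly why the outcome of such a bug is unpredictable and why the fix is to reject over-long input rather than to truncate it silently.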

Affected Versions

Palo Alto Networks has confirmed that the following PAN-OS versions are impacted by CVE-2026-0300:

  • PAN-OS 10.2.x prior to 10.2.9
  • PAN-OS 11.0.x prior to 11.0.6
  • PAN-OS 11.1.x prior to 11.1.3

Organizations running these versions should treat the vulnerability as critical and patch immediately. The issue does not affect PAN-OS 9.1 or earlier branches.

Impact Assessment

The CVSS score for CVE-2026-0300 is 9.8 (Critical), reflecting network reachability, no required privileges or user interaction, and full loss of confidentiality, integrity and availability on the device. An attacker who gains remote code execution on a firewall can:

  • Modify firewall rules to allow malicious traffic
  • Intercept and decrypt VPN connections
  • Deploy persistent backdoors or ransomware
  • Exfiltrate sensitive network configurations

Given the prevalence of Palo Alto firewalls in enterprise and government networks, this vulnerability represents a significant threat to critical infrastructure and data security.

Mitigation and Remediation

Patch Deployment

Palo Alto Networks has released hotfixes for the affected versions. The following are the fixed versions:

  • PAN-OS 10.2.9
  • PAN-OS 11.0.6
  • PAN-OS 11.1.3

Organizations should prioritize patching as soon as possible, especially where the Captive Portal is enabled. The fixed releases are distributed through the Palo Alto Networks support portal.


Workarounds

If immediate patching is not feasible, administrators can reduce risk by:

  • Disabling the Captive Portal service if it is not required for operations
  • Restricting network access to the Captive Portal port using access control lists (ACLs), so that only the user subnets that need to authenticate can reach it
  • Enabling the Threat Prevention signatures that detect exploitation attempts

Note that disabling the Captive Portal may impact user authentication workflows; test changes in a controlled environment first.

Detection Indicators

Unit 42 has released indicators of compromise (IOCs) for CVE-2026-0300. Monitor firewall logs for unusual volumes of connections to the Captive Portal port (TCP 6082), particularly many connections from a single source, and for unexpected crashes or restarts of the portal service. Also check the firewall for unknown processes and for unauthorized outbound connections from the management interface. The published IOCs include the request patterns associated with exploitation attempts.
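The per-source connection count described above, as an added example that is not part of Unit 42's guidance: it runs over constructed log lines in a simplified key=value form (not the PAN-OS traffic-log layout), tallies connections to TCP 6082 by source address, and flags any source above a burst threshold. The port, threshold and field names are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PORTAL_PORT     6082
#define BURST_THRESHOLD 5      /* hits from one source within the sample */
#define MAX_SOURCES     64

/* Constructed sample log (not real traffic, not the PAN-OS log format):
 * 198.51.100.7 hammers the portal port, 10.0.0.5 makes two ordinary
 * logins, and one line is unrelated HTTPS traffic. */
static const char *const SAMPLE_LOG[] = {
    "ts=2026-01-05T10:00:01 src=198.51.100.7 dst=192.0.2.1 dport=6082 action=allow",
    "ts=2026-01-05T10:00:01 src=198.51.100.7 dst=192.0.2.1 dport=6082 action=allow",
    "ts=2026-01-05T10:00:02 src=198.51.100.7 dst=192.0.2.1 dport=6082 action=allow",
    "ts=2026-01-05T10:00:02 src=10.0.0.5 dst=192.0.2.1 dport=6082 action=allow",
    "ts=2026-01-05T10:00:02 src=198.51.100.7 dst=192.0.2.1 dport=6082 action=allow",
    "ts=2026-01-05T10:00:03 src=198.51.100.7 dst=192.0.2.1 dport=6082 action=allow",
    "ts=2026-01-05T10:00:03 src=198.51.100.7 dst=203.0.113.20 dport=443 action=allow",
    "ts=2026-01-05T10:00:04 src=10.0.0.5 dst=192.0.2.1 dport=6082 action=allow",
    "ts=2026-01-05T10:00:04 src=198.51.100.7 dst=192.0.2.1 dport=6082 action=allow",
    "ts=2026-01-05T10:00:05 src=198.51.100.7 dst=192.0.2.1 dport=6082 action=allow",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

struct src_hits { char ip[16]; int hits; };

/* Copy the value of a space-delimited "key=value" pair into out; 0 on success. */
static int get_field(const char *line, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    const char *p = line;
    while ((p = strstr(p, key)) != NULL) {
        if ((p == line || p[-1] == ' ') && p[klen] == '=') {
            const char *v = p + klen + 1;
            size_t len = strcspn(v, " ");
            if (len >= outsz)
                return -1;
            memcpy(out, v, len);
            out[len] = '\0';
            return 0;
        }
        p += klen;
    }
    return -1;
}

/* Tally connections to the portal port per source; returns distinct sources. */
static int tally_portal_hits(const char *const *lines, size_t n,
                             struct src_hits *tab, int cap)
{
    int used = 0;
    for (size_t i = 0; i < n; i++) {
        char src[16], port[8];
        int j;
        if (get_field(lines[i], "dport", port, sizeof port) != 0 ||
            atoi(port) != PORTAL_PORT ||
            get_field(lines[i], "src", src, sizeof src) != 0)
            continue;
        for (j = 0; j < used && strcmp(tab[j].ip, src) != 0; j++)
            ;
        if (j == used) {
            if (used == cap)
                continue;               /* table full: drop rather than overflow */
            strcpy(tab[used].ip, src);
            tab[used].hits = 0;
            used++;
        }
        tab[j].hits++;
    }
    return used;
}

/* Portal-port hits from one source address in the sample log. */
int portal_hits_from(const char *ip)
{
    struct src_hits tab[MAX_SOURCES];
    int n = tally_portal_hits(SAMPLE_LOG, SAMPLE_LOG_LEN, tab, MAX_SOURCES);
    for (int j = 0; j < n; j++)
        if (strcmp(tab[j].ip, ip) == 0)
            return tab[j].hits;
    return 0;
}

/* Number of sources above BURST_THRESHOLD; prints an alert line for each. */
int burst_sources(void)
{
    struct src_hits tab[MAX_SOURCES];
    int n = tally_portal_hits(SAMPLE_LOG, SAMPLE_LOG_LEN, tab, MAX_SOURCES);
    int flagged = 0;
    for (int j = 0; j < n; j++) {
        if (tab[j].hits > BURST_THRESHOLD) {
            printf("ALERT %s: %d connections to tcp/%d\n", tab[j].ip, tab[j].hits, PORTAL_PORT);
            flagged++;
        }
    }
    return flagged;
}
```

In production the lines would come from the firewall's exported traffic logs over syslog, the threshold would be set from a baseline of normal portal logins per source, and a hit against the threshold is a trigger for inspecting the device (processes, outbound connections, portal restarts), not proof of compromise on its own.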


Conclusion

CVE-2026-0300 is a critical zero-day vulnerability that demands immediate attention from all organizations using PAN-OS with Captive Portal enabled. The combination of unauthenticated remote code execution and widespread deployment makes it a prime target for threat actors. By applying patches, implementing workarounds, and monitoring for indicators, security teams can protect their networks until full remediation is complete. Unit 42 continues to analyze exploitation in the wild and will update guidance as new information emerges.
