Palo Alto Networks Discloses PAN-OS Captive Portal Zero-Day Exploited by State-Sponsored Group
Palo Alto Networks disclosed CVE-2026-0300, a critical buffer overflow in the PAN-OS Captive Portal allowing unauthenticated remote code execution, with limited exploitation by a likely state-sponsored threat cluster tracked as CL-STA-1132.

On May 6, 2026, Palo Alto Networks issued an urgent security advisory for CVE-2026-0300, a buffer overflow vulnerability in the User-ID Authentication Portal (Captive Portal) of PAN-OS. The flaw allows an unauthenticated attacker to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending specially crafted network packets. Unit 42, Palo Alto Networks' threat intelligence arm, is tracking limited exploitation by a cluster of likely state-sponsored threat activity designated CL-STA-1132.
The vulnerability resides in the Captive Portal service, which handles user authentication and redirection. A specially crafted packet triggers a buffer overflow, enabling the attacker to inject and execute shellcode. Critically, the exploit does not require authentication, and successful compromise grants root-level access to the firewall. While Prisma Access, Cloud NGFW, and Panorama appliances are unaffected, the risk is significantly elevated when the User-ID Authentication Portal is exposed to the public internet or untrusted networks.
Unit 42 reports that exploitation attempts began on April 9, 2026, with initial failures. A week later, attackers successfully achieved RCE on a PAN-OS device and injected shellcode into an nginx worker process. Immediately after compromise, the attackers conducted extensive log cleanup, clearing crash kernel messages, deleting nginx crash entries and records, and removing core dump files to evade detection. Four days later, they deployed several tools with root privileges.
Post-exploitation activity included deployment of publicly available tunneling tools: EarthWorm and ReverseSocks5. EarthWorm is an open-source network tunneling tool that establishes SOCKS5 proxy tunnels for covert communication, while ReverseSocks5 creates outbound connections from the target to an attacker-controlled server, bypassing firewalls and NAT. The attackers also enumerated Active Directory using credentials likely obtained from the firewall, targeting domain root and DomainDnsZones. They deleted ptrace injection evidence from audit logs and removed a SetUserID privilege escalation binary.
On April 29, 2026, the attackers conducted a Security Assertion Markup Language (SAML) flood against the initially compromised device, promoting a second device to Active and inheriting the same internet-facing traffic. RCE was then achieved on the second device, where EarthWorm and ReverseSocks5 were downloaded. EarthWorm has been previously associated with threat actors including Volt Typhoon, APT41, and others.
Palo Alto Networks has released patches and mitigations for CVE-2026-0300. Customers are advised to restrict User-ID Authentication Portal access to trusted internal IP addresses and disable Response Pages on interfaces exposed to untrusted networks. If the portal is not required, it should be disabled entirely. Customers with Advanced Threat Prevention subscriptions can block attacks for this vulnerability by enabling the relevant threat prevention signatures. Cortex Xpanse can identify exposed instances potentially vulnerable to CVE-2026-0300.
The disclosure of CVE-2026-0300 underscores the persistent risk posed by zero-day vulnerabilities in widely deployed network security appliances. The involvement of a state-sponsored threat actor highlights the strategic value of such devices as initial access points into enterprise networks. Organizations running PAN-OS should prioritize patching and review their exposure of the Captive Portal to the internet, as the window between disclosure and active exploitation continues to narrow.