Threat Insight
Active Exploitation of PAN‑OS Authentication Portal RCE
Palo Alto Networks has disclosed active exploitation targeting a critical remote code execution (RCE) vulnerability in PAN‑OS, tracked as CVE‑2026‑0300 [1]. The flaw affects the User‑ID Authentication Portal service and allows an unauthenticated attacker to execute arbitrary code with root privileges by sending specially crafted packets [2].
CVE‑2026‑0300 is a buffer overflow vulnerability in the PAN‑OS User‑ID Authentication Portal service. Successful exploitation enables unauthenticated remote code execution with root-level privileges on affected devices. According to Palo Alto Networks Unit 42, exploitation involves injecting shellcode into an nginx worker process running on the PAN‑OS appliance [2].
You are only affected if both of the following are configured [3]:
- User-ID Authentication Portal is enabled on the User-ID Authentication Portal Settings page. You can verify this under Device > User Identification > Authentication Portal Settings > Enable Authentication Portal (applies to both transparent and redirect modes), and
- An interface management profile with Response Pages enabled is associated with an external/internet-accessible interface. You can verify this under Network > Interface > select the interface > Advanced tab > Management Interface Profile.
CVE
CVE-2026-0300
Affected Products
PAN-OS 12.1 – < 12.1.4-h5, < 12.1.7
PAN-OS 11.2 – < 11.2.4-h17, < 11.2.7-h13, < 11.2.10-h6, < 11.2.12
PAN-OS 11.1 – < 11.1.4-h33, < 11.1.6-h32, < 11.1.7-h6, < 11.1.10-h25, < 11.1.13-h5, < 11.1.15
PAN-OS 10.2 – < 10.2.7-h34, < 10.2.10-h36, < 10.2.13-h21, < 10.2.16-h7, < 10.2.18-h6
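The version list above is easier to apply to an inventory with a small checker. The following is an added example, not part of the Truesec advisory or Palo Alto Networks tooling; it encodes the fixed versions listed above and assumes the vendor's usual semantics, namely that a hotfix (e.g. 12.1.4-h5) only covers its own maintenance release while a base release (e.g. 12.1.7) covers everything after it in that line. Release lines the advisory does not mention are reported as "not listed", and a "fixed" result says nothing about the Authentication Portal configuration conditions, which still decide exposure.

```python
import re

# Fixed versions exactly as listed in the advisory, keyed by release line.
# Assumption: a hotfix entry covers only its own maintenance release, a base
# release entry covers that release and every later one in the same line.
FIXED = {
    "12.1": ["12.1.4-h5", "12.1.7"],
    "11.2": ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25",
             "11.1.13-h5", "11.1.15"],
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7",
             "10.2.18-h6"],
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse(version):
    """Return (major, minor, patch, hotfix); a missing -hN suffix counts as 0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def status(version):
    """Classify a PAN-OS version string as 'fixed', 'affected' or 'not listed'."""
    major, minor, patch, hotfix = parse(version)
    line = f"{major}.{minor}"
    if line not in FIXED:
        return "not listed"  # release line absent from the advisory
    for fixed in FIXED[line]:
        _, _, fpatch, fhotfix = parse(fixed)
        if fhotfix == 0 and patch >= fpatch:
            return "fixed"  # base release fix carried by all later releases
        if fhotfix and patch == fpatch and hotfix >= fhotfix:
            return "fixed"  # hotfix applied on the matching maintenance release
    return "affected"


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    for v in ["12.1.4-h4", "12.1.4-h5", "12.1.5", "11.2.8", "10.2.18-h6", "10.1.9"]:
        print(f"{v:12} {status(v)}")
```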
Exploitation
Palo Alto Networks observed unsuccessful exploitation attempts starting April 9, 2026. Approximately one week later, threat actors were able to successfully achieve remote code execution and inject shellcode into a vulnerable device. The activity has been attributed to a suspected state‑sponsored threat cluster designated CL‑STA‑1132 [2].
Recommended Actions
Palo Alto Networks is currently working on publishing updates that resolve this vulnerability; estimated times of arrival can be found in the vendor advisory [3].
In the meantime, Truesec recommends that you follow the vendor's advice for mitigation [3]:
- Restrict User-ID Authentication Portal access to trusted zones only and, in addition, disable Response Pages in the Interface Management Profile attached to every L3 interface in any zone where untrusted/internet traffic can ingress. Keep Response Pages enabled only on interfaces in trust/internal zones where legitimate users’ browsers ingress.
- Disable User-ID Authentication Portal if not required.
References
[1] https://unit42.paloaltonetworks.com/captive-portal-zero-day/
[2] https://thehackernews.com/2026/05/pan-os-rce-exploit-under-active-use.html
[3] https://security.paloaltonetworks.com/CVE-2026-0300