CVE-2026-0300
published 2026-05-06


Priority: P1 (100)
Severity: critical (CVSS 3.1 base score 9.8)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability (remediation due 2026-05-09)
Exploited in the wild
EPSS: 36.16% (98.3rd percentile)
A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets. The risk of this issue is greatly reduced if you secure access to the User-ID™ Authentication Portal per the best practice guidelines https://knowledgebase.paloaltonetworks.com/KCSArticleDetail by restricting access to only trusted internal IP addresses. Prisma Access, Cloud NGFW and Panorama appliances are not impacted by this vulnerability.

Affected

58 ranges · showing 25

Vendor             | Product       | Version range          | Fixed in
palo_alto_networks | pan-os        | >= 10.2.0 < 10.2.18-h6 | 10.2.18-h6
palo_alto_networks | pan-os        | >= 11.1.0 < 11.1.15    | 11.1.15
palo_alto_networks | pan-os        | >= 11.2.0 < 11.2.12    | 11.2.12
palo_alto_networks | pan-os        | >= 12.1.0 < 12.1.7     | 12.1.7
paloalto           | pan-os        | (range not shown)      |
paloalto           | panorama      | (range not shown)      |
paloalto           | prisma_access | (range not shown)      |
paloaltonetworks   | pan-os        | (range not shown; 18 further entries listed without version data) |

Detection & IOCs (extracted from sources)

port: 6081
port: 6082
process: nginx worker process
other: Threat ID 510019
version: Applications and Threats content version 9097-10022
  • Check Device > User Identification > Authentication Portal Settings -> Enable Authentication Portal to determine if the vulnerable service is active on a firewall.
  • Hunt for evidence of post-exploitation log tampering: threat actors cleared crash kernel messages, deleted nginx crash entries and nginx crash records, and removed crash core dump files.
  • Enable Threat ID 510019 in Advanced Threat Prevention (ATP) using Applications and Threats content version 9097-10022 to block exploitation attempts.
  • Disable Response Pages in the Interface Management Profile for any L3 interface where untrusted or internet traffic can ingress as an additional mitigation.
  • Monitor for shellcode injection into nginx worker processes on PAN-OS devices as a key post-exploitation indicator.
  • Attackers used open-source tools EarthWorm and ReverseSocks5 (previously associated with China-nexus groups) for post-exploitation; hunt for these binaries on PAN-OS devices.
  • Vulnerability only affects PA-Series and VM-Series firewalls with the User-ID Authentication Portal (Captive Portal) enabled; Prisma Access, Cloud NGFW, and Panorama are NOT impacted.
  • CVSS score drops from 9.3 to 8.7 when the Authentication Portal is restricted to trusted internal IP addresses only; exposure to the internet or untrusted networks is the primary risk amplifier.
  • Exploitation risk is significantly higher when the Authentication Portal is exposed on ports 6081/6082 to the internet; Shodan identified 67 exposed instances on port 6081 at time of reporting.
  • Attackers used intermittent interactive sessions over a multi-week period and open-source tooling to stay below behavioral alerting thresholds; standard signature-based detection may be insufficient.
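The conditions above (affected platform, affected version range, portal enabled, portal reachable from untrusted networks) can be turned into a fleet triage check. The following is an added example, not code from this page or from Palo Alto Networks: it encodes only the four version ranges with version data shown in the Affected table, parses PAN-OS version strings of the form major.minor.patch with an optional -hN hotfix suffix (the assumption that a hotfixed build sorts after the same base build without a hotfix is ours), and rates each device from a constructed inventory. Device names, the `Device` fields and the `portal_sources` values are invented for the example.

```python
import re
from dataclasses import dataclass

# Affected ranges as listed on this page (lower bound inclusive, upper bound
# exclusive, version that carries the fix). Only the ranges with explicit
# version data are encoded; the page notes 58 ranges in total.
AFFECTED_RANGES = [
    ("10.2.0", "10.2.18-h6", "10.2.18-h6"),
    ("11.1.0", "11.1.15", "11.1.15"),
    ("11.2.0", "11.2.12", "11.2.12"),
    ("12.1.0", "12.1.7", "12.1.7"),
]

# PAN-OS style version: 10.2.18 or 10.2.18-h6 (hotfix suffix optional)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Parse 'major.minor.patch[-hN]' into a comparable tuple.

    Assumption (ours): a hotfix build -hN sorts after the same base version
    without a hotfix, so 10.2.18 < 10.2.18-h6.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def vulnerable_version(version):
    """Return the 'fixed in' version if `version` is inside a listed affected
    range, otherwise None (meaning: outside the ranges shown on this page)."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v < parse_version(high):
            return fixed
    return None


@dataclass
class Device:
    name: str
    model: str             # "PA-Series", "VM-Series", "Panorama", ... (constructed)
    version: str           # PAN-OS version string
    portal_enabled: bool   # Device > User Identification > Authentication Portal Settings
    portal_sources: str    # "trusted-internal" or "untrusted" (constructed labels)


def triage(device):
    """Rate one device using the conditions stated in the advisory text.

    Returns (status, reason). Statuses: not-affected, patch, patch-soon, urgent.
    """
    if device.model not in ("PA-Series", "VM-Series"):
        return ("not-affected", "platform is not a PA-Series or VM-Series firewall")
    fixed = vulnerable_version(device.version)
    if fixed is None:
        return ("not-affected", "version is outside the affected ranges listed here")
    if not device.portal_enabled:
        return ("patch", f"vulnerable build but Authentication Portal is disabled; upgrade to {fixed}")
    if device.portal_sources == "trusted-internal":
        return ("patch-soon", f"portal limited to trusted internal IPs (risk reduced); upgrade to {fixed}")
    return ("urgent", f"portal reachable from untrusted networks; restrict access and upgrade to {fixed}")


def triage_fleet(devices):
    """Map device name -> status for a whole inventory."""
    return {d.name: triage(d)[0] for d in devices}


# Constructed sample inventory (not real hosts).
SAMPLE_FLEET = [
    Device("fw-edge-01", "PA-Series", "11.1.14", True, "untrusted"),
    Device("fw-core-02", "VM-Series", "10.2.18", True, "trusted-internal"),
    Device("fw-lab-03", "PA-Series", "10.2.18-h6", True, "untrusted"),
    Device("fw-dc-04", "PA-Series", "12.1.3", False, "untrusted"),
    Device("pano-01", "Panorama", "11.1.10", True, "untrusted"),
]

if __name__ == "__main__":
    for dev in SAMPLE_FLEET:
        status, reason = triage(dev)
        print(f"{dev.name:12} {dev.version:12} {status:13} {reason}")
```

Running the block prints one line per device; fw-edge-01 is rated urgent (vulnerable build, portal open to untrusted traffic), fw-core-02 is patch-soon because 10.2.18 without the h6 hotfix is still inside the 10.2 range, and fw-lab-03 on 10.2.18-h6 is outside it.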

CVSS provenance

NVD (v3.1):  9.8 CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD (v4.0):  9.3 CRITICAL  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:M/U:Red
VulnCheck:   9.3 CRITICAL
CISA:        9.3 CRITICAL