CVE-2026-0300
Published 2026-05-06
CVE-2026-0300: A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an…
Priority: P1 (100) · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability, due 2026-05-09
Exploited in the wild
EPSS: 36.16% (98.3rd percentile)
A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.
The risk of this issue is greatly reduced if you secure access to the User-ID™ Authentication Portal per the best practice guidelines https://knowledgebase.paloaltonetworks.com/KCSArticleDetail by restricting access to only trusted internal IP addresses.
Prisma Access, Cloud NGFW and Panorama appliances are not impacted by this vulnerability.
Affected
58 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| palo_alto_networks | pan-os | >= 10.2.0 < 10.2.18-h6 | 10.2.18-h6 |
| palo_alto_networks | pan-os | >= 11.1.0 < 11.1.15 | 11.1.15 |
| palo_alto_networks | pan-os | >= 11.2.0 < 11.2.12 | 11.2.12 |
| palo_alto_networks | pan-os | >= 12.1.0 < 12.1.7 | 12.1.7 |
| paloalto | pan-os | — | — |
| paloalto | panorama | — | — |
| paloalto | prisma_access | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
Detection & IOCs (extracted from sources)
- Check Device > User Identification > Authentication Portal Settings -> Enable Authentication Portal to determine if the vulnerable service is active on a firewall.
- Hunt for evidence of post-exploitation log tampering: threat actors cleared crash kernel messages, deleted nginx crash entries and nginx crash records, and removed crash core dump files.
- Enable Threat ID 510019 in Advanced Threat Prevention (ATP) using Applications and Threats content version 9097-10022 to block exploitation attempts.
- Disable Response Pages in the Interface Management Profile for any L3 interface where untrusted or internet traffic can ingress as an additional mitigation.
- Monitor for shellcode injection into nginx worker processes on PAN-OS devices as a key post-exploitation indicator.
- Attackers used open-source tools EarthWorm and ReverseSocks5 (previously associated with China-nexus groups) for post-exploitation; hunt for these binaries on PAN-OS devices.
- Vulnerability only affects PA-Series and VM-Series firewalls with the User-ID Authentication Portal (Captive Portal) enabled; Prisma Access, Cloud NGFW, and Panorama are NOT impacted.
- CVSS score drops from 9.3 to 8.7 when the Authentication Portal is restricted to trusted internal IP addresses only; exposure to the internet or untrusted networks is the primary risk amplifier.
- Exploitation risk is significantly higher when the Authentication Portal is exposed on ports 6081/6082 to the internet; Shodan identified 67 exposed instances on port 6081 at time of reporting.
- Attackers used intermittent interactive sessions over a multi-week period and open-source tooling to stay below behavioral alerting thresholds; standard signature-based detection may be insufficient.
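The two defender-side checks the page gives, fixed-in versions from the Affected table and the Authentication Portal / Response Pages configuration items above, as one triage script. This is an added example, not code from Palo Alto Networks or from this page. The PAN-OS version grammar (`major.minor.maint[-hN]`), the config XML element names (`enable-captive-portal`, `interface-management-profile`, `response-pages`, `layer3`) and the sample export are assumptions or constructed data and must be checked against a real `show config running` export. A version outside the four listed ranges returns False only because it is not in the excerpt shown (the page lists 58 ranges but shows 25), so read that as "not in the listed ranges", not "safe".

```python
"""Triage helper for CVE-2026-0300 (added example, not vendor code)."""
import re
import xml.etree.ElementTree as ET

# (first affected, fixed-in) pairs copied from the Affected table on the page.
AFFECTED_RANGES = [
    ("10.2.0", "10.2.18-h6"),
    ("11.1.0", "11.1.15"),
    ("11.2.0", "11.2.12"),
    ("12.1.0", "12.1.7"),
]


def parse_panos_version(version):
    """Turn '10.2.18-h6' into a comparable tuple (10, 2, 18, 6).

    A base release carries hotfix 0, so 10.2.18 sorts before 10.2.18-h6,
    which is what the '< 10.2.18-h6' bound in the table needs.
    Version grammar is an assumption about PAN-OS naming.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def in_listed_affected_range(version):
    """True if version lies in any [first affected, fixed-in) range listed."""
    ver = parse_panos_version(version)
    return any(parse_panos_version(lo) <= ver < parse_panos_version(fixed)
               for lo, fixed in AFFECTED_RANGES)


# Constructed sample export; element layout is assumed, not taken from the page.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <vsys><entry name="vsys1">
      <captive-portal><enable-captive-portal>yes</enable-captive-portal></captive-portal>
    </entry></vsys>
    <network>
      <profiles><interface-management-profile>
        <entry name="untrust-mgmt"><response-pages>yes</response-pages><ping>yes</ping></entry>
        <entry name="trust-mgmt"><response-pages>no</response-pages></entry>
      </interface-management-profile></profiles>
      <interface><ethernet>
        <entry name="ethernet1/1"><layer3>
          <interface-management-profile>untrust-mgmt</interface-management-profile>
        </layer3></entry>
        <entry name="ethernet1/2"><layer3>
          <interface-management-profile>trust-mgmt</interface-management-profile>
        </layer3></entry>
      </ethernet></interface>
    </network>
  </entry></devices>
</config>"""


def _is_yes(elem):
    return elem is not None and (elem.text or "").strip() == "yes"


def audit_config(xml_text):
    """Report whether the Authentication Portal is enabled and which L3
    interfaces use a management profile that still serves Response Pages."""
    root = ET.fromstring(xml_text)
    portal_enabled = any(_is_yes(e) for e in root.iter("enable-captive-portal"))

    # Names of management profiles with Response Pages switched on.
    response_page_profiles = set()
    for profile_set in root.iter("interface-management-profile"):
        for entry in profile_set.findall("entry"):
            if _is_yes(entry.find("response-pages")):
                response_page_profiles.add(entry.get("name"))

    # L3 interfaces that reference one of those profiles.
    exposed = []
    for entry in root.iter("entry"):
        l3 = entry.find("layer3")
        if l3 is None:
            continue
        ref = l3.find("interface-management-profile")
        if ref is not None and (ref.text or "").strip() in response_page_profiles:
            exposed.append((entry.get("name"), ref.text.strip()))

    return {"auth_portal_enabled": portal_enabled,
            "response_pages_interfaces": exposed}


def triage(version, xml_text):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    if in_listed_affected_range(version):
        findings.append(f"PAN-OS {version} is inside a listed affected range")
    report = audit_config(xml_text)
    if report["auth_portal_enabled"]:
        findings.append("User-ID Authentication Portal (Captive Portal) is enabled")
    for iface, prof in report["response_pages_interfaces"]:
        findings.append(f"{iface} uses profile {prof} with Response Pages on")
    return findings


if __name__ == "__main__":
    for line in triage("10.2.18", SAMPLE_CONFIG):
        print(line)
```

Feed the script a real export and your running version; an empty result from `triage` means only that none of the listed conditions matched, and the CVSS note above (9.3 vs 8.7) still applies to whether the portal is reachable from untrusted networks.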
CVSS provenance
- nvd v3.1: 9.8 CRITICAL — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- nvd v4.0: 9.3 CRITICAL — CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:M/U:Red
- vulncheck: 9.3 CRITICAL
- cisa: 9.3 CRITICAL
CISA
Palo Alto Networks PAN-OS Out-of-bounds Write Vulnerability
cisa·2026-05-06·CVSS 9.3
CVE-2026-0300 [CRITICAL] CWE-787 Palo Alto Networks PAN-OS Out-of-bounds Write Vulnerability
Vulnerability: Palo Alto Networks PAN-OS Out-of-bounds Write Vulnerability
Affected: Palo Alto Networks PAN-OS
Palo Alto Networks PAN-OS contains an out-of-bounds write vulnerability in the User-ID Authentication Portal (aka Captive Portal) service that can allow an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Until the vendor releases an official fix, the following workaround should be implemented: - Restrict User-ID Authentication Portal access to only trusted zones. - Disable User-ID Authentication Po
Palo Alto
CVE-2026-0300 PAN-OS: Unauthenticated user initiated Buffer Overflow Vulnerability in User-ID™ Authentication Portal
vendor_paloalto·2026-05-05·CVSS 4.0
CVE-2026-0300 CWE-787 CVE-2026-0300 PAN-OS: Unauthenticated user initiated Buffer Overflow Vulnerability in User-ID™ Authentication Portal
CVE-2026-0300 PAN-OS: Unauthenticated user initiated Buffer Overflow Vulnerability in User-ID™ Authentication Portal
A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets. The risk of this issue is greatly reduced if you secure access to the User-ID™ Authentication Portal per the best practice guidelines by restricting access to only trusted internal IP addresses. Prisma Access, Cloud NGFW and Panorama appliances are not impacted by this vulnerability.
CVEs: CVE-2026-0300
Affected products: PAN-OS, Panorama, Prisma Access
VulDB
Palo Alto Cloud NGFW/PAN-OS/Prisma Access out-of-bounds write (EUVD-2026-27879)
vuldb·2026-05-06·CVSS 9.3
CVE-2026-0300 [CRITICAL] Palo Alto Cloud NGFW/PAN-OS/Prisma Access out-of-bounds write (EUVD-2026-27879)
A vulnerability, which was classified as critical, was found in Palo Alto Cloud NGFW, PAN-OS and Prisma Access. This issue affects some unknown processing. Such manipulation leads to out-of-bounds write.
This vulnerability is documented as CVE-2026-0300. The attack can be executed remotely. Additionally, an exploit exists.
GHSA
GHSA-3vfh-3cpw-2378: A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an una
ghsa_unreviewed·2026-05-06
CVE-2026-0300 [CRITICAL] CWE-787 GHSA-3vfh-3cpw-2378: A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an una
A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.
The risk of this issue is greatly reduced if you secure access to the User-ID™ Authentication Portal per the best practice guidelines https://knowledgebase.paloaltonetworks.com/KCSArticleDetail by restricting access to only trusted internal IP addresses.
Prisma Access, Cloud NGFW and Panorama appliances are not impacted by this vulnerability.
VulnCheck
Palo Alto Networks PAN-OS Out-of-bounds Write Vulnerability
vulncheck·2026·CVSS 9.3
CVE-2026-0300 [CRITICAL] CWE-787 Palo Alto Networks PAN-OS Out-of-bounds Write Vulnerability
Palo Alto Networks PAN-OS Out-of-bounds Write Vulnerability
Palo Alto Networks PAN-OS contains an out-of-bounds write vulnerability in the User-ID Authentication Portal (aka Captive Portal) service that can allow an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.
Affected: Palo Alto Networks PAN-OS
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Until the vendor releases an official fix, the following workaround should be implemented: - Restrict User-ID Authentication Portal access to only trusted zones. - Disable User-ID Authentication Portal if not re
No detection rules found.
No public exploits indexed.
Rapid7
Critical Check Point VPN Zero-Day Exploited in the Wild (CVE-2026-50751)
blogs_rapid7·2026-06-08·CVSS 8.6
CVE-2026-50751 [HIGH] Critical Check Point VPN Zero-Day Exploited in the Wild (CVE-2026-50751)
## Overview
On June 8, 2026, Check Point published a security advisory for CVE-2026-50751, a critical authentication bypass vulnerability affecting Check Point Remote Access VPN, Mobile Access, and Spark Firewall products. The vulnerability affects deployments configured to use the deprecated IKEv1 key exchange protocol where gateways accept legacy Remote Access clients and do not require a machine certificate for connections.
CVE-2026-50751, classified as improper authentication (CWE-287), has a CVSS score of 9.3. The vulnerability stems from a logic flow weakness in how Remote Access and Mobile Access components validate certificates during IKEv1 key exchange; successful exploitation allows an unauthenticated attacker to establish a VPN session without providing valid credentials. P
Unit42
Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257
blogs_unit42·2026-06-05·CVSS 7.8
CVE-2026-0257 [HIGH] Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257
## Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257
Andy Piazza
Unit 42
Published: June 5, 2026
Palo Alto Networks Unit 42 has observed active exploitation of PAN-OS vulnerability CVE-2026-0257 by an unidentified threat actor attempting to access GlobalProtect. This security flaw involves an authentication bypass in the portal and gateway components of vulnerable versions of PAN-OS® software, which could allow unauthorized attackers to circumvent security controls and initiate VPN connections. This CVE was added to the Known Exploited Vulnerability (KEV) catalog on May 29.
No post-access behavior or lateral movement has been identified as of this time. Only a small portion of the probed devices actually es
Rapid7
Rapid7 Observed Exploitation of PAN-OS GlobalProtect Authentication Bypass Vulnerability (CVE-2026-0257)
blogs_rapid7·2026-05-29·CVSS 7.8
CVE-2026-0257 [HIGH] Rapid7 Observed Exploitation of PAN-OS GlobalProtect Authentication Bypass Vulnerability (CVE-2026-0257)
## Overview
On May 13, 2026, Palo Alto Networks published a security advisory for CVE-2026-0257, a medium severity authentication bypass affecting PAN-OS and Prisma Access when a specific configuration is present. Successful exploitation of this vulnerability allows a remote unauthenticated attacker to successfully establish a VPN connection through the GlobalProtect gateway of an affected appliance.
Rapid7 MDR identified successful exploitation across numerous customers, however we did not observe any indication of successful lateral movement from the devices. The earliest date for observed exploitation was May 17, 2026. As of May 29, 2026, this vulnerability has been added to the CISA KEV.
While the assigned CVSSv4 score indicates a medium severity, due to the circumstances surroundin
Rapid7
CVE-2026-0265: Authentication Bypass in Palo Alto Networks PAN-OS
blogs_rapid7·2026-05-14·CVSS 7.2
CVE-2026-0265 [HIGH] CVE-2026-0265: Authentication Bypass in Palo Alto Networks PAN-OS
## Overview
On May 13, 2026, Palo Alto Networks published a security advisory for CVE-2026-0265, a signature verification vulnerability that facilitates authentication bypass on PAN-OS, the operating system that most Palo Alto Networks firewalls run. This vulnerability allows a remote unauthenticated attacker with network access to bypass authentication when Cloud Authentication Service (CAS) is enabled and attached to a login interface; the vulnerable configuration is non-default but common. CVE-2026-0265 affects PAN-OS on PA-Series and VM-Series firewalls, as well as Panorama (virtual and M-Series) appliances. Cloud NGFW and Prisma Access are not affected.
Palo Alto Networks assigned CVE-2026-0265 a “High” 7.2 CVSS score. The advisory states that the vulnerability’s severity scoring
Hackernews
ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories
blogs_hackernews·2026-05-14·CVSS 9.3
CVE-2026-0300 [CRITICAL] ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories
## ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories
Everything is still on fire.
This week feels dumb in the worst way — bad links, weak checks, fake help desks, shady forum posts, and people turning supply chain attacks into some cursed little game for clout and cash. Half of it feels new. Half of it feels like crap we should have fixed years ago.
The mess keeps getting louder: users get tricked, boxes get popped, tools meant for normal work get used for bad stuff, and nobody seems shocked anymore. Great. Love that for us.
Anyway. Let’s get into it.
Palo Alto Networks has released the
Checkpoint
11th May – Threat Intelligence Report
blogs_checkpoint·2026-05-11
CVE-2026-4670 11th May – Threat Intelligence Report
## 11th May – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 11th May, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Instructure, the US education technology company behind the Canvas learning platform, has confirmed a major data breach affecting its cloud-hosted environment. Exposed data reportedly includes student and staff records and private messages, while ShinyHunters escalated the attack by defacing hundreds of school login portals with r
Hackernews
⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
blogs_hackernews·2026-05-11·CVSS 9.3
CVE-2026-6973 [CRITICAL] ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
## ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
Rough Monday.
Somebody poisoned a trusted download again, somebody else turned cloud servers into public housing, and a few crews are still getting into boxes with bugs that should’ve died years ago — the same old holes, same lazy access paths, same “how the hell is this still open” feeling. One report this week basically reads like a guy tripped over root access by accident and decided to stay there.
The weird part is how normal this all sounds now. Fake updates. Quiet backdoors. Remote tools are used like skeleton keys. Forum rats swapping st
Hackernews
PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage
blogs_hackernews·2026-05-07·CVSS 9.3
CVE-2026-0300 [CRITICAL] PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage
## PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage
Palo Alto Networks has disclosed that threat actors may have attempted to unsuccessfully exploit a recently disclosed critical security flaw as early as April 9, 2026.
The vulnerability in question is CVE-2026-0300 (CVSS score: 9.3/8.7), a buffer overflow vulnerability in the User-ID Authentication Portal service of Palo Alto Networks PAN-OS software that could allow an unauthenticated attacker to execute arbitrary code with root privileges by sending specially crafted packets.
While fixes are expected to be released starting May 13, 2026, customers are
Unit42
Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution
blogs_unit42·2026-05-07·CVSS 9.3
CVE-2026-0300 [CRITICAL] Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution
## Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution
Justin Moore
Unit 42
Published: May 6, 2026
## Executive Summary
On May 6, 2026, Palo Alto Networks released a security advisory for CVE-2026-0300, identifying a buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software. Vulnerable systems allow an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.
We are aware of only limited exploitation of CVE-2026-0300 at this time
Bleepingcomputer
Palo Alto Networks firewall zero-day exploited for nearly a month
blogs_bleepingcomputer·2026-05-07·CVSS 9.3
CVE-2026-0300 [CRITICAL] Palo Alto Networks firewall zero-day exploited for nearly a month
## Palo Alto Networks firewall zero-day exploited for nearly a month
## Sergiu Gatlan
Palo Alto Networks warned customers that suspected state-sponsored hackers have been exploiting a critical-severity PAN-OS firewall zero-day vulnerability for nearly a month.
Tracked as CVE-2026-0300, this remote code execution security flaw was found in the PAN-OS User-ID Authentication Portal (also known as the Captive Portal) and stems from a buffer overflow vulnerability that allows unauthenticated attackers to execute arbitrary code with root privileges on Internet-exposed PA-Series and VM-Series firewalls.
"We are aware of only limited exploitation of CVE-2026-0300 at this time. Unit 42 is tracking CL-STA-1132, a cluster of likely state-sponsored threat activity exploiting CVE-2026-0300. The at
Wiz
Critical Buffer Overflow Vulnerability in PAN-OS Exploited in-the-Wild
blogs_wiz·2026-05-06·CVSS 9.8
CVE-2026-0300 [CRITICAL] Critical Buffer Overflow Vulnerability in PAN-OS Exploited in-the-Wild
A critical vulnerability (CVE-2026-0300) has been identified in Palo Alto Networks PAN-OS that allows unauthenticated attackers to achieve remote code execution (RCE) with root privileges. The issue affects the User-ID Authentication Portal (Captive Portal) and is actively exploited in limited cases, particularly when exposed to untrusted networks or the public internet.
## What is CVE-2026-0300?
The vulnerability is a buffer overflow in the User-ID Authentication Portal service. By sending specially crafted network packets, an unauthenticated attacker can trigger an out-of-bounds write condition, ultimately leading to arbitrary code execution with root privileges on affected devices. The attack requires no authentication, user interaction, or special conditions beyond network access.
E
Hackernews
Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution
blogs_hackernews·2026-05-06·CVSS 9.3
CVE-2026-0300 [CRITICAL] Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution
## Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution
Palo Alto Networks has released an advisory warning that a critical buffer overflow vulnerability in its PAN-OS software has been exploited in the wild.
The vulnerability, tracked as CVE-2026-0300, has been described as a case of unauthenticated remote code execution. It carries a CVSS score of 9.3 if the User-ID Authentication Portal is configured to enable access from the internet or any untrusted network. The severity comes down to 8.7 if access to the portal is restricted to only trusted internal IP addresses.
"A buffer overflow vulnerability
Bleepingcomputer
Palo Alto Networks warns of firewall RCE zero-day exploited in attacks
blogs_bleepingcomputer·2026-05-06·CVSS 9.3
CVE-2026-0300 [CRITICAL] Palo Alto Networks warns of firewall RCE zero-day exploited in attacks
## Palo Alto Networks warns of firewall RCE zero-day exploited in attacks
## Sergiu Gatlan
Palo Alto Networks warned customers today that a critical-severity unpatched vulnerability in the PAN-OS User-ID Authentication Portal is being exploited in attacks.
Also known as the Captive Portal, the User-ID Authentication Portal is a PAN-OS security feature that authenticates users whose identities cannot be automatically mapped by the firewall.
Tracked as CVE-2026-0300, this zero-day bug stems from a buffer overflow weakness that allows unauthenticated attackers to execute arbitrary code with root privileges on Internet-exposed PA-Series and VM-Series firewalls via specially crafted packets.
"Limited exploitation has been observed targeting Palo Alto Networks User-ID™ Authentication Portal
Rapid7
Critical Buffer Overflow in Palo Alto Networks PAN-OS User-ID Authentication Portal (CVE-2026-0300)
blogs_rapid7·2026-05-06·CVSS 9.3
CVE-2026-0300 [CRITICAL] Critical Buffer Overflow in Palo Alto Networks PAN-OS User-ID Authentication Portal (CVE-2026-0300)
## Overview
On May 6, 2026, Palo Alto Networks published a security advisory for CVE-2026-0300, a critical unauthenticated buffer overflow vulnerability affecting PAN-OS PA-Series and VM-Series firewall appliances. Prisma Access, Cloud NGFW, and Panorama appliances are not affected by this vulnerability. The vulnerability carries a CVSSv4 score of 9.3 and has been confirmed as exploited in the wild by the vendor.
CVE-2026-0300 is a buffer overflow (CWE-787) in the User-ID™ Authentication Portal (also known as Captive Portal), a non-default PAN-OS feature used to map IP addresses to usernames. An unauthenticated remote attacker can exploit this vulnerability by sending specially crafted packets to a device with the Authentication Portal enabled, achieving arbitrary code execution with
Timeline:
- 2026-05-06: Published
- 2026-05-06: Added to CISA KEV
- Exploited in the wild