PT-2026-37340 · Palo Alto Networks · Vm Series+2
Published
2026-05-06
·
Updated
2026-06-25
·
CVE-2026-0300
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Palo Alto Networks PAN-OS versions prior to May 13, 2026
Description
A buffer overflow (out-of-bounds write) exists in the User-ID™ Authentication Portal (also known as Captive Portal) service, a non-default feature used to map IP addresses to usernames. This allows an unauthenticated remote attacker to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending specially crafted packets. The flaw can be exploited to gain full control over network traffic, intercept or modify connections, and install backdoors.
Real-world exploitation has been observed since April 9, 2026, by a suspected state-sponsored threat cluster tracked as CL-STA-1132. Attackers achieved remote code execution by injecting shellcode into the worker nginx process. Post-exploitation activities included using tunneling tools such as EarthWorm and ReverseSocks5 to maintain persistence, performing SAML floods for privilege escalation, and enumerating Active Directory credentials. To evade detection, attackers systematically deleted nginx crash entries, core dump files, and crash kernel messages.
Approximately 5,800 VM-Series firewalls (primarily in Asia and North America) and up to 135,755 internet-facing PAN-OS instances have been identified as potentially exposed. The vulnerability is associated with the SetUserID function.
Recommendations
Update to the security versions released on May 13, 2026.
As a temporary workaround, restrict access to the User-ID™ Authentication Portal to only trusted internal IP addresses or internal zones.
Disable the User-ID™ Authentication Portal entirely if it is not required.
Exploit
Fix
LPE
DoS
RCE
Memory Corruption
Affected Products
PA-Series
PAN-OS
VM-Series