PT-2026-37340 · Palo Alto Networks · PAN-OS, PA-Series, VM-Series
Published: 2026-05-06 · Updated: 2026-05-12 · CVE-2026-0300
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
PAN-OS versions prior to 10.2.18-h6
PAN-OS versions prior to 11.1.15
PAN-OS versions prior to 11.2.12
PAN-OS versions prior to 12.1.7

Description
An out-of-bounds write (buffer overflow) exists in the User-ID Authentication Portal (also known as Captive Portal) service of PAN-OS. The flaw allows an unauthenticated remote attacker to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending specially crafted packets. The issue is reachable only when the portal is enabled and exposed to untrusted networks or the public internet. Approximately 5,800 VM-Series firewalls have been identified as exposed globally, with high concentrations in Asia and North America.
Real-world exploitation has been confirmed, including activity by a suspected state-sponsored threat group tracked as CL-STA-1132 since at least April 9, 2026. Attackers have used this flaw to achieve remote code execution by injecting shellcode into the nginx worker process. Post-exploitation activity included deploying tunneling tools such as EarthWorm and ReverseSocks5, conducting SAML floods for lateral movement, and systematically deleting crash kernel messages and nginx records to evade detection.

Recommendations
Update PAN-OS to the fixed release for your branch: 10.2.18-h6, 11.1.15, 11.2.12, or 12.1.7. Restrict access to the User-ID Authentication Portal to trusted internal IP addresses only. Disable the User-ID Authentication Portal service entirely if it is not required.
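The fixed versions above are per maintenance branch, and PAN-OS hotfix suffixes (10.2.18 vs 10.2.18-h6) make naive string comparison unreliable. The following is an added triage script, not code from the advisory or from Palo Alto Networks; it assumes the usual PAN-OS version format MAJOR.MINOR.PATCH with an optional -hN hotfix, takes the fixed versions from the advisory text, and uses a constructed inventory to rank hosts by whether the portal is enabled and reachable from untrusted zones, which is the exposure condition the advisory describes. Branches the advisory does not list are reported as "not listed" rather than guessed.

```python
"""Triage PAN-OS firewalls against the CVE-2026-0300 fixed releases.

Added example for this advisory (not Palo Alto Networks code). Assumes the
PAN-OS version format MAJOR.MINOR.PATCH[-hN]; fixed releases come from the
advisory text above.
"""
from __future__ import annotations

import re

# Fixed release per maintenance branch, as stated in the advisory.
FIXED_VERSIONS = {
    (10, 2): "10.2.18-h6",
    (11, 1): "11.1.15",
    (11, 2): "11.2.12",
    (12, 1): "12.1.7",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Parse '10.2.18-h6' into (10, 2, 18, 6); a missing hotfix counts as 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def assess(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'not listed' for CVE-2026-0300."""
    parsed = parse_version(version)
    branch = parsed[:2]
    if branch not in FIXED_VERSIONS:
        return "not listed"
    fixed = parse_version(FIXED_VERSIONS[branch])
    # Tuple comparison orders patch before hotfix, so 10.2.18 < 10.2.18-h6 < 10.2.19.
    return "fixed" if parsed >= fixed else "vulnerable"


def prioritise(inventory: dict[str, dict]) -> dict[str, str]:
    """Rank vulnerable hosts by exposure of the User-ID Authentication Portal.

    inventory maps host name -> {"version", "portal_enabled", "portal_on_untrusted"}.
    """
    result = {}
    for host, info in inventory.items():
        status = assess(info["version"])
        if status == "vulnerable":
            if info["portal_enabled"] and info["portal_on_untrusted"]:
                status = "vulnerable: patch immediately (portal exposed to untrusted)"
            elif info["portal_enabled"]:
                status = "vulnerable: patch (portal on trusted zones only)"
            else:
                status = "vulnerable: patch (portal disabled)"
        result[host] = status
    return result


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = {
    "fw-edge-01": {"version": "10.2.18-h5", "portal_enabled": True, "portal_on_untrusted": True},
    "fw-edge-02": {"version": "10.2.18-h6", "portal_enabled": True, "portal_on_untrusted": True},
    "fw-dc-01": {"version": "11.1.14", "portal_enabled": True, "portal_on_untrusted": False},
    "fw-lab-01": {"version": "12.1.6", "portal_enabled": False, "portal_on_untrusted": False},
    "fw-legacy-01": {"version": "11.0.5", "portal_enabled": True, "portal_on_untrusted": True},
}

if __name__ == "__main__":
    for host, status in prioritise(SAMPLE_INVENTORY).items():
        print(f"{host:14} {status}")
```

Hosts reported as "not listed" need a manual check against the vendor advisory rather than being treated as safe; the script only knows the branches this record names.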

Tags: Exploit · Fix · DoS · RCE · LPE · Memory Corruption

Weakness Enumeration

Related Identifiers: BDU:2026-06322, CVE-2026-0300

Affected Products: PA-Series, PAN-OS, VM-Series