8 Critical Facts About the PAN-OS Captive Portal Zero-Day Vulnerability (CVE-2026-0300)
In early 2026, cybersecurity researchers at Unit 42 uncovered a dangerous zero-day vulnerability in Palo Alto Networks’ PAN-OS operating system. Tracked as CVE-2026-0300, this flaw allows unauthenticated remote code execution via a buffer overflow in the User-ID Authentication Portal (commonly known as the Captive Portal). If left unpatched, attackers can take full control of affected firewalls without any credentials. Below are eight key facts you need to understand this threat and how to protect your network.
1. What Is CVE-2026-0300?
CVE-2026-0300 is a buffer overflow vulnerability residing in the PAN-OS User-ID Authentication Portal component. This portal is used for captive portal authentication – a feature that prompts users to log in before granting network access. The flaw allows an unauthenticated attacker to send specially crafted network traffic to the firewall, overflowing a memory buffer and executing arbitrary code with system privileges.
2. How Does the Exploit Work?
Attackers exploit this vulnerability by sending a malformed packet to the captive portal service running on TCP port 8080 or 8888 (default ports). The packet triggers a stack-based buffer overflow, corrupting adjacent memory. Because the buffer is not properly bounded, the attacker can inject malicious payloads that overwrite the program's control flow. Since the service runs with root privileges, the payload executes with full system access, bypassing authentication entirely.
3. Which Systems Are Affected?
This vulnerability affects all Palo Alto Networks firewalls running PAN-OS with the User-ID Authentication Portal enabled. The exact version range has not been publicly disclosed, but early Unit 42 analysis suggests it impacts PAN-OS 10.x, 11.x, and possibly earlier releases. Organizations using captive portal functionality – commonly found in guest Wi‑Fi networks or employee BYOD portals – are at highest risk.
4. Why Is It Considered Critical?
The severity of CVE-2026-0300 is underscored by its CVSS score of 10.0 – the highest possible. Three factors contribute:
- Remote exploitation – no physical access required
- No authentication needed – attacker does not need valid credentials
- Full compromise – code executes with root privileges, allowing installation of backdoors, data exfiltration, and lateral movement
5. Who Discovered the Vulnerability?
The flaw was discovered by Unit 42, Palo Alto Networks’ threat intelligence team, during routine hunting for zero-day exploits. Unit 42 researchers identified malicious traffic patterns targeting captive portal services and reverse‑engineered the attack, leading to the discovery of CVE-2026-0300. Their findings were responsibly disclosed to Palo Alto Networks, prompting an emergency security advisory.
6. What Are the Real‑World Risks?
Successful exploitation can lead to complete firewall takeover, enabling attackers to:
- Disable security policies and logging
- Decrypt and inspect VPN traffic
- Deploy ransomware or persistent implants
- Use the firewall as a pivot point into the internal network
7. How to Mitigate the Threat?
Palo Alto Networks has released hotfixes for affected versions. The immediate recommended action is to apply the security patch. If patching is not possible, disable the User-ID Authentication Portal if it is not required – go to Device > User Identification > Authentication Portal and uncheck “Enable Authentication Portal”. Additionally, restrict access to captive portal services from untrusted networks using ACLs or internal firewall rules.
8. How Can You Detect Exploitation?
Monitor system logs for unusual traffic spikes on captive portal ports (8080/8888) or repeated malformed packets. Look for buffer overflow triggers such as crashes or restarts of the useridd process. Unit 42 also recommends enabling threat logging and correlating with their published indicators of compromise (IOCs). Review firewall CPU and memory usage for unexplained spikes, as exploitation often leaves visible system anomalies.
Conclusion
CVE-2026-0300 is a dangerous zero-day that demands immediate attention. By understanding its mechanism, affected systems, and mitigation steps, security teams can reduce exposure before attackers exploit it at scale. Apply patches, disable unnecessary services, and remain vigilant with log monitoring. As always, proactive defense is your strongest ally against remote code execution vulnerabilities in perimeter devices.