Security Unlocked

Palo Alto Captive Portal Zero-Day Under Active Chinese-Linked Exploitation, First Patches May 13

CVE-2026-0300 (CVSS 9.3) is an unauthenticated, root-level RCE in the PAN-OS User-ID Authentication Portal of PA-Series and VM-Series firewalls, under active exploitation by a likely China-aligned cluster Unit 42 tracks as CL-STA-1132. First hotfixes ship May 13. Anything with the Captive Portal exposed to untrusted networks needs immediate mitigation.

Campaign: CL-STA-1132 (HIGH confidence)

Palo Alto Networks today published its advisory and Unit 42 writeup for CVE-2026-0300, a CVSS 9.3 buffer-overflow vulnerability in the PAN-OS User-ID Authentication Portal (the Captive Portal) on PA-Series and VM-Series firewalls. The flaw permits unauthenticated remote code execution with root privileges via crafted packets and is under active exploitation by a likely state-aligned cluster Unit 42 tracks as CL-STA-1132. First fixed builds drop May 13, with the remaining hotfix wave on May 28. Cloud NGFW, Prisma Access, and Panorama are not affected.

This is a same-day mitigation event for any environment where the Captive Portal is reachable from the internet or other untrusted networks. The PSIRT urgency rating is HIGHEST, the exploit maturity is ATTACKED, and the most accessible workaround is fully within an admin’s control before the patch ships.

What’s Actually Vulnerable

The bug lives in the User-ID Authentication Portal, the component that intercepts unauthenticated user traffic and presents a sign-in page so PAN-OS can map a session to an identity. Because the portal exists to greet untrusted users, restricting its exposure is a configuration choice rather than a default. Two conditions have to hold for a firewall to be exposed:

  • The User-ID Authentication Portal is enabled (Device > User Identification > Authentication Portal Settings).
  • An interface management profile with response pages enabled is bound to an interface that accepts internet or untrusted traffic.

Where both are true, an unauthenticated attacker on the network can send specially crafted packets that overflow a buffer in the portal service and execute code as root. The weakness is CWE-787 (out-of-bounds write); the CVSS vector components are AV:N, AC:L, PR:N, UI:N, and the advisory rates the flaw as automatable.
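An exposure check for the two conditions above, added here as an example (not Palo Alto's tooling and not from the advisory): it parses a constructed, simplified XML stand-in for a PAN-OS configuration export and lists interfaces where a response-pages profile sits on an untrusted zone while the portal is enabled. The element names, zone names and the idea of reading the zone from the config are assumptions for this example, not the real PAN-OS schema; the same logic also yields the profiles the interim mitigation says to harden.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified stand-in for a PAN-OS configuration export. The element
# names and paths are assumptions for this example, not the real PAN-OS schema.
SAMPLE_CONFIG = """<config>
  <authentication-portal enabled="yes"/>
  <network>
    <interface-management-profile>
      <entry name="mgmt-public"><response-pages>yes</response-pages></entry>
      <entry name="mgmt-internal"><response-pages>yes</response-pages></entry>
      <entry name="mgmt-hardened"><response-pages>no</response-pages></entry>
    </interface-management-profile>
    <interface>
      <entry name="ethernet1/1"><profile>mgmt-public</profile></entry>
      <entry name="ethernet1/2"><profile>mgmt-internal</profile></entry>
      <entry name="ethernet1/3"><profile>mgmt-hardened</profile></entry>
    </interface>
    <zone>
      <entry name="untrust"><member>ethernet1/1</member><member>ethernet1/3</member></entry>
      <entry name="trust"><member>ethernet1/2</member></entry>
    </zone>
  </network>
</config>"""

def exposed_interfaces(config_xml, untrusted_zones=frozenset({"untrust"})):
    """(interface, profile, zone) tuples meeting both conditions: portal enabled AND a
    profile with response pages on bound to an interface in an untrusted zone."""
    root = ET.fromstring(config_xml)
    portal = root.find("authentication-portal")
    if portal is None or portal.get("enabled") != "yes":
        return []  # condition 1 fails: portal disabled, attack surface absent
    rp_profiles = {p.get("name") for p in root.iterfind("network/interface-management-profile/entry")
                   if p.findtext("response-pages") == "yes"}
    zone_of = {m.text: z.get("name")
               for z in root.iterfind("network/zone/entry") for m in z.iterfind("member")}
    findings = []
    for iface in root.iterfind("network/interface/entry"):
        name, profile = iface.get("name"), iface.findtext("profile")
        if profile in rp_profiles and zone_of.get(name) in untrusted_zones:
            findings.append((name, profile, zone_of[name]))
    return findings

def profiles_to_harden(config_xml, untrusted_zones=frozenset({"untrust"})):
    """Profiles whose response pages should be turned off (the interim mitigation)."""
    return sorted({profile for _, profile, _ in exposed_interfaces(config_xml, untrusted_zones)})

if __name__ == "__main__":
    for name, profile, zone in exposed_interfaces(SAMPLE_CONFIG):
        print(f"EXPOSED: {name} in zone {zone} via profile {profile}")
    print("disable response pages on:", profiles_to_harden(SAMPLE_CONFIG))
```

In the constructed config, ethernet1/3 sits on the untrusted zone but its profile already has response pages off, and ethernet1/2 has response pages on but only faces the trusted zone, so only ethernet1/1 is reported.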

What the Attackers Are Doing With It

Unit 42’s writeup reconstructs CL-STA-1132’s playbook from telemetry. First exploitation attempts hit on April 9 and failed. A week later the cluster succeeded, gaining root via Nginx worker shellcode injection. Post-compromise behavior is the part defenders should pay attention to:

  • Immediate log cleanup: kernel crash messages, Nginx crash entries and records, and crash core dump files were deleted to suppress detection signal.
  • Four days later, the operators returned with root-level tooling and used the firewall’s own service-account credentials to enumerate Active Directory, specifically the domain root and DomainDnsZones.
  • Subsequent anti-forensic steps: ptrace injection evidence was wiped from the audit log and the SUID privilege-escalation binary was deleted.

The toolset is Earthworm and ReverseSocks5, both open-source and both heavily favored by Chinese APT clusters including Volt Typhoon and APT41. Palo Alto stops short of country attribution in the advisory; the tradecraft is consistent with Chinese state-aligned operators, including the discipline of staying below behavioral-detection thresholds with intermittent, interactive sessions over weeks rather than burst activity.

What This Continues

This is the same edge-device pre-positioning pattern that has defined Volt Typhoon, Salt Typhoon, and adjacent clusters for two years. Firewalls, VPN concentrators, and identity-adjacent services that sit outside most enterprise EDR coverage are the ingress of choice, and the post-compromise objective is rarely the device itself; it is the service-account trust the device carries into the directory and the broader network. The AD enumeration step in this campaign is the giveaway. The firewall was the foothold. Active Directory was the target.

It also continues the run of high-severity authentication-surface flaws Security Unlocked has been tracking. The April 26 alert, Three Critical Exploits Hit Management Planes and Endpoints, covered FortiClient EMS, Adobe Reader, and nginx-ui in the same week. CVE-2026-0300 is a different attack surface (a user-facing portal rather than a management console), but the strategic logic is identical: target the trust-positioned services that organizations must expose to function, and the credentials they hold will pay off downstream.

What to Do Today

The PSIRT advisory is the authoritative source; this is the operational summary.

  • Determine exposure first. Confirm whether the User-ID Authentication Portal is enabled and whether any interface management profile with response pages is bound to an internet-accessible interface. Both conditions must be true to be vulnerable.
  • If the portal is not in use, disable it. This eliminates the attack surface entirely and is the cleanest mitigation.
  • If the portal is in use, restrict it to trusted zones. Disable response pages in interface management profiles attached to any L3 interface where untrusted traffic can ingress. Keep response pages enabled only on interfaces in trusted zones where legitimate users’ browsers actually originate. Palo Alto’s Live Community guide walks through the steps; this drops the CVSS score to 8.7 and removes internet exposure.
  • Threat Prevention subscribers can block on the wire. Enable Threat ID 510019 from Applications and Threats content version 9097-10022. PAN-OS 11.1 or later is required for the decoder.
  • Hunt for the post-compromise pattern, not just the exploit. Check audit logs for evidence of crash-log cleanup, Nginx worker process anomalies, ptrace-related entries that subsequently disappeared, and any AD enumeration sourced from firewall service accounts. CL-STA-1132’s tradecraft prioritizes log destruction, so absence of expected entries can itself be a signal.
  • Rotate firewall service-account credentials with Active Directory reach. If the firewall has been exposed and CL-STA-1132’s playbook has run, those credentials are the pivot. Treat them as compromised pending forensic validation.
  • Pre-stage the patch deployment. First fixed builds across the affected version trains land May 13; the remaining hotfix wave lands May 28. The full version table is in the PSIRT advisory. Queue the change windows now.
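Two of the hunting checks above, the "absence of expected entries" signal and AD enumeration sourced from a firewall service account, worked as an added example over constructed events (not Unit 42's or Palo Alto's detection content). It assumes the firewall forwards syslog off-box, so the forwarded copy can be diffed against what is still on the device, and that the service-account name, domain root and message formats are placeholders you replace with your own.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: str     # ISO 8601 timestamp
    source: str # "fw-syslog-copy" (forwarded off-box), "fw-onbox" (read from device), "dc-ldap"
    actor: str  # producing process or account
    msg: str

# Constructed sample events; message formats are invented for this example.
# The forwarded syslog stream is treated as the tamper-resistant reference copy.
SYSLOG_COPY = [
    Event("2026-04-16T02:10:00Z", "fw-syslog-copy", "nginx", "worker process 2230 started"),
    Event("2026-04-16T02:11:05Z", "fw-syslog-copy", "kernel", "nginx[2231]: segfault, core dumped"),
    Event("2026-04-16T02:11:06Z", "fw-syslog-copy", "nginx", "worker process 2231 exited on signal 11"),
    Event("2026-04-16T02:14:40Z", "fw-syslog-copy", "audit", "ptrace attach target=2240 uid=0"),
]
ONBOX_LOGS = [  # same window read back from the device: crash and ptrace lines are gone
    Event("2026-04-16T02:10:00Z", "fw-onbox", "nginx", "worker process 2230 started"),
]
LDAP_EVENTS = [
    Event("2026-04-20T09:02:13Z", "dc-ldap", "svc-panfw-userid", "search base=DC=corp,DC=example scope=sub"),
    Event("2026-04-20T09:02:20Z", "dc-ldap", "svc-panfw-userid", "search base=DC=DomainDnsZones,DC=corp,DC=example scope=sub"),
    Event("2026-04-20T09:05:00Z", "dc-ldap", "svc-panfw-userid", "search base=OU=Users,DC=corp,DC=example scope=sub"),
    Event("2026-04-20T09:06:00Z", "dc-ldap", "jdoe", "search base=DC=corp,DC=example scope=sub"),
]

def destroyed_entries(syslog_copy, onbox):
    """Entries in the forwarded copy that no longer exist on the device.
    Absence on-box is the signal: CL-STA-1132 deleted crash and ptrace records."""
    present = {(e.ts, e.msg) for e in onbox}
    return [e for e in syslog_copy if (e.ts, e.msg) not in present]

def ad_enum_by_firewall(ldap_events, service_accounts, domain_root):
    """LDAP searches by a firewall service account against the domain root or DomainDnsZones.
    Assumption: a User-ID group-mapping account has no routine reason to search either."""
    hits = []
    for e in ldap_events:
        if e.actor not in service_accounts or "base=" not in e.msg:
            continue
        base = e.msg.split("base=", 1)[1].split()[0].upper()
        if base == domain_root.upper() or base.startswith("DC=DOMAINDNSZONES,"):
            hits.append(e)
    return hits

if __name__ == "__main__":
    for e in destroyed_entries(SYSLOG_COPY, ONBOX_LOGS):
        print("missing on-box:", e.ts, e.actor, e.msg)
    for e in ad_enum_by_firewall(LDAP_EVENTS, {"svc-panfw-userid"}, "DC=corp,DC=example"):
        print("AD enumeration by firewall account:", e.ts, e.msg)
```

The routine OU=Users search by the service account and the domain-root search by an ordinary user are deliberately left unflagged, so the check stays focused on the specific pattern the writeup describes.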

SecurityWeek has published a summary of the advisory, and Unit 42 has published the technical breakdown.