Executive Summary
In May 2026 Palo Alto Networks announced the discovery of a critical buffer‑overflow vulnerability (CVE‑2026‑0300) in the User‑ID Authentication Portal, also referred to as the Captive Portal, of its PAN‑OS firewall software. The flaw allows an unauthenticated attacker to send specially crafted packets to a vulnerable device and execute arbitrary code with root privileges on PA‑Series and VM‑Series firewalls. The exploit does not require any credentials or prior access, and it can be triggered from an external network if the portal is exposed to the internet or untrusted zones.
Attack Narrative
Unit 42 has tracked a cluster of activity named CL‑STA‑1132 that appears to be state‑sponsored. The attackers first attempted exploitation on April 9, 2026, but did not succeed. A week later they achieved remote code execution, injected shellcode into an nginx worker process, and immediately began log‑cleaning operations to hide their presence. Four days after the initial compromise the threat actors deployed publicly available tunneling tools – EarthWorm and ReverseSocks5 – and performed Active Directory enumeration using credentials that were obtained from the firewall’s service account. They systematically destroyed audit trails, removed SUID binaries, and conducted a SAML flood on April 29, 2026, which allowed a second device to become active and be compromised in the same manner.
Technical Details
The vulnerability resides in the way the Captive Portal parses HTTP requests. A crafted packet can overflow a buffer, overwrite a return address, and redirect execution to injected shellcode. The flaw is independent of any authentication mechanism, which is why the attack surface is significant when the portal is reachable from untrusted networks. The affected firmware versions are all PAN‑OS releases prior to 11.1, but the issue can also persist in later releases if the portal is not properly restricted.
Detection Indicators
- Unexpected outbound connections from a firewall to external IPs on non‑standard ports.
- Log entries showing removal of nginx crash logs or core dumps.
- Presence of EarthWorm or ReverseSocks5 binaries on the host.
- Unusual SAML requests or flood patterns targeting the firewall.
- Active Directory enumeration queries originating from a firewall using service‑account credentials.
Mitigation & Recommendations
- Restrict access to the User‑ID Authentication Portal to trusted internal zones only; disable the portal on interfaces that face the internet or untrusted networks.
- Enable Threat ID 510019 in Advanced Threat Prevention for PAN‑OS 11.1 or later; this blocks known exploitation payloads.
- Apply the latest PAN‑OS firmware update that patches CVE‑2026‑0300 as soon as it is available.
- Configure a firewall rule to drop all inbound traffic to port 80/443 on the interface that serves the captive portal, if the service is not required.
- Monitor for the presence of EarthWorm and ReverseSocks5; consider implementing a host‑based intrusion detection solution to alert on the execution of these utilities.
- Perform a comprehensive audit of firewall logs to ensure no evidence of compromise remains.
Proactive Measures
Palo Alto Networks recommends that customers use Cortex Xpanse to identify any exposed User‑ID portals and to receive real‑time alerts if a vulnerable instance is discovered. Engaging the Unit 42 Incident Response team can help organizations conduct a rapid containment assessment and implement layered defenses. Security teams should also review their internal network segmentation policies, ensuring that critical edge devices are isolated from public interfaces and that only privileged users can manage them.
Conclusion
The CVE‑2026‑0300 exploitation demonstrates how a single, zero‑day flaw in an edge‑device service can provide attackers with full administrative control. By combining a low‑profile, uncredentialed vector with open‑source tunneling tools, the threat actors were able to maintain persistence while evading detection. Organizations that rely on PAN‑OS firewalls must now treat the Captive Portal as a high‑risk surface and enforce strict access controls, timely patching, and continuous monitoring to safeguard their network perimeter.

