Tags: CVE-2026-0300, Palo Alto, PAN-OS, CISA KEV, firewall, RCE, CVE

CVE-2026-0300 Palo Alto PAN-OS: Unauth Root RCE Already in CISA KEV

Critical buffer overflow (CVSS 9.8) in the User-ID Authentication Portal of Palo Alto PAN-OS — unauth root RCE. Added to CISA KEV. Patch and workaround.

May 11, 2026 · 5 min read

On May 6, 2026, Palo Alto Networks released a critical advisory for CVE-2026-0300 (CVSS 9.8), a buffer overflow in the User-ID Authentication Portal (also known as Captive Portal) service of PAN-OS. Successful exploitation lets an unauthenticated attacker execute arbitrary code as root on PA-Series and VM-Series firewalls by sending crafted packets to the portal. The vulnerability was added to the CISA KEV catalog the same day; CISA lists a CVE in KEV only on reliable evidence of active exploitation, so treat it as already exploited in the wild.

If you expose the Authentication Portal to the internet, or even to partially trusted network segments, treat your firewalls as potentially compromised until the patch is applied.


Technical Details

Vulnerable component

The User-ID Authentication Portal is how PAN-OS authenticates users before applying network policy (IP→User mapping). It can be a web portal where users enter credentials, or a transparent integration with Kerberos/NTLM.

A parsing function in the service handling packets received by the portal suffers from a buffer overflow: an unbounded input string overwrites the stack, allowing an attacker to hijack execution flow.

Characteristics

Field            Value
CVSS 3.1         9.8 (CRITICAL)
Vector           AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE              CWE-787 (Out-of-bounds Write)
Authentication   None required
CISA KEV         Yes, added 2026-05-06 (federal due date 2026-05-09)
Vendor           Palo Alto Networks

Why the 9.8 score?

The vulnerable service runs as root on the appliance, so an unauthenticated RCE yields full control of the firewall and, by extension, of every packet it inspects. Network-reachable, no privileges, no user interaction, and full confidentiality/integrity/availability impact is exactly the combination that scores 9.8 under CVSS 3.1.


Affected Products and Versions

Product               Affected versions                         Status
PAN-OS on PA-Series   10.2.0, 10.2.1, 10.2.2, 10.2.3, 10.2.4    See official advisory for patched versions
PAN-OS on VM-Series   10.2.0, 10.2.1, 10.2.2, 10.2.3, 10.2.4    See official advisory for patched versions
Prisma Access         none                                      Not affected
Cloud NGFW            none                                      Not affected
Panorama              none                                      Not affected

Check your exact version immediately via the WebUI (Dashboard → General Information → Software Version) or via CLI:

show system info | match sw-version
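The version check is easy to get wrong at fleet scale, because PAN-OS version strings carry an optional hotfix suffix (for example 10.2.3-h4) and the post only lists base releases, not which hotfix carries the fix. The following script is an added example, not Palo Alto tooling: it classifies a version string from either the `show system info | match sw-version` CLI line or a `show system info` reply from the PAN-OS XML API against the affected list above. The host name, model and version in the sample reply are constructed, and any 10.2.x hotfix build is reported as "check the advisory" rather than assumed fixed.

```python
"""Classify PAN-OS versions against the affected list in this post.

Added example; not Palo Alto's tooling. AFFECTED_BASE comes from the table
above. Hotfix builds (e.g. 10.2.3-h4) are NOT assumed fixed: the post defers
to the official advisory for which builds carry the fix.
"""
import re
import xml.etree.ElementTree as ET

AFFECTED_BASE = {"10.2.0", "10.2.1", "10.2.2", "10.2.3", "10.2.4"}

# PAN-OS version strings look like MAJOR.MINOR.MAINT with an optional -hN hotfix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(sw_version):
    """'10.2.3-h4' -> (10, 2, 3, 4); hotfix is 0 when absent."""
    m = VERSION_RE.match(sw_version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {sw_version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def classify(sw_version):
    """Return 'affected', 'affected-base-check-hotfix' or 'not-listed'."""
    major, minor, maint, hotfix = parse_version(sw_version)
    base = f"{major}.{minor}.{maint}"
    if base not in AFFECTED_BASE:
        return "not-listed"  # not in this post's table; still confirm with the advisory
    if hotfix:
        return "affected-base-check-hotfix"  # the fix may ship as a hotfix; verify
    return "affected"


def classify_cli_line(line):
    """Parse the line printed by `show system info | match sw-version`."""
    m = re.search(r"sw-version:\s*(\S+)", line)
    if not m:
        raise ValueError("no sw-version field in line")
    return classify(m.group(1))


def classify_api_response(xml_text):
    """Parse a `show system info` reply from the PAN-OS XML API (type=op)."""
    root = ET.fromstring(xml_text)
    hostname = root.findtext("./result/system/hostname")
    version = root.findtext("./result/system/sw-version")
    return hostname, version, classify(version)


# Constructed sample reply (hypothetical host name, model and version).
SAMPLE_XML = """<response status="success"><result><system>
<hostname>fw-edge-01</hostname><sw-version>10.2.3-h4</sw-version>
<model>PA-440</model></system></result></response>"""

if __name__ == "__main__":
    print(classify_cli_line("sw-version: 10.2.1"))
    print(classify_api_response(SAMPLE_XML))
```

Run it against the output of every firewall in your inventory; anything reported as `affected` or `affected-base-check-hotfix` goes on the emergency patch list until the advisory says otherwise.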

Exploitation and Impact

Exploitation conditions

The attacker needs network reach to the Authentication Portal. Depending on your configuration:

  • Worst case: portal exposed on an internet-reachable interface (common when the Captive Portal is deployed on the same external interface as GlobalProtect)
  • Intermediate case: portal exposed on internal network segments (employees, contractors, BYOD)
  • Reduced case: portal reachable only from trusted internal IPs, restricted per official best practices

Post-compromise impact

A root RCE on a PAN-OS firewall gives the attacker:

  • Full visibility into every TLS-decrypted flow (SSL forward proxy)
  • Ability to inject malicious rules (allow C2, disable IPS for specific hosts)
  • Pivot between security zones (move from DMZ to LAN unconstrained)
  • Log tampering (erase attack traces, disable SIEM forwarding)
  • Persistent presence via firmware or configuration modification

CISA KEV listing

The same-day KEV addition on 2026-05-06 means CISA had reliable evidence of active exploitation at publication, since that is the catalog's inclusion criterion. The remediation deadline for US federal civilian (FCEB) agencies is exceptionally short: 2026-05-09, three days after publication.


Detection and IOCs

PAN-OS logs to monitor

# CLI: show recent system logs
show log system direction equal backward

Typical indicators of an exploitation attempt:

  • Repeated crashes of the user-id process or Authentication Portal daemon (with core file generation)
  • Unexpected reboots of the dataplane
  • Unusual files in /tmp/, /var/tmp/, /opt/pancfg/
  • Changes in /opt/pancfg/mgmt/users (admin account creation)
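The first two indicators above (repeated daemon crashes with core files, dataplane restarts) are the ones you can triage mechanically from forwarded system logs. The script below is an added example, not a PAN-OS feature: it reads constructed log lines in an assumed CSV export format (timestamp, severity, subtype, description; not the exact PAN-OS system-log layout), counts crashes per process inside a sliding window, and lists dataplane restarts. The process names (`portald`, `sslmgr`) and the message wording are hypothetical stand-ins; adjust `CRASH_RE` to whatever your log forwarder actually emits.

```python
"""Triage forwarded system-log lines for the crash burst pattern above.

Added example. Line format is an assumed CSV export
(timestamp,severity,subtype,description); process names are hypothetical.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. "portald" stands in for the Authentication Portal daemon.
SAMPLE_LOG = """\
2026-05-07T02:14:09,critical,general,Process portald exited unexpectedly; core file written to /var/cores/portald.core
2026-05-07T02:14:21,critical,general,Process portald exited unexpectedly; core file written to /var/cores/portald.core
2026-05-07T02:14:40,informational,general,User admin logged in via web from 10.10.1.5
2026-05-07T02:15:02,critical,general,Process portald exited unexpectedly; core file written to /var/cores/portald.core
2026-05-07T02:16:55,critical,general,Process portald exited unexpectedly; core file written to /var/cores/portald.core
2026-05-07T02:17:30,critical,general,Dataplane restarting
2026-05-07T05:40:12,high,general,Process sslmgr exited unexpectedly; core file written to /var/cores/sslmgr.core
"""

CRASH_RE = re.compile(r"[Pp]rocess (\S+) (?:exited unexpectedly|crashed)")
DATAPLANE_RE = re.compile(r"[Dd]ataplane (?:restart|reboot)")


def parse_log(text):
    """Yield (timestamp, severity, subtype, description) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sev, sub, desc = line.split(",", 3)  # description may contain commas
        yield datetime.fromisoformat(ts), sev, sub, desc


def crash_bursts(text, min_count=3, window_seconds=300):
    """Map process -> peak crash count inside any window of window_seconds,
    for processes reaching min_count. One crash is noise; a burst of crashes
    of the portal daemon looks like repeated exploitation attempts."""
    window = timedelta(seconds=window_seconds)
    per_proc = defaultdict(list)
    for ts, _sev, _sub, desc in parse_log(text):
        m = CRASH_RE.search(desc)
        if m:
            per_proc[m.group(1)].append(ts)
    bursts = {}
    for proc, times in per_proc.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_count:
            bursts[proc] = peak
    return bursts


def dataplane_restarts(text):
    """ISO timestamps of dataplane restart/reboot events."""
    return [ts.isoformat() for ts, _s, _u, desc in parse_log(text)
            if DATAPLANE_RE.search(desc)]


if __name__ == "__main__":
    print(crash_bursts(SAMPLE_LOG))      # {'portald': 4}
    print(dataplane_restarts(SAMPLE_LOG))
```

A burst of portal-daemon crashes immediately followed by a dataplane restart, as in the sample, is the sequence to escalate: pull the core files before they rotate, and treat the box as compromised until proven otherwise.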

Network traces

  • Traffic to Authentication Portal ports (default TCP 6080/6081/6082) from atypical external IPs
  • Abnormally large or malformed packets to those ports
  • Outbound connections from the firewall to unknown destinations (potential C2)

Suricata rule

alert tcp any any -> $PANOS_PORTAL_IPS [6080,6081,6082] \
  (msg:"Possible PAN-OS CVE-2026-0300 exploitation attempt - oversized payload"; \
   flow:to_server,established; dsize:>2048; \
   threshold:type both,track by_src,count 5,seconds 60; \
   classtype:attempted-admin; sid:2026000300; rev:1;)

Define $PANOS_PORTAL_IPS under vars.address-groups in suricata.yaml before loading the rule. Two caveats: dsize tests the payload of a single TCP segment, not the reassembled stream, so with an ordinary 1460-byte MSS no segment ever reaches 2048 bytes and the rule only fires on jumbo frames (use stream_size if you want a per-flow byte count instead); and the rule keys on size, not on the exploit's content, so it is a coarse tripwire rather than a signature. The threshold (5 hits from one source in 60 seconds) keeps one-off noise out of the alert queue.

Configuration audit

# List configured administrators
show config running mgt-config users

# List active admin sessions
show admins

Mitigation and Patch

Priority action: apply the official patch

Log into the Palo Alto Networks support portal and download the fixed release for your branch. Generic procedure:

# Via WebUI
Device → Software → Download → [patched version] → Install → Reboot

# Via CLI
request system software download version <patched-version>
request system software install version <patched-version>
request restart system

Official workaround (if patching is delayed)

The Palo Alto advisory recommends the following workaround. It drastically reduces the exposure but does not eliminate it, since any host that can still reach the portal can still trigger the overflow:

Restrict access to the User-ID Authentication Portal to trusted internal IPs only, following the official best practice guidelines.

To do so:

  1. Identify the zone and interface hosting the portal
  2. Create or amend the security policy that reaches it so that the source address is limited to your internal subnets (and the source zone to trusted zones)
  3. Disable the portal entirely if you do not actively use it

# Check whether the portal is enabled
show config running deviceconfig setting captive-portal
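Step 2 of the workaround and the configuration audit above (unexpected administrator accounts) can both be checked offline against a running-configuration XML export, which is quicker and safer on a possibly compromised box than trusting its interactive output. The script below is an added example, not Palo Alto tooling. The XML is a constructed fragment that follows the real running-config layout (mgt-config/users for administrators, devices/entry/vsys/entry/service for service objects, devices/entry/vsys/entry/rulebase/security/rules for policy); the zone names, object names, addresses and account names are hypothetical. It flags admin accounts missing from your baseline, and allow rules that let an "any" source or a non-trusted zone reach a service covering TCP 6080-6082.

```python
"""Audit a PAN-OS running-config export for portal exposure and rogue admins.

Added example, not Palo Alto tooling. SAMPLE_CONFIG is a constructed
fragment using the real config layout; all names in it are hypothetical.
"""
import xml.etree.ElementTree as ET

PORTAL_PORTS = {6080, 6081, 6082}
VSYS = "./devices/entry/vsys/entry"

SAMPLE_CONFIG = """\
<config>
  <mgt-config><users>
    <entry name="admin"/><entry name="svc-backup"/><entry name="support1"/>
  </users></mgt-config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <service>
      <entry name="svc-captive-portal"><protocol><tcp><port>6080-6082</port></tcp></protocol></entry>
      <entry name="svc-https"><protocol><tcp><port>443</port></tcp></protocol></entry>
    </service>
    <rulebase><security><rules>
      <entry name="cp-from-internet">
        <from><member>untrust</member></from><to><member>trust</member></to>
        <source><member>any</member></source><destination><member>any</member></destination>
        <service><member>svc-captive-portal</member></service><action>allow</action>
      </entry>
      <entry name="cp-trust-any">
        <from><member>trust</member></from><to><member>trust</member></to>
        <source><member>any</member></source><destination><member>10.10.0.1</member></destination>
        <service><member>svc-captive-portal</member></service><action>allow</action>
      </entry>
      <entry name="cp-from-lan">
        <from><member>trust</member></from><to><member>trust</member></to>
        <source><member>10.10.0.0/16</member></source><destination><member>10.10.0.1</member></destination>
        <service><member>svc-captive-portal</member></service><action>allow</action>
      </entry>
      <entry name="web-out">
        <from><member>trust</member></from><to><member>untrust</member></to>
        <source><member>any</member></source><destination><member>any</member></destination>
        <service><member>svc-https</member></service><action>allow</action>
      </entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>
"""


def tcp_ports(spec):
    """Expand a PAN-OS port spec such as '6080-6082' or '80,443' into a set."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        elif part:
            ports.add(int(part))
    return ports


def members(entry, tag):
    return [m.text.strip() for m in entry.findall(f"./{tag}/member")]


def unexpected_admins(root, baseline):
    """Admin accounts present in mgt-config but absent from the baseline."""
    found = {e.get("name") for e in root.findall("./mgt-config/users/entry")}
    return sorted(found - set(baseline))


def portal_services(root):
    """Service objects whose TCP port range overlaps the portal ports."""
    names = set()
    for svc in root.findall(f"{VSYS}/service/entry"):
        port = svc.findtext("./protocol/tcp/port")
        if port and tcp_ports(port) & PORTAL_PORTS:
            names.add(svc.get("name"))
    return names


def exposed_portal_rules(root, trusted_zones):
    """Allow rules reaching the portal ports from an 'any' source or a zone
    outside trusted_zones (a from-zone of 'any' is treated as untrusted)."""
    svc_names = portal_services(root)
    flagged = []
    for rule in root.findall(f"{VSYS}/rulebase/security/rules/entry"):
        if rule.findtext("./action") != "allow":
            continue
        services = set(members(rule, "service"))
        if "any" not in services and not services & svc_names:
            continue
        wide_source = "any" in members(rule, "source")
        untrusted_zone = any(z not in trusted_zones for z in members(rule, "from"))
        if wide_source or untrusted_zone:
            flagged.append(rule.get("name"))
    return flagged


def audit(xml_text, baseline_admins, trusted_zones):
    root = ET.fromstring(xml_text)
    return {"unexpected_admins": unexpected_admins(root, baseline_admins),
            "exposed_portal_rules": exposed_portal_rules(root, trusted_zones)}


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, {"admin", "svc-backup"}, {"trust"}))
```

In the sample, `cp-from-internet` is flagged for its untrust source zone and `cp-trust-any` for its "any" source, while `cp-from-lan` (internal subnet, trusted zone) passes; `support1` is reported because it is not in the baseline. Rules whose service is "any" are also examined, since they reach the portal ports just as surely as a dedicated service object does.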

Long-term hardening post-patch

  • Enable Strict Source Authentication on the Authentication Portal
  • Audit every policy rule that relies on User-ID mappings — a forged post-exploitation mapping can bypass filtering
  • Rotate credentials of all PAN-OS admin accounts and LDAP/SAML integrations
  • Verify configuration integrity by comparing to your last reliable backup

Why Continuous Monitoring of Firewalls Matters

Perimeter firewalls are among the most coveted targets — root RCE on PAN-OS hands attackers the keys to decrypted traffic and the security configuration itself. The gap between advisory publication and KEV addition here is just a few hours: without automated monitoring, your firewalls can be compromised before you've even scheduled the maintenance window.

With cveo.tech, inventory your Palo Alto, Fortinet, Cisco, and other firewalls and get automatic email alerts whenever a critical CVE — especially one added to the CISA KEV — targets one of your exact versions. So you patch before the exploit lands.
