Blog categories
Weekly newsletter
No spam. Just the latest releases and tips, interesting articles, and exclusive interviews in your inbox every week.
Latest from the blog
CVE-2026-0300: Unauthenticated Buffer Overflow Leading to Root RCE in PAN-OS User-ID Authentication Portal
Posted on: 25 May 2026 Author: Foresiet
Introduction
CVE-2026-0300 is a critical buffer overflow vulnerability in the User-ID Authentication Portal service, also known as Captive Portal, within PAN-OS. It allows unauthenticated remote attackers to send specially crafted packets and achieve arbitrary code execution with root privileges on affected PA-Series and VM-Series firewalls. The flaw stems from improper handling of input data in the authentication portal component, enabling out-of-bounds writes that corrupt memory and grant full system control. Actively exploited in the wild since early May 2026, this issue exposes firewalls with the portal enabled and accessible from untrusted networks. This analysis examines the vulnerability mechanics, exploitation patterns, forensic indicators, and protective steps observed up to late May 2026.
Rated CVSS 9.3 (Critical), CVE-2026-0300 (CWE-787: Out-of-Bounds Write) permits unauthenticated remote code execution as root on vulnerable PAN-OS versions. Exploitation requires only network reachability to the portal service—no credentials or user interaction needed. Attacks involve malformed packets that overflow buffers during authentication handling, leading to shellcode execution in kernel or privileged context. Active campaigns target exposed firewalls for persistence, data exfiltration, and lateral movement. Patches began rolling out around mid-May 2026, but interim mitigations focus on disabling the portal or restricting access. The vulnerability affects specific PAN-OS releases on hardware and virtual appliances while sparing other management components.
The Vulnerability Works
The User-ID Authentication Portal handles user identification for traffic where IP-to-user mapping is unavailable. It processes HTTP/HTTPS requests and related packets for authentication flows. CVE-2026-0300 arises in the packet parsing logic, where insufficient bounds checking on input fields allows oversized or malformed data to overflow stack or heap buffers.
Attackers craft packets with carefully tuned payloads—often targeting fields in authentication requests or captive portal redirects. The overflow overwrites adjacent memory structures, including return addresses or function pointers, redirecting execution to attacker-controlled code. Successful exploitation yields a root shell on the firewall, enabling full command execution, configuration changes, and installation of backdoors.
Example of a simplified trigger concept (illustrative packet crafting in Python for research/testing environments):

In practice, real exploits refine the offset, ROP chains, and shellcode to bypass mitigations like ASLR or stack protections present in PAN-OS. Post-exploitation, attackers often establish persistence through modified system services or injected modules while clearing relevant logs.
Observed logs during exploitation may include anomalies in authentication service entries, such as unexpected crashes followed by restarts or unusual process executions under high privileges.
Exploitation in the Wild (as of May 2026)
Exploitation emerged shortly before public disclosure, with attackers scanning for exposed Captive Portal instances. Successful compromises grant immediate root access, used for dumping configurations, installing miners, or pivoting into internal networks. Campaigns remain targeted toward organizations with internet-facing firewalls running vulnerable PAN-OS builds where the User-ID portal is active. No mass worm-like propagation has dominated, but automated tools for packet crafting circulate in underground channels. Firewalls without the portal enabled or properly segmented remain unaffected.
Indicators of Compromise (IOCs)
Detection relies on network and system artifacts. Monitor for anomalous traffic to portal ports (typically 443 or configured redirects) containing oversized or irregular authentication payloads. Firewall logs may show repeated failed or malformed requests preceding suspicious activity.
Key IOC patterns include:
- Sudden root-level process spawns or unexpected daemon restarts in system logs.
- Network connections from unknown sources to the authentication service with high packet variance.
- Modified configuration files or new user accounts post-compromise.
- Memory corruption indicators, such as service crashes in portal-related components.
Sample log excerpt for suspicious activity:

Check for unauthorized SSH sessions, unexpected binaries in /var or /opt directories, and deviations in running processes. Packet captures revealing repeated long User-Agent strings or crafted headers serve as strong network indicators.
Mitigation and Best Practices
Apply available PAN-OS patches immediately upon release. For unpatched systems, disable the User-ID Authentication Portal entirely if not required, or restrict access via strict ACLs allowing only trusted IP ranges. Segment management interfaces from the internet and enable comprehensive logging for the authentication service. Regular integrity checks on system files and monitoring for anomalous root activity enhance detection. In compromised environments, isolate the device, perform full forensic imaging, and rebuild from trusted sources.
Conclusion
CVE-2026-0300 highlights the severe risks of exposed authentication services in perimeter security appliances, where a single buffer overflow can lead to complete device takeover. Its rapid exploitation in May 2026 underscores the need for prompt patching and hardened configurations. Organizations must prioritize visibility into portal usage and enforce least-privilege network exposures to limit the impact of similar flaws in the future. Continuous monitoring and proactive service management remain essential for maintaining firewall integrity against these high-severity threats.
About us!
Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization’s defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.
Latest
From the blog
The latest industry news, interviews, technologies, and resources.