
Flaw Overview: Captive Portal Buffer Overflow
Palo Alto’s advisory rates the flaw at the top of its severity scale: CVSS 9.3 and “Highest” urgency. The issue is a buffer overflow in the PAN‑OS User‑ID Authentication Portal (captive portal). In practical terms, an unauthenticated attacker can send a specially crafted packet to the captive portal service and gain root code execution on the firewall.
When this portal is exposed to the internet, the flaw is rated CVSS 9.3, versus 8.7 if limited to an internal network. In practice, this means any publicly accessible captive portal creates an urgent zero-day risk.
Affected Versions and Configurations
This vulnerability affects only PA‑Series and VM‑Series firewalls that have the User‑ID captive portal feature enabled. In practice, most unpatched PAN‑OS releases in the 10.2, 11.1, 11.2 and 12.1 branches are vulnerable. Specifically, all builds before the pending security updates are exploitable:
- PAN‑OS 12.1.x: Versions earlier than 12.1.4‑h5 or 12.1.7 (patches due May 13 and 28).
- PAN‑OS 11.2.x: Older 11.2 releases (all builds before the upcoming 11.2.12 update).
- PAN‑OS 11.1.x: Older 11.1 releases (up to 11.1.15).
- PAN‑OS 10.2.x: Legacy 10.2 branch (all builds before the next maintenance release).
Platforms like Prisma Access, Cloud NGFW and Panorama are not impacted; only standalone firewalls with the captive portal enabled are. Administrators should verify whether the portal is turned on under Device > User Identification > Authentication Portal Settings. If it is not needed, it should be disabled.
Active Exploitation and Risk Profile
This flaw is already being targeted in the wild. Palo Alto reports “limited exploitation” against portals exposed to the internet. Security analysts note the vulnerability is classified as “under active exploitation” and requires no special conditions. Attackers can exploit it without credentials or user interaction; the exploit is fully automatable for wide scanning. The attack vector is network-only, complexity is low, and no authentication is needed.
Attack Features:
- Network-based RCE: The attacker sends specially crafted packets to the captive portal. No user interaction or involvement is required.
- Scalable and unauthenticated: Because the attack needs no authentication, it can easily be scaled into mass exploitation.
- Reported in the wild: According to Palo Alto, some attacks have already succeeded against public-facing portals. Limited but confirmed exploitation is often an indicator of highly skilled or even state-sponsored actors.
From an attacker’s perspective, gaining root access to a firewall gives many opportunities. Here are some examples:
- Firewall Compromise: Root-level access means total control over the device. The malicious actor can manipulate firewall policies or mirror encrypted traffic passing through the device.
- Breaching the Network Infrastructure: Since Palo Alto’s devices are deployed to protect enterprise networks from various attacks and threats, compromising such a firewall lets a malicious actor reach other machines or launch attacks from inside the infrastructure.
Such an RCE vulnerability implies that the attacker gains total control over the target device, allowing a breach, alteration of network policies, or complete disruption of its operation.
Mitigation and Urgent Measures
Patches are due mid-May, and action needs to be taken at once. The first patch from Palo Alto will be rolled out on May 13, 2026, followed by other updates by May 28. In the meantime, the following steps are advised:
- Limit Portal Access: Adjust the configuration for the User-ID captive portal so that only authorized internal IP addresses have access. This significantly reduces the risk (from CVSS 9.3 to 8.7).
- Turn Off If Not Required: Should the captive portal not be needed, turn it off until it is patched. This ensures that it will no longer be exploitable.
- Deploy Updates Immediately: Upon release of the patched PAN-OS builds (mid/late May 2026), apply them promptly to remove this exposure.
These measures are highly important. Furthermore, companies are advised to review their firewall configurations immediately. Any authentication portal reachable from beyond the LAN must be treated as a matter of utmost urgency, since exploitation has been confirmed in the wild.
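The three questions a defender has to answer for each firewall are: is the captive portal enabled, is it reachable from the internet, and is the running build one of the fixed ones listed above? The triage helper below is an added example, not code from Palo Alto or from this article. It encodes the fixed builds exactly as this page states them (12.1.4‑h5 or 12.1.7, 11.2.12, 11.1.15; no fixed 10.2 build yet, so every 10.2 build is treated as vulnerable) and maps the two exposure cases to the page’s own 9.3 and 8.7 ratings. It assumes PAN‑OS versions follow the `MAJOR.MINOR.MAINT[-hN]` pattern and that a hotfix such as 12.1.4‑h5 only fixes the 12.1.4 line, so 12.1.5 and 12.1.6 are read as still vulnerable until 12.1.7; those two interpretations are the author’s assumptions.

```python
import re

# Fixed builds as stated in the advisory summary on this page.
# 12.1 has two fixes: the 12.1.4-h5 hotfix and the 12.1.7 maintenance release,
# so (assumption) 12.1.5 and 12.1.6 sit between them and remain vulnerable.
FIXED_BUILDS = {
    "12.1": ["12.1.4-h5", "12.1.7"],
    "11.2": ["11.2.12"],
    "11.1": ["11.1.15"],
    "10.2": [],  # no fixed build published yet: every 10.2 build is vulnerable
}

# Assumed version format: MAJOR.MINOR.MAINT with an optional -hN hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Parse 'MAJOR.MINOR.MAINT[-hN]' into a comparable tuple (hotfix defaults to 0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_fixed(version):
    """True if the build carries the captive-portal overflow fix per this page's list."""
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    if branch not in FIXED_BUILDS:
        raise ValueError(f"branch {branch} is not covered by this advisory summary")
    fixes = [parse_version(f) for f in FIXED_BUILDS[branch]]
    if not fixes:
        return False
    # Fixed if at or past the branch's newest fixed release, or at or past a
    # hotfix on the same maintenance line (12.1.4-h5 covers 12.1.4-hN, N >= 5).
    if v >= max(fixes):
        return True
    return any(v[:3] == f[:3] and v >= f for f in fixes)


def assess(version, portal_enabled, internet_exposed):
    """Return (vulnerable, cvss_as_stated, action) for one firewall.

    The 9.3 / 8.7 values are the two ratings the advisory gives; the actions
    restate the mitigation list above (restrict, disable, patch).
    """
    if not portal_enabled:
        return (False, None, "captive portal disabled: not exposed to this flaw")
    if is_fixed(version):
        return (False, None, "patched build: no action required")
    if internet_exposed:
        return (True, 9.3, "URGENT: restrict the portal to internal IPs or disable it; patch when available")
    return (True, 8.7, "restrict the portal to authorised internal IPs; patch when available")


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, version, portal on?, internet-facing?)
    inventory = [
        ("fw-edge-01", "11.1.10-h3", True, True),
        ("fw-core-02", "12.1.5", True, False),
        ("fw-lab-03", "12.1.4-h5", True, True),
        ("fw-dmz-04", "10.2.9", False, True),
    ]
    for host, ver, portal, exposed in inventory:
        vuln, cvss, action = assess(ver, portal, exposed)
        print(f"{host:<12} {ver:<11} vulnerable={vuln!s:<5} cvss={cvss} -> {action}")
```

Run it against an exported inventory and sort by the returned CVSS value: the 9.3 rows are the internet-facing unpatched portals that the page says to restrict or disable today, the 8.7 rows can be patched in the normal window, and anything that raises `ValueError` is a version string or branch the page does not describe and needs a manual look.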
Conclusion: When the Firewall Becomes the Entry Point
CVE-2026-0300 exposes a hard truth about perimeter security. The devices built to enforce trust can become the fastest path to compromise when their own management and authentication services are exposed. In this case, a buffer overflow in the PAN-OS User-ID captive portal can give an unauthenticated attacker root-level code execution on the firewall itself.
Why This Threat Matters
This flaw is dangerous because it targets the control point that decides what traffic is allowed, blocked, inspected, or trusted.
- The attack requires no credentials or user interaction.
- Public-facing captive portals can be scanned and exploited at scale.
- Root access to the firewall can enable policy manipulation, traffic mirroring, disruption, and deeper network intrusion.
Why Organizations Stay Exposed
Firewall services are often treated as hardened by default, but exposure changes the risk completely. If the captive portal is reachable from the internet and the affected PAN-OS version is unpatched, the firewall itself becomes the attack surface.
Where Xcitium Changes the Outcome
For organizations using Xcitium Vulnerability Assessment, this exposure should be visible before attackers find it.
- Internet-facing captive portals can be identified and prioritized for urgent review.
- Vulnerable PAN-OS versions can be surfaced for immediate remediation.
- Risky configurations, such as unnecessary User-ID Authentication Portal exposure, become actionable before exploitation begins.
If you have Xcitium in place, this attack does not succeed the same way, because the exposed path is identified, reduced, and remediated before root access is possible.
Secure the Control Plane Before It Is Turned Against You
Patch as soon as fixed PAN-OS builds are available, disable the captive portal if it is not required, and restrict access to authorized internal IP ranges only. A firewall is only a defense if its own control surface is continuously verified.