PAN-OS unauth RCE exploited in the wild (CVE-2026-0300) [PoC]
Actively exploited in the wild - CVE-2026-0300 is a critical (CVSS v4 9.3) buffer overflow in Palo Alto Networks PAN-OS User-ID Authentication Portal (Captive Portal) that grants unauthenticated attackers remote code execution as root on PA-Series and VM-Series firewalls. CISA has added this CVE to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation.
Overview
CVE-2026-0300 is a buffer overflow vulnerability in the User-ID Authentication Portal service of Palo Alto Networks PAN-OS software. An unauthenticated attacker can trigger this flaw by sending specially crafted network packets to the service, leading to arbitrary code execution with root privileges on the affected firewall appliance.
The vulnerability affects PA-Series and VM-Series firewalls running vulnerable PAN-OS versions. Prisma Access, Cloud NGFW, and Panorama appliances are not impacted.
Palo Alto Networks rated this CVE 9.3 (CRITICAL) on the CVSS v4 scale. NIST's analysis is still in progress and no v3.x score has been published yet, but the vendor v4 score and the CISA KEV listing both confirm the severity. The risk is significantly reduced if administrators follow Palo Alto Networks best practice guidelines and restrict access to the User-ID Authentication Portal to trusted internal IP addresses only.
Impact
A successful exploit allows an unauthenticated attacker to execute arbitrary code with root privileges on the target firewall. This enables the attacker to:
- Gain full administrative control of the firewall
- Modify firewall rules and security policies
- Intercept or redirect network traffic
- Deploy persistent backdoors or malware
- Use the compromised firewall as a pivot point into the internal network
Remediation and Mitigation
Immediate Action: Restrict access to the User-ID Authentication Portal to only trusted internal IP addresses per Palo Alto Networks best practice guidelines: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail
Vendor Patch: Palo Alto Networks is expected to release security patches for affected PAN-OS versions. Monitor the vendor advisory page for updates.
Mitigation Steps:
- Review and tighten firewall rules limiting access to the User-ID Authentication Portal
- Apply network segmentation to isolate management and authentication interfaces
- Monitor for suspicious network traffic targeting the Captive Portal service
- Implement intrusion detection/prevention signatures if available
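One way to check whether the access restriction above actually holds, as an added example that is not part of this advisory or of any Palo Alto Networks tooling: it walks constructed traffic records and flags connections to the Authentication Portal ports from outside the trusted ranges. The portal ports, the trusted networks and the key=value record layout are all assumptions to adapt to your deployment and log export.

```python
import ipaddress

# Assumptions (not from the advisory): the ports the Authentication Portal listens on
# and the internal ranges treated as trusted. Adjust both to your deployment.
PORTAL_PORTS = {6080, 6081}
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample records in a simple key=value layout (not a real PAN-OS log export).
SAMPLE_LOG = """\
2026-01-15T10:01:02Z src=10.20.30.40 dst=10.1.1.1 dport=6081 proto=tcp action=allow
2026-01-15T10:01:05Z src=203.0.113.7 dst=10.1.1.1 dport=6081 proto=tcp action=allow
2026-01-15T10:01:09Z src=198.51.100.9 dst=10.1.1.1 dport=443 proto=tcp action=allow
2026-01-15T10:01:11Z src=192.168.5.6 dst=10.1.1.1 dport=6080 proto=tcp action=allow
2026-01-15T10:01:15Z src=203.0.113.8 dst=10.1.1.1 dport=6080 proto=tcp action=deny
"""


def parse_line(line: str) -> dict:
    """Split one record into a dict; the first token is the timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    rec["dport"] = int(rec["dport"])
    return rec


def is_trusted(src: str) -> bool:
    """True when the source address falls inside one of the trusted ranges."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETS)


def untrusted_portal_hits(log: str, allowed_only: bool = False) -> list:
    """Return records that reach a portal port from outside the trusted ranges.

    With allowed_only=True only connections the policy let through are returned; those
    are the exposure the KB guidance removes. Denied attempts are still worth watching
    as scanning indicators against the Captive Portal service.
    """
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dport"] not in PORTAL_PORTS or is_trusted(rec["src"]):
            continue
        if allowed_only and rec["action"] != "allow":
            continue
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in untrusted_portal_hits(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["src"]} -> :{hit["dport"]} ({hit["action"]})')
```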
Security Insight
This vulnerability illustrates a real timing gap in CVE scoring: vendor CNAs (Palo Alto here) can publish CVSS v4 scores at disclosure, while NIST’s v3.x analysis lags by days or weeks. Until NIST completes its analysis, automated tooling that only consumes v3.x metrics will see a CVE with no score and may under-rate it — even when the vendor flagged it CRITICAL and CISA added it to KEV. Organizations should treat any CISA KEV-listed vulnerability as urgent regardless of which CVSS version is published, and apply mitigations or patches immediately. For deeper analysis, see our related coverage on PAN-OS RCE CVE-2026-0300 exploited in the wild.
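The scoring gap described above in code, as an added example that is not part of this advisory: a naive prioritizer keyed only on the NVD v3.x score leaves this CVE unscored, while one that consults KEV first and falls back to the vendor v4 score ranks it urgent. The record fields and the severity thresholds are assumptions; the PAN-OS record is constructed to mirror the state the text describes (vendor v4 9.3, no v3.x yet, listed in KEV).

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class VulnRecord:
    cve: str
    vendor_cvss_v4: Optional[float]  # CNA score available at disclosure
    nist_cvss_v3: Optional[float]    # NVD v3.x score; None while NIST analysis is pending
    in_cisa_kev: bool


def severity_band(score: float) -> str:
    """Map a CVSS base score to its qualitative rating (same bands for v3.x and v4)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def v3_only_priority(rec: VulnRecord) -> str:
    """What tooling that consumes only the NVD v3.x metric concludes."""
    if rec.nist_cvss_v3 is None:
        return "unscored"
    return severity_band(rec.nist_cvss_v3)


def kev_aware_priority(rec: VulnRecord) -> str:
    """KEV listing wins outright; otherwise use whichever CVSS score exists, v3.x first."""
    if rec.in_cisa_kev:
        return "urgent"
    score = rec.nist_cvss_v3 if rec.nist_cvss_v3 is not None else rec.vendor_cvss_v4
    if score is None:
        return "unscored"
    return severity_band(score)


# Constructed record mirroring the state described above: vendor v4 9.3, no NVD v3.x yet, in KEV.
PAN_OS_RECORD = VulnRecord("CVE-2026-0300", vendor_cvss_v4=9.3, nist_cvss_v3=None, in_cisa_kev=True)
# Constructed control record with a placeholder id: vendor score only, not in KEV, so v4 decides.
CONTROL_RECORD = VulnRecord("CVE-EXAMPLE-0001", vendor_cvss_v4=7.5, nist_cvss_v3=None, in_cisa_kev=False)

if __name__ == "__main__":
    for rec in (PAN_OS_RECORD, CONTROL_RECORD):
        print(rec.cve, "v3-only:", v3_only_priority(rec), "kev-aware:", kev_aware_priority(rec))
```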
Public PoC References
Unverified third-party code
These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).
Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.
| Repository | Stars |
|---|---|
| qassam-315/PAN-OS-User-ID-Buffer-Overflow-PoC A research-grade Proof-of-Concept (PoC) for CVE-2026-0300, targeting the Buffer Overflow vulnerability in Palo Alto Networks PAN-OS User-ID™ Authentication Portal (CWE-787). | ★ 2 |
| mr-r3b00t/CVE-2026-0300 a honeypot for CVE-2026-0300 | ★ 1 |
| bannned-bit/CVE-2026-0300-PANOS Security Research and Proof-of-Concept (PoC) for CVE-2026-0300 : Unauthenticated Remote Code Execution (RCE) in Palo Alto Networks PAN-OS User-ID Portal. | ★ 0 |
Showing 3 of 3 known references. Source: nomi-sec/PoC-in-GitHub.