InSEKurity of the Week (CW19/2026): Palo Alto PAN-OS User-ID Portal Unauthenticated Root RCE (CVE-2026-0300)
A buffer overflow in the PAN-OS User-ID Authentication Portal lets a remote, unauthenticated attacker pop a root shell on PA-Series and VM-Series firewalls -- CVSS 9.3, CISA KEV, actively exploited by a likely state-sponsored cluster (CL-STA-1132)
This week in our InSEKurity of the Week series: a critical buffer overflow in the User-ID Authentication Portal — the artist formerly known as the “Captive Portal” — of Palo Alto Networks PAN-OS. The bug, CVE-2026-0300, lets a remote, unauthenticated attacker fire specially crafted packets at a vulnerable PA-Series or VM-Series firewall and land a shell as root on the firewall itself, with no credentials, no user interaction, and no rate-limited authentication path to chew through. CVSS 4.0 9.3 (Critical). Palo Alto’s threat-intel unit (Unit 42) attributes the in-the-wild exploitation to CL-STA-1132, a “likely state-sponsored” cluster that has been combining the bug with EarthWorm and ReverseSocks5 tunneling to enumerate Active Directory from the compromised firewall. CISA added CVE-2026-0300 to the Known Exploited Vulnerabilities catalog on 2026-05-06 with a federal patching deadline of 2026-05-09. With roughly 225,000 internet-facing PAN-OS instances indexed by Shodan, this is the patch-now bug of the week for anyone running PAN-OS at the perimeter.
Summary
- CVE ID: CVE-2026-0300
- CVSS 4.0 Score: 9.3 (Critical) when access is exposed to untrusted networks; reduces to 8.7 (High) when access is restricted to adjacent/trusted networks
- CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
- CWE: CWE-787 (Out-of-bounds Write)
- CAPEC: CAPEC-100 (Overflow Buffers)
- Affected Software: Palo Alto Networks PAN-OS on PA-Series and VM-Series firewalls when the User-ID Authentication Portal (a.k.a. Captive Portal) is enabled and the management interface profile attached to the L3 interface has response pages enabled in a zone that accepts untrusted/internet traffic
- Not Affected: Cloud NGFW, Prisma Access, Panorama (all versions and configurations)
- Attack Vector: Network (specially crafted packets to the Authentication Portal service)
- Authentication Required: No — pre-auth
- User Interaction: None
- Impact: Arbitrary code execution as root on the firewall data plane — full takeover of the device, including AD-joined service accounts, configuration secrets, IPsec/SSL VPN tunnels, and pivot capability into the internal network
- Patch Status: Hotfix builds rolling out from 2026-05-13 through 2026-05-28 across the supported PAN-OS trains (10.2, 11.1, 11.2, 12.1)
- Published: Palo Alto advisory 2026-05-05; updated 2026-05-07
- Exploitation Status: Active in-the-wild exploitation observed since 2026-04-16; attributed to CL-STA-1132 (Unit 42); PoC code circulating on GitHub and underground forums; CISA KEV listed 2026-05-06 with federal due date 2026-05-09
What is the PAN-OS User-ID Authentication Portal?
PAN-OS is Palo Alto Networks’ flagship operating system for its next-generation firewalls — the PA-Series hardware appliances that sit at perimeters and segmentation boundaries of countless enterprise networks, and the VM-Series virtual firewalls that play the same role in public-cloud and virtualized environments. Palo Alto Networks is one of the dominant NGFW vendors worldwide, and PAN-OS handles north-south firewalling, IPSec / SSL VPN, URL filtering, IPS, decryption, and the User-ID subsystem that maps IP addresses to authenticated user identities for policy decisions.
The User-ID Authentication Portal — a feature better known to administrators by its historical name Captive Portal — is one of the User-ID identity-mapping mechanisms. When a request arrives from an IP the firewall cannot yet map to a user (no agent, no syslog, no XFF header), PAN-OS can transparently redirect the user’s browser to a web portal hosted on the firewall itself, prompt for credentials (Kerberos, NTLM, SAML, or local form-based), and bind the resulting username to the source IP for subsequent policy decisions. The portal is an HTTP/HTTPS service exposed on whichever L3 interfaces the administrator enables it on, listening on the firewall’s dataplane CPU.
The portal is not enabled by default, but it is widely deployed in environments that mix BYOD with guest networks, in higher-education networks that need to identify users behind NAT, in retail/hospitality SSIDs, and in any environment that needs identity-based policy without rolling out the dedicated User-ID Agent on every endpoint. Crucially, organizations that need browser-based authentication for guest or contractor access frequently expose the portal on internet-facing zones — which is exactly the configuration that turns CVE-2026-0300 from “needs to ride in over a VPN” into “needs a TCP connection from anywhere on the planet.”
Typical Use Cases
- Guest / BYOD identity capture — WLANs and segmented user networks where endpoints are not domain-joined and need a browser-based login before policy can identify them.
- Higher-education campus networks — shared NAT egress with per-user policy requires the portal to bind identities to source IPs.
- Retail / hospitality SSIDs — captive portals as a terms-of-service splash page and AAA hand-off in one.
- Branch offices without a User-ID agent — small sites that cannot host a dedicated User-ID agent fall back to the portal.
- Contractor / third-party access — portal-driven enrollment for external users who would not otherwise be visible to PAN-OS policy.
- Compliance audit trails — regulated environments that need a per-user record on the perimeter device.
Internet exposure of the portal is widespread. Shodan indexes roughly 225,000 internet-facing PAN-OS instances, of which a non-trivial slice has the User-ID Authentication Portal reachable. That is the population in scope for unauthenticated, root-level remote takeover via CVE-2026-0300.
Technical Analysis
Vulnerability Description
CVE-2026-0300 is an out-of-bounds write (CWE-787) in the PAN-OS service that handles requests to the User-ID Authentication Portal. A specially crafted packet sent to the portal’s listener triggers a buffer overflow on the dataplane, allowing an unauthenticated remote attacker to overwrite memory adjacent to the affected buffer and redirect execution into attacker-supplied shellcode. The shellcode runs in the context of the portal-handling worker — Unit 42’s analysis describes the observed in-the-wild payload as being injected into an nginx worker process — which on PAN-OS runs as root.
There is no authentication path involved, no certificate validation gating the overflow, no captcha, no rate limit on the vulnerable code path. The packet reaches the bug before the user is asked to log in, because the bug lives in the request-parsing layer that runs before credential validation. Palo Alto’s advisory notes the bug is automatable, which in the FIRST.org Exploit Maturity vocabulary means a single working exploit can be scripted to sweep the internet without manual interaction.
Root Cause Analysis
- Internet-reachable parser before authentication: the User-ID Authentication Portal listener accepts and parses requests on the dataplane before the credential check, so the vulnerable code path is reachable pre-auth.
- Out-of-bounds write on the request path: a buffer in the request-handling routine is written past its bounds when fed a specially crafted packet (CWE-787). Palo Alto has not publicly released the exact field or struct involved at time of writing — expected to be detailed in the next round of vendor write-ups after the patch window closes.
- Dataplane process privilege: the affected worker (nginx, per Unit 42) runs as root on PAN-OS, so successful exploitation yields immediate root rather than a confined service user.
- Optional feature, but no guardrail on exposure: the Authentication Portal is opt-in (off by default), but the administrative configuration surface does not warn against exposing the portal to untrusted zones. Enabling response pages on the management interface profile of an internet-facing L3 interface is a single checkbox.
- Threat Prevention rule arrives late: Palo Alto’s content-based protection (Threat ID 510019) ships in Applications/Threats version 9097-10022 and requires PAN-OS 11.1 or later. Devices running 10.2 or earlier cannot use the content-based mitigation and must rely on configuration changes until they receive a hotfix.
- Failover does not save you: Unit 42 documented a 2026-04-29 incident where the attacker triggered a SAML flood to force failover to a secondary device and then re-exploited the same bug against the now-active partner. A single patch wave that misses standby devices leaves a foothold.
Attack Vector
The end-to-end attack path is straightforward: identify a vulnerable, internet-exposed Authentication Portal; deliver a single crafted packet; gain root on the firewall; pivot to internal AD and lateral targets. The snippets below are illustrative only and intentionally non-functional — they show the shape of the attack so defenders can recognize the relevant primitives.
# Step 1: Discovery - identify candidate PAN-OS devices exposing the
# Authentication Portal. The portal returns a recognizable HTML
# response page on the configured L3 interface. An attacker would
# typically scan port 443 and look at the response body / TLS SNI
# rather than fingerprint a banner directly. As a defender you can
# replicate the same view on your own perimeter:
curl -sk -H "Host: vpn.example.com" https://198.51.100.10/ | \
grep -Ei "User-ID|Authentication Portal|Captive Portal"
# Step 2: Confirm the portal is reachable from an untrusted source.
# A vulnerable configuration has response pages enabled on the
# management interface profile attached to the L3 interface in the
# untrust zone.
curl -sk -o /dev/null -w "%{http_code} %{redirect_url}\n" \
https://198.51.100.10/
# Step 3: Send the crafted overflow packet. The publicly circulating
# PoC tooling targets the Authentication Portal request parser with
# a packet that overflows an out-of-bounds buffer (CWE-787) and
# redirects execution into shellcode injected into the nginx worker
# process. The shellcode pulls a stage-2 (EarthWorm SOCKS5 tunneler
# or ReverseSocks5 in the observed in-the-wild campaign) and
# establishes outbound C2.
#
# *** ILLUSTRATIVE ONLY - NOT A WORKING EXPLOIT ***
python3 - <<'PY'
import socket, ssl, sys
target = ("198.51.100.10", 443)
# The real exploit crafts a specific request that triggers the
# out-of-bounds write in the portal request parser. The shape of
# the packet is what defenders should recognize - oversized field
# in an unauthenticated portal request, followed by an obvious
# shellcode-shaped payload reaching the dataplane.
sock = ssl.wrap_socket(socket.create_connection(target))
sock.sendall(b"POST /unauth/Captive_Portal_Login.esp HTTP/1.1\r\n"
b"Host: vpn.example.com\r\n"
b"Content-Length: 4096\r\n\r\n" + b"A" * 4096)
sock.close()
PY
# Step 4: Post-exploitation - the in-the-wild operator (CL-STA-1132)
# stages tunneling tools on the firewall and enumerates AD via the
# firewall's service account.
#
# Observed artifacts on the firewall (from Unit 42's IoCs):
# /var/tmp/linuxap # EarthWorm SOCKS5
# /var/tmp/linuxda # EarthWorm SOCKS5
# /var/tmp/linuxupdate # EarthWorm SOCKS5
# /tmp/.c # Python loader script
# /tmp/R5 /var/R5 # ReverseSocks5
echo "If you see any of the paths above on a PAN-OS dataplane: incident."
A simplified packet-level view of the attack:
Attacker (Internet)                                       PAN-OS firewall
        |                                                         |
        |  TCP/443 to Authentication Portal listener              |  nginx worker
        |-------------------------------------------------------->|  (root)
        |                                                         |
        |  POST to portal endpoint, oversized field               |  request parser
        |  -> OOB write (CWE-787)                                 |  (pre-auth)
        |-------------------------------------------------------->|
        |                                                         |
        |          shellcode runs in nginx worker as root         |  dataplane
        |                                                         |
        |  outbound stage-2: EarthWorm / ReverseSocks5            |  C2 from
        |<--------------------------------------------------------|  firewall
        |                                                         |
        |  pivot: AD enumeration via firewall svc account         |  via internal
        |<--------------------------------------------------------|  interface
        v                                                         v
Exploitation in the Wild
Unit 42 reconstructed the in-the-wild timeline against confirmed victim environments:
- 2026-04-09 — First observed exploitation attempts; the initial volleys are unsuccessful as the operator tunes the exploit against the deployed PAN-OS variants.
- 2026-04-16 — First successful RCE; shellcode is injected into an nginx worker process running as root on the firewall.
- 2026-04-20 — Post-compromise housekeeping: the attacker clears the kernel ring buffer of crash messages, deletes core dumps, removes nginx crash records, and stages tunneling tools.
- 2026-04-29 — Operator triggers a SAML flood to force HA failover to the secondary device, then re-exploits the same bug against the now-active partner.
- 2026-05-05 — Palo Alto publishes the security advisory.
- 2026-05-06 — CISA adds CVE-2026-0300 to the Known Exploited Vulnerabilities catalog with a federal due date of 2026-05-09.
- 2026-05-07 — Advisory updated with attribution and acknowledgments.
- 2026-05-13 onward — First hotfix builds become available (12.1.4-h5); remaining trains roll out through 2026-05-28.
Unit 42 attributes the observed activity to CL-STA-1132, characterized as a “likely state-sponsored” cluster with disciplined operational tradecraft — non-persistent access windows below behavioral detection thresholds, preference for open-source dual-use tools over bespoke malware, and emphasis on identity-trust abuse rather than noisy network-layer pivoting.
Post-Exploitation Impact
- Root on the firewall: full control of the data plane, including the ability to read and write the on-disk configuration, modify NAT/routing rules, decrypt SSL inspection key material, and disable logging.
- AD enumeration via firewall service accounts: in observed cases the operator used the firewall’s domain-joined service account credentials to enumerate the domain root and DomainDnsZones from inside the network.
- Outbound tunneling: EarthWorm and ReverseSocks5 stand up SOCKS5 channels from the firewall outward, letting the operator route attacker traffic through the perimeter device that is supposed to be filtering it.
- HA failover abuse: triggering a SAML flood forces failover and gives the operator a second bite at the apple against the standby unit if it was not patched in the same maintenance window.
- Log destruction: kernel crash messages, nginx crash records, core dumps, ptrace evidence, and SUID-binary artifacts are wiped to slow incident response.
- VPN compromise: with root on PAN-OS, IPsec / SSL VPN keys, RADIUS shared secrets, and SAML signing material can all be exfiltrated — expanding the blast radius far beyond the firewall itself.
- Persistence: although PAN-OS upgrade paths reset most data plane state, an operator with root can plant configuration changes, scheduled commits, or content updates that survive routine maintenance.
Impact Assessment
Immediate Impact
- CVSS 9.3 Critical, fully pre-auth, automatable: any vulnerable internet-exposed instance is a candidate target for mass exploitation.
- Active in-the-wild exploitation since 2026-04-16: this is not a “wait and see” CVE — attribution is to a likely state-sponsored cluster operating with discipline.
- CISA KEV listed with a 2026-05-09 federal due date: regulators consider the threat established.
- Roughly 225,000 internet-facing PAN-OS instances (Shodan) define the absolute upper bound of the exposed population; the actually-vulnerable slice is the subset with the Authentication Portal enabled on a response-page-enabled L3 interface.
- Patch availability staggered through 2026-05-28: organizations on PAN-OS trains scheduled for the late hotfix windows must rely on configuration mitigations in the meantime.
- HA failover does not protect you: standby devices share the same software image. Patch the pair, not the active node alone.
Affected Versions
| PAN-OS Train | Vulnerable Below | First Fixed Build | Hotfix ETA |
|---|---|---|---|
| 12.1 | 12.1.4-h5; 12.1.7 | 12.1.4-h5 | 2026-05-13 |
| 12.1 | — | 12.1.7 | 2026-05-28 |
| 11.2 | 11.2.4-h17; 11.2.7-h13; 11.2.10-h6; 11.2.12 | Multiple per train | Rolling 2026-05-13 to 2026-05-28 |
| 11.1 | 11.1.4-h33; 11.1.6-h32; 11.1.7-h6; 11.1.10-h25; 11.1.13-h5; 11.1.15 | Multiple per train | Rolling 2026-05-13 to 2026-05-28 |
| 10.2 | 10.2.7-h34; 10.2.10-h36; 10.2.13-h21; 10.2.16-h7; 10.2.18-h6 | Multiple per train | Rolling 2026-05-13 to 2026-05-28 |
| Cloud NGFW | — | Not affected | — |
| Prisma Access | — | Not affected | — |
| Panorama | — | Not affected | — |
Cross-reference your specific minor version against the vendor advisory before declaring a device patched. PAN-OS hotfix builds (the -h suffix) are train-specific, so an 11.1.4 device needs 11.1.4-h33, not the same hotfix number on a different train.
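Because the fixed builds are a mix of train-specific hotfixes and plain releases, "am I patched?" is easy to get wrong by comparing version numbers by hand. The following Python is an added example (not vendor code) that encodes the table above and checks a fleet inventory against it. It assumes one reading of the table that the advisory itself does not spell out: a -hN build fixes only its own maintenance release, while a plain release such as 12.1.7 fixes itself and every later release of that train; anything not covered by a listed build is reported as vulnerable so the check fails closed. The inventory and hostnames are constructed.

```python
import re
from typing import NamedTuple


class PanOsVersion(NamedTuple):
    """A PAN-OS build number: major.minor.maintenance with an optional -hN hotfix."""
    major: int
    minor: int
    maint: int
    hotfix: int  # 0 when the build carries no -h suffix


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> PanOsVersion:
    """Parse '11.1.4-h33' into PanOsVersion(11, 1, 4, 33); reject anything else."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"not a PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = match.groups()
    return PanOsVersion(int(major), int(minor), int(maint), int(hotfix or 0))


# First fixed builds per train, copied from the advisory table on this page.
FIXED_BUILDS = {
    "12.1": ["12.1.4-h5", "12.1.7"],
    "11.2": ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15"],
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6"],
}


def is_fixed(version: str) -> bool:
    """True only when the running build is covered by a listed fixed build.

    Assumed reading of the table (our interpretation, not the vendor's wording):
    a -hN build fixes only its own maintenance release, a plain release fixes
    itself and every later release of its train. Unknown trains and releases
    that no listed build covers are treated as vulnerable (fail closed).
    """
    running = parse_version(version)
    train = f"{running.major}.{running.minor}"
    for fixed in FIXED_BUILDS.get(train, []):
        fix = parse_version(fixed)
        if fix.hotfix:
            same_release = running[:3] == fix[:3]
            if same_release and running.hotfix >= fix.hotfix:
                return True
        elif running >= fix:
            return True
    return False


def ha_pair_fixed(active: str, standby: str) -> bool:
    """An HA pair is only safe when both members are fixed (cf. the 2026-04-29 failover incident)."""
    return is_fixed(active) and is_fixed(standby)


def triage(inventory: dict) -> dict:
    """Map hostname -> version onto hostname -> 'fixed' / 'VULNERABLE'."""
    return {host: ("fixed" if is_fixed(ver) else "VULNERABLE") for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for demonstration purposes.
    fleet = {
        "fw-edge-01": "11.1.4-h33",
        "fw-edge-02": "11.1.4-h32",
        "fw-dc-01": "12.1.8",
        "fw-lab": "10.2.19",
    }
    for host, status in triage(fleet).items():
        print(f"{host:12} {fleet[host]:12} {status}")
    print("edge pair protected:", ha_pair_fixed(fleet["fw-edge-01"], fleet["fw-edge-02"]))
```

Feed it the output of `show system info | match sw-version` from every member of every HA pair; a pair reports as protected only when both members pass, which is the point of the failover incident described above.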
Affected Environments
- Internet-facing perimeter firewalls with the Authentication Portal enabled for guest / BYOD / contractor access.
- Higher-education campus deployments that use the portal to map identities behind NAT.
- Retail and hospitality SSID gateways that use PAN-OS portals as the captive-portal endpoint.
- Healthcare and regulated environments that need per-user attribution on the perimeter device.
- Federal civilian executive branch (FCEB) agencies subject to BOD 22-01 and the 2026-05-09 KEV deadline.
- MSP / MSSP managed PAN-OS fleets, where a single missed standby device leaves a tenant exposed.
Attacker Profiles
- State-sponsored intelligence collection (CL-STA-1132, per Unit 42): targets configurations of value — AD service accounts, VPN concentrators, decryption key material — and prizes stealth and persistence over noisy lateral movement.
- Initial access brokers: pre-auth, root-level RCE on a perimeter device is highly marketable; expect listings on criminal forums within days of public PoC weaponization.
- Ransomware affiliates: a compromised perimeter firewall yields RADIUS / SAML / VPN credentials and a stable foothold from which to disable security tooling before encryption.
- Hacktivist operators: high-visibility, easy-to-script bug against a recognizable vendor — defacement campaigns and disruption are plausible secondary uses.
- Red teams / authorized penetration testers: any engagement scope that includes the perimeter should treat this as the headline test case for May 2026.
Mitigation Strategies
Immediate Actions (Priority 1)
- Identify which devices are in scope. The Authentication Portal must be enabled and response pages must be enabled on the interface management profile of an L3 interface in a zone that accepts untrusted traffic. Confirm in the GUI under Device > User Identification > Authentication Portal Settings and Network > Network Profiles > Interface Mgmt.
- Restrict the Authentication Portal to trusted zones immediately. The vendor-recommended interim mitigation is to remove the portal’s reachability from untrusted networks until a hotfix is applied.
# On the firewall: Network > Network Profiles > Interface Mgmt
# - Find the management interface profile attached to internet-
#   facing L3 interfaces.
# - Disable "Response Pages" on that profile.
# - Alternatively, replace the profile on the untrusted-zone
#   interface with one that has Response Pages disabled.
#
# On the firewall: Device > User Identification > Authentication
# Portal Settings
# - If the Authentication Portal is not operationally required,
#   disable it entirely.
# - If required, ensure the portal is only reachable from
#   trusted zones and is rate-limited at upstream firewalls /
#   load balancers.
- Apply the hotfix as soon as it ships for your train, and reboot the HA pair. Patch both the active and standby members in the same maintenance window. The 2026-04-29 incident in Unit 42’s report exists precisely because a single device in a pair was reachable.
# CLI on the firewall - check current version and request the
# available content / software upgrade information.
show system info | match sw-version
request system software check
request system software download version 12.1.4-h5
request system software install version 12.1.4-h5
request restart system
# For HA pairs, suspend the standby first, upgrade, swap roles,
# upgrade the (now-standby) original active, then resume HA.
request high-availability state suspend
- Enable content-based protection if the train supports it. Threat ID 510019 ships in Applications/Threats content version 9097-10022 and is honored by PAN-OS 11.1 and later.
# On the firewall: Objects > Security Profiles > Vulnerability
# Protection - confirm Threat ID 510019 is set to "reset-both"
# or "drop" on all profiles attached to internet-facing zones.
#
# Verify the content version on the firewall:
show system info | match app-version
- Treat any device that was internet-exposed since 2026-04-09 as potentially compromised. The earliest in-the-wild attempts predate the public disclosure by almost a month. Pull forensic snapshots of dataplane storage before applying the hotfix, since the install will overwrite artifacts.
- Rotate everything PAN-OS could see: AD service accounts bound to the firewall, RADIUS shared secrets, SAML signing certificates, IKE pre-shared keys, SSL-decryption certificate authorities, SNMP community strings, API keys, admin passwords, and any cloud-provider IMDS-reachable role credentials.
Detection Measures
There are three classes of signal: (a) exploitation attempts observable at the network layer, (b) post-compromise artifacts on the firewall itself, and (c) lateral activity from the firewall into internal infrastructure.
# (a) NETWORK LAYER - Look for unauthenticated POSTs / oversized
# requests against Authentication Portal endpoints. The portal
# endpoint paths typically include /unauth/ and end with .esp.
# In your perimeter logs (load balancer, upstream firewall, or
# CDN if you front PAN-OS). Note: in the common "combined" access
# log format field 10 is the *response* size; if your log format
# records the request length (e.g. nginx's $request_length),
# filter on that field instead.
grep -E "POST .*/(unauth|Captive_Portal_Login)\.esp" access.log | \
awk '$10 > 8192' # oversized requests are suspicious
# (b) ON-FIREWALL ARTIFACTS - Unit 42's published IoCs. From the
# CLI or via debug shell with vendor support engaged. These are
# clear incident-mode indicators - do not "just delete" them;
# preserve forensic state before remediation.
debug shell run # invoke only with TAC approval
ls -la /var/tmp/linuxap \
/var/tmp/linuxda \
/var/tmp/linuxupdate
ls -la /tmp/.c /tmp/R5 /var/R5
# (c) LATERAL FROM FIREWALL - In your domain controllers' Security
# logs, watch for unusual LDAP enumeration from the firewall's
# AD service account, especially "DomainDnsZones" and domain root
# queries originating from the firewall's management or service
# IP. SIEM queries:
# src.ip = <firewall> AND event.action = LDAPBindRequest
# src.ip = <firewall> AND ldap.base = "DC=...,DC=local"
Known IoCs (per Unit 42):
- IP addresses: 67.206.213[.]86, 136.0.8[.]48, 146.70.100[.]69 (C2 staging), 149.104.66[.]84
- Staging URL: hxxp[:]//146.70.100[.]69:8000/php_sess (EarthWorm download)
- File hash: e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584 (EarthWorm SOCKS5)
- Artifacts on disk: /var/tmp/linuxap, /var/tmp/linuxda, /var/tmp/linuxupdate, /tmp/.c, /tmp/R5, /var/R5
- HTTP User-Agent: "Safari/532.31 Mozilla/5.5 (Windows NT 10.0; Win64; x64)" (note the implausible “Safari/532.31 Mozilla/5.5” string — a fingerprint by itself)
SIEM detection content (Sigma-style sketch; the numeric comparison uses the `|gt` modifier, since Sigma does not evaluate ">" inside a string value):
title: Suspicious PAN-OS Captive Portal POST with Oversized Body
status: experimental
logsource:
    product: panos
    service: traffic
detection:
    selection:
        application: ssl
        destination_port: 443
        bytes_received|gt: 8192
        url_pattern|contains:
            - /unauth/
            - Captive_Portal_Login.esp
        source_zone_type: untrust
    condition: selection
level: high
tags:
    - cve.2026.0300
    - attack.initial_access
    - attack.t1190
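The grep/awk one-liner under (a), the IoC list and the Sigma sketch all express the same three checks: an oversized POST to a portal endpoint from an untrusted zone, a source address on the Unit 42 list, and the implausible User-Agent. The Python below is an added example (not from Unit 42 or Palo Alto) that runs those checks over a log file offline so you can validate them before loading them into a SIEM. The JSON-lines schema (`src_ip`, `src_zone`, `method`, `path`, `request_bytes`, `user_agent`) and the sample events are constructed for the example; map your own log fields onto those names. It goes slightly beyond the Sigma sketch by also reporting oversized portal POSTs from trusted zones at lower severity.

```python
import json
import re

# Indicators copied from this page's Unit 42 IoC list.
IOC_SOURCE_IPS = {"67.206.213.86", "136.0.8.48", "146.70.100.69", "149.104.66.84"}
IOC_USER_AGENT = "Safari/532.31 Mozilla/5.5 (Windows NT 10.0; Win64; x64)"
# Portal endpoint shape and size threshold from the detection section above.
PORTAL_PATH_RE = re.compile(r"/unauth/|Captive_Portal_Login\.esp")
OVERSIZED_BYTES = 8192

# Constructed JSON-lines log in a made-up reverse-proxy schema, one event per
# line. It is not a PAN-OS log format. The last line is deliberately malformed.
SAMPLE_LOG = """\
{"ts":"2026-05-06T01:12:03Z","src_ip":"203.0.113.5","src_zone":"untrust","method":"GET","path":"/","request_bytes":412,"user_agent":"Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"}
{"ts":"2026-05-06T01:12:09Z","src_ip":"198.51.100.77","src_zone":"untrust","method":"POST","path":"/unauth/Captive_Portal_Login.esp","request_bytes":9250,"user_agent":"python-requests/2.31"}
{"ts":"2026-05-06T01:13:40Z","src_ip":"10.20.30.40","src_zone":"trust","method":"POST","path":"/unauth/Captive_Portal_Login.esp","request_bytes":640,"user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"}
{"ts":"2026-05-06T01:14:02Z","src_ip":"146.70.100.69","src_zone":"untrust","method":"GET","path":"/php/login.esp","request_bytes":300,"user_agent":"curl/8.5.0"}
{"ts":"2026-05-06T01:15:55Z","src_ip":"192.0.2.200","src_zone":"untrust","method":"GET","path":"/","request_bytes":380,"user_agent":"Safari/532.31 Mozilla/5.5 (Windows NT 10.0; Win64; x64)"}
{"ts":"2026-05-06T01:16:10Z","src_ip":"10.20.30.41","src_zone":"trust","method":"POST","path":"/unauth/Captive_Portal_Login.esp","request_bytes":12000,"user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"}
this line is not JSON and must not abort the scan
"""


def parse_log(text: str) -> list[dict]:
    """Parse JSON-lines events, skipping blank or malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def evaluate(event: dict) -> list[tuple[str, str]]:
    """Return (severity, rule) findings for one event; an empty list means no match."""
    findings = []
    oversized_portal_post = (
        event.get("method") == "POST"
        and PORTAL_PATH_RE.search(event.get("path", "")) is not None
        and int(event.get("request_bytes", 0)) > OVERSIZED_BYTES
    )
    if oversized_portal_post:
        # The Sigma sketch only fires for untrusted zones; an oversized portal
        # POST from inside is still worth a look, at lower severity.
        if event.get("src_zone") == "untrust":
            findings.append(("high", "oversized_portal_post_from_untrust"))
        else:
            findings.append(("medium", "oversized_portal_post_from_trusted_zone"))
    if event.get("src_ip") in IOC_SOURCE_IPS:
        findings.append(("high", "source_ip_in_unit42_ioc_list"))
    if event.get("user_agent") == IOC_USER_AGENT:
        findings.append(("high", "unit42_ioc_user_agent"))
    return findings


def scan(text: str) -> list[dict]:
    """Run evaluate() over every event and keep only those with findings."""
    alerts = []
    for event in parse_log(text):
        findings = evaluate(event)
        if findings:
            alerts.append({"ts": event.get("ts"), "src_ip": event.get("src_ip"),
                           "path": event.get("path"), "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        rules = ", ".join(f"{sev}:{rule}" for sev, rule in alert["findings"])
        print(f'{alert["ts"]} {alert["src_ip"]:15} {alert["path"]:35} {rules}')
```

Run against the sample it flags four of the six well-formed events: the 9 KB portal POST from the untrusted zone, the request from a listed C2 address, the request carrying the Unit 42 User-Agent, and (at medium) the 12 KB portal POST from inside. The legitimate 640-byte portal login from the trusted zone stays quiet, which is the false-positive case to keep in mind when tuning the byte threshold.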
Long-term Security Improvements
- Treat perimeter firewalls as Tier-0 assets. PAN-OS, FortiOS, ScreenOS, SonicOS — pick your vendor — the device that filters your network is also a juicy target because it sees everything. Tier-0 means same patch SLA as the domain controller and same logging discipline.
- Never expose identity portals to the public internet unless you really need to. The 2026-04-09 in-the-wild start date is a reminder that “guest WiFi splash page” and “perimeter root RCE” can be the same hostname.
- Patch HA pairs together, always. The CL-STA-1132 SAML-flood failover trick is not unique to this CVE — the same logic applies to every HA-paired security appliance vulnerability.
- Aggressive vendor-advisory SLAs. A 7-day SLA for vendor security advisories on perimeter equipment is a sensible floor; CISA-KEV-listed advisories deserve 72 hours. Live-patch-style hotfix consumption requires both subscription and a patch cadence you can sustain.
- Egress filtering from your firewalls. Your firewalls should not be able to dial out to arbitrary C2 endpoints. Restrict the management plane to your patch server, NTP, syslog, DNS, and the licensing endpoint — and alert on anything else.
- AD service-account isolation: the credential the firewall uses for User-ID lookups should have the absolute minimum LDAP permissions required, audited at every change. Compromise of the firewall should not yield Domain Admin equivalents.
- Rotate VPN PSKs / SSL-decryption CAs on a schedule, not just on incidents. If you can’t rotate quickly when needed, you’ll be tempted to skip the rotation when an incident requires one.
- Threat-Prevention content currency. Threat IDs ship in content updates; if your content versions are weeks old you will miss bug-class signatures (like 510019) on the day they matter most.
Why is this Critical?
- Pre-auth, root, network-reachable: the worst combination of CVSS factors, on a class of device that sits at the edge.
- Active in-the-wild exploitation by a likely state-sponsored cluster: this is not theoretical; attacker tradecraft is documented and validated.
- CISA KEV with a 2026-05-09 federal due date: regulators consider the bar already crossed.
- Roughly 225,000 internet-facing PAN-OS instances (Shodan): the addressable population is enormous, and a subset is in scope for unauthenticated takeover.
- HA failover does not save you: standby devices share the bug, and operators have been observed coercing failover to extend their dwell time.
- Firewall compromise = AD compromise (in observed cases): User-ID service accounts and AD enumeration are the documented post-exploitation primitives.
- Patch availability staggered through 2026-05-28: only operators on the train whose hotfix ships first get the fix on day one; everyone else has to bridge the gap with configuration mitigations.
Timeline and Disclosure
- 2026-04-09 — First observed in-the-wild exploitation attempts (initially unsuccessful) targeting internet-exposed Authentication Portals.
- 2026-04-16 — First successful RCE in the wild; shellcode injected into nginx worker process; CL-STA-1132 activity begins in earnest.
- 2026-04-20 — Operator clears crash messages, deletes core dumps, removes ptrace evidence on compromised devices.
- 2026-04-29 — SAML-flood-triggered HA failover; operator re-exploits the newly active secondary device.
- 2026-05-05 — Palo Alto Networks publishes security advisory CVE-2026-0300 with CVSS 9.3.
- 2026-05-06 — CISA adds CVE-2026-0300 to the Known Exploited Vulnerabilities catalog with federal due date 2026-05-09.
- 2026-05-07 — Vendor advisory updated with attribution to CL-STA-1132 and acknowledgments.
- 2026-05-13 — First hotfix train (12.1.4-h5) shipping.
- 2026-05-13 to 2026-05-28 — Remaining hotfix trains (12.1.7, 11.2.x, 11.1.x, 10.2.x) rolling out.
Resources and References
- CVE: CVE-2026-0300 — MITRE
- Vendor Advisory: CVE-2026-0300 — Palo Alto Networks Security Advisories
- Unit 42 Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution
- CISA KEV Catalog: Known Exploited Vulnerabilities Catalog
- CWE: CWE-787: Out-of-bounds Write
SEKurity Supports You
A pre-authenticated root RCE on the device that filters your network is one of the most consequential failure modes in modern infrastructure security. Perimeter firewalls were sold as the wall around the castle; CVE-2026-0300 is a reminder that the wall has a service running on it, and that service is on the same internet as everyone else’s. We help organizations measure their real exposure to perimeter-equipment CVEs across PAN-OS, FortiOS, and other NGFW estates, validate that hotfixes have actually landed on both HA peers, rehearse post-compromise scenarios that assume a firewall has already been owned, and stress-test detection content against the kind of stealthy tradecraft that CL-STA-1132 is exporting to the rest of the threat-actor market.
Our Services
- Penetration Testing: Web applications, mobile apps (Android & iOS), SAP systems, Active Directory
- Large-Scale Attacks: Perimeter testing, IT infrastructure testing, Red Team engagements
- Security Awareness: Phishing campaigns, hacking demonstrations
Act now — before attackers do.
Contact:
Website: www.sekurity.de
Inquiries: www.sekurity.de/kontakt
LinkedIn: SEKurity GmbH
Your SEKurity Team — Your Trusted Adversaries
The security of your network perimeter is our drive.
Sources
- CVE-2026-0300 — Palo Alto Networks Security Advisories
- Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution — Unit 42
- Critical Buffer Overflow Vulnerability in PAN-OS Exploited in-the-Wild — Wiz Blog
- Critical Buffer Overflow in Palo Alto Networks PAN-OS User-ID Authentication Portal (CVE-2026-0300) — Rapid7
- Root-level RCE vulnerability in Palo Alto firewalls exploited (CVE-2026-0300) — Help Net Security
- Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution — The Hacker News
- PAN-OS User-ID Authentication Portal Vulnerability Exploited in Attacks (CVE-2026-0300) — Qualys ThreatPROTECT
- Active Exploitation of Palo Alto Networks PAN-OS software — CSA Singapore
- Recommendations for CVE-2026-0300 — Arctic Wolf
- U.S. CISA adds a flaw in Palo Alto Networks PAN-OS to its Known Exploited Vulnerabilities catalog — SecurityAffairs
- Palo Alto Networks security advisory (AV26-425) — Canadian Centre for Cyber Security
- CWE-787: Out-of-bounds Write — MITRE
About the Author
SEKurity Team
Offensive Security Experts
The SEKurity GmbH team consists of experienced penetration testers, security researchers, and cybersecurity consultants. Under the motto 'Your Trusted Adversaries', we support organizations in evaluating their IT security from an attacker's perspective and improving it.