State‑Sponsored Actors Gain Root on Palo Alto PAN‑OS via Captive Portal Buffer Overflow
A detailed analysis of CVE‑2026‑0300 reveals how a nation‑backed group exploited a buffer overflow in the PAN‑OS Captive Portal to obtain root on Palo Alto firewalls, outlining the attack chain, affected versions, immediate mitigations, long‑term remediation, compliance impacts, and lessons learned.
Vulnerability Overview
CVE‑2026‑0300 is a critical buffer overflow (CWE‑787, out‑of‑bounds write) in the User‑ID Authentication Portal (Captive Portal) of PAN‑OS. The flaw allows an unauthenticated network attacker to execute arbitrary code with root privileges on PA‑Series and VM‑Series firewalls.
Timeline of Exploitation
2026‑04‑09 – Initial probing of the exposed Captive Portal.
Mid‑April 2026 – Payload refined, overflow triggered, shellcode injected into the nginx worker process.
2026‑04‑20 – Deployment of the publicly available tunneling tools EarthWorm and ReverseSocks5.
2026‑04‑29 – SAML flood forced a standby HA device to take over traffic, expanding the attack surface.
2026‑05‑05 – Threat Prevention signature released for PAN‑OS 11.1+.
2026‑05‑06 – Official CVE‑2026‑0300 advisory published.
2026‑05‑13 to 2026‑05‑28 – Patch releases for affected branches rolled out.
Root Cause Analysis
The vulnerability resides in the Captive Portal service, which performs user authentication and portal redirection before network access. A crafted network packet causes an out‑of‑bounds write, resulting in remote code execution without any credentials.
Attack vector: Network
Complexity: Low
Required privileges: None
User interaction: None
Vulnerability status: Actively exploited (ATTACKED)
Affected PAN‑OS Versions
PAN‑OS 10.2 – Fixed in 10.2.7‑h34, 10.2.10‑h36, 10.2.13‑h21, 10.2.16‑h7, 10.2.18‑h6 (release 2026‑05‑13).
PAN‑OS 11.1 – Fixed in 11.1.4‑h33, 11.1.6‑h32, 11.1.7‑h6, 11.1.10‑h25, 11.1.13‑h5, 11.1.15 (release 2026‑05‑20).
PAN‑OS 11.2 – Fixed in 11.2.4‑h17, 11.2.7‑h13, 11.2.10‑h6, 11.2.12 (release 2026‑05‑28).
PAN‑OS 12.1 – Fixed in 12.1.4‑h5, 12.1.7 (release 2026‑05‑20).
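The fixed‑release list above is per maintenance train, so a raw string comparison of version numbers gives wrong answers (10.2.10‑h12 is older than 10.2.7‑h34 in fix terms despite the larger maintenance number). As an added example that is not part of the original advisory or Palo Alto's own tooling, the following Python encodes the table above and triages a running PAN‑OS version string against it. The version‑string format (major.minor.maintenance, optional ‑hN hotfix) and the treatment of maintenance releases newer than the newest listed fix are assumptions, flagged in the code.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed releases exactly as listed in the advisory text above:
# train -> {maintenance number: minimum hotfix number (0 = base release)}
FIXED: Dict[Tuple[int, int], Dict[int, int]] = {
    (10, 2): {7: 34, 10: 36, 13: 21, 16: 7, 18: 6},
    (11, 1): {4: 33, 6: 32, 7: 6, 10: 25, 13: 5, 15: 0},
    (11, 2): {4: 17, 7: 13, 10: 6, 12: 0},
    (12, 1): {4: 5, 7: 0},
}

# Assumed version format: "10.2.10-h36" or "11.1.15" (no hotfix suffix)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Split a PAN-OS version string into (major, minor, maintenance, hotfix)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def assess(text: str) -> str:
    """Return 'patched', 'vulnerable' or 'train_not_listed' for one version string."""
    major, minor, maint, hotfix = parse_version(text)
    fixes = FIXED.get((major, minor))
    if fixes is None:
        # 10.1, 11.0, ... are not in the advisory's list; check the vendor advisory
        return "train_not_listed"
    if maint in fixes:
        # A listed maintenance release: fixed only from the listed hotfix upward
        return "patched" if hotfix >= fixes[maint] else "vulnerable"
    if maint > max(fixes):
        # Assumption: maintenance releases newer than the newest listed fix
        # carry it (e.g. 11.1.16 after 11.1.15). Confirm before relying on this.
        return "patched"
    # An unlisted maintenance release between fixes has no hotfix for it
    return "vulnerable"


def recommended_fix(text: str) -> Optional[str]:
    """Smallest fixed release in the same train that is not older than the running one."""
    major, minor, maint, _ = parse_version(text)
    fixes = FIXED.get((major, minor))
    if fixes is None or assess(text) == "patched":
        return None
    target = min(m for m in fixes if m >= maint)
    suffix = f"-h{fixes[target]}" if fixes[target] else ""
    return f"{major}.{minor}.{target}{suffix}"


def triage(inventory: Dict[str, str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each device name to (status, recommended fix) for a whole inventory."""
    return {name: (assess(ver), recommended_fix(ver)) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (device names and versions are made up)
    sample = {"fw-dc1-a": "10.2.10-h12", "fw-dc1-b": "10.2.11-h3",
              "fw-branch": "11.1.15", "fw-lab": "10.1.9"}
    for name, (status, fix) in triage(sample).items():
        print(f"{name:10} {sample[name]:12} {status:17} fix: {fix or '-'}")
```

Feed `triage()` the version column of your asset inventory; anything reported as `vulnerable` should be treated as exposed since the first probing date above unless the Captive Portal was never reachable from untrusted networks.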
Attacker Profile (CL‑STA‑1132)
Attack Chain
Initial Access (2026‑04‑09): Probing of the public Captive Portal, followed by a successful overflow that injected shellcode into the nginx worker.
Persistence and Cleanup (within one week): Removal of crash kernel messages, deletion of nginx crash entries, and removal of core dump files.
Tunnel Deployment (four days later): Installation of two publicly available tools:
EarthWorm – Cross‑platform SOCKS v5 proxy supporting forward, reverse, port‑forwarding, and multi‑hop tunnels; previously used by APT41, Volt Typhoon, and Gelsemium.
ReverseSocks5 – Reverse SOCKS5 tunnel that initiates outbound connections from the compromised host.
Lateral Movement: Using firewall service‑account credentials, the attackers enumerated Active Directory domain roots and DNS zones.
Attack Surface Expansion (2026‑04‑29): SAML flood forced a high‑availability standby device to assume traffic, enabling a second RCE and repeat tunnel deployment.
Impact Assessment
Directly Affected
PA‑Series physical firewalls with exposed Captive Portal.
VM‑Series virtual firewalls under the same conditions.
Enterprise perimeter networks, granting attackers internal network access.
Unaffected
Prisma Access (CASB).
Cloud NGFW.
Panorama management platform.
Deployments where Captive Portal is limited to trusted internal networks.
Attacker Capabilities Post‑Compromise
Root access provides full control: reading/modifying traffic, changing firewall policies, extracting VPN credentials and certificates, moving laterally, installing persistent backdoors, and erasing forensic evidence.
Immediate Mitigation Actions
Priority 1 – Execute Now
Identify exposed Captive Portal interfaces via Device → User Identification → Authentication Portal Settings.
Restrict portal access to trusted internal IP ranges only.
Disable Response Pages on any L3 interfaces exposed to untrusted networks.
Priority 2 – Next Steps
Install the Threat Prevention signature released on 2026‑05‑05 for PAN‑OS 11.1+.
Monitor logs for abnormal logins, nginx crashes, missing crash dumps, and unknown outbound SOCKS traffic.
Audit AD service‑account permissions on the firewall and apply least‑privilege principles.
Leverage Cortex Xpanse (if available) to automatically discover exposed User‑ID portals.
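Both tunneling tools described in the attack chain initiate outbound SOCKS connections from the firewall itself, which a firewall normally never does. As an added example that is not part of the original article or any vendor product, the following Python runs that "unknown outbound SOCKS traffic" check from the monitoring step above over a constructed set of flow records: it flags outbound connections from firewall addresses to non‑allowlisted destinations, raising severity when the first payload bytes match a SOCKS5 client greeting (RFC 1928) or a SOCKS4 CONNECT request. The flow record layout, the firewall and allowlist addresses, and the internal ranges are assumptions; a tunnel wrapped in TLS will only be caught by the destination check, not the payload heuristic.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Tuple

# Assumed internal ranges; adjust to your own address plan
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    """One outbound connection record (assumed layout, e.g. from NetFlow or a sensor)."""
    src: str            # initiating host
    dst: str            # destination host
    dport: int
    first_bytes: bytes  # first payload bytes sent by the initiator


def looks_like_socks5_greeting(data: bytes) -> bool:
    """RFC 1928 client greeting: VER=0x05, NMETHODS, then exactly NMETHODS method bytes."""
    if len(data) < 3 or data[0] != 0x05:
        return False
    nmethods = data[1]
    return nmethods >= 1 and len(data) == 2 + nmethods


def looks_like_socks4_request(data: bytes) -> bool:
    """SOCKS4 CONNECT: VN=0x04, CD=0x01, DSTPORT(2), DSTIP(4), USERID, NUL terminator."""
    return len(data) >= 9 and data[0] == 0x04 and data[1] == 0x01 and data[-1] == 0x00


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def flag_suspicious_flows(flows: Iterable[Flow], firewall_ips: set,
                          allowed_dsts: set) -> List[Tuple[Flow, str, str]]:
    """Return (flow, severity, reason) for outbound firewall flows that need review."""
    findings = []
    for f in flows:
        if f.src not in firewall_ips or f.dst in allowed_dsts:
            continue  # only firewall-originated flows to unexpected destinations
        if looks_like_socks5_greeting(f.first_bytes):
            findings.append((f, "high", "SOCKS5 greeting in outbound flow from firewall"))
        elif looks_like_socks4_request(f.first_bytes):
            findings.append((f, "high", "SOCKS4 request in outbound flow from firewall"))
        elif not is_internal(f.dst):
            findings.append((f, "medium", "unexpected outbound flow from firewall to external address"))
    return findings


# Constructed sample data: 10.0.0.1 is the firewall; syslog and update hosts are allowlisted
FIREWALL_IPS = {"10.0.0.1"}
ALLOWED_DSTS = {"10.0.0.50", "198.51.100.9"}
SAMPLE_FLOWS = [
    Flow("10.0.0.1", "203.0.113.7", 443, b"\x05\x01\x00"),              # SOCKS5, no-auth
    Flow("10.0.0.1", "10.0.0.50", 514, b"<14>Apr 29 10:02:11 fw"),       # syslog, allowlisted
    Flow("10.0.0.1", "203.0.113.7", 8443, b"\x16\x03\x01\x00\xa5\x01"), # TLS ClientHello
    Flow("10.0.0.20", "203.0.113.9", 1080, b"\x05\x02\x00\x02"),        # not a firewall
    Flow("10.0.0.1", "10.0.8.9", 1080, b"\x04\x01\x04\x38\xc0\xa8\x01\x05\x00"),  # SOCKS4
]

if __name__ == "__main__":
    for flow, severity, reason in flag_suspicious_flows(SAMPLE_FLOWS, FIREWALL_IPS, ALLOWED_DSTS):
        print(f"[{severity}] {flow.src} -> {flow.dst}:{flow.dport}  {reason}")
```

The allowlist should contain only the destinations a firewall legitimately initiates connections to (syslog, update and licensing servers, Panorama, directory servers); everything else from a firewall address is worth a look, and a SOCKS handshake is a strong indicator on its own.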
Long‑Term Remediation Plan
P0: Apply the appropriate patch for each affected branch within 24 hours of release.
P0: Audit firewall logs for suspicious activity since 2026‑04‑09 (immediate).
P1: Rotate all AD service‑account credentials stored on firewalls after patch installation.
P1: Re‑evaluate the business necessity of exposing Captive Portal to the Internet (within a week).
P2: Perform full forensic analysis on compromised devices (immediate).
P2: Establish an internal SLA to address Critical‑severity CVEs within 48 hours (next security governance meeting).
P3: Review all publicly exposed management interfaces and enforce network segmentation (within the quarter).
Compliance and Regulatory Guidance
PCI‑DSS: Assess reporting obligations under clause 12.10 if the firewall protects cardholder data.
China’s Multi‑Level Protection (MLP) 2.0: Report incidents for Level 3+ systems.
GDPR: Trigger the 72‑hour breach notification if personal data may have been exposed.
CISA / Industry regulations: Follow mandatory cyber‑incident sharing statutes.
Lessons Learned
Boundary devices are high‑value targets; their compromise breaks network isolation.
Minimize public exposure of authentication portals; they are intended for internal use.
Vulnerability‑remediation windows are shrinking; attackers can complete full kill‑chains within weeks.
State‑backed actors prioritize stealth, quickly cleaning logs and crash dumps.
Reuse of publicly available tunneling tools provides strong attribution signals.