Full Report
Palo Alto Networks has disclosed that threat actors may have unsuccessfully attempted to exploit a recently disclosed critical security flaw as early as April 9, 2026. The vulnerability in question is CVE-2026-0300 (CVSS score: 9.3/8.7), a buffer overflow vulnerability in the User-ID Authentication Portal service of Palo Alto Networks PAN-OS software that could allow an unauthenticated attacker
Analysis Summary
# Vulnerability: Palo Alto Networks PAN-OS User-ID Authentication Portal RCE
## CVE Details
- **CVE ID:** CVE-2026-0300
- **CVSS Score:** 9.3 (Critical) / 8.7 (High)
- **CWE:** CWE-121 (Stack-based Buffer Overflow)
## Affected Systems
- **Products:** Palo Alto Networks PAN-OS software.
- **Versions:** Specific version ranges are not detailed in the report, but the flaw affects the User-ID Authentication Portal service.
- **Configurations:** Systems with the User-ID Authentication Portal (Captive Portal) service enabled and exposed.
## Vulnerability Description
CVE-2026-0300 is a critical buffer overflow vulnerability residing in the **User-ID Authentication Portal service**. The flaw allows an unauthenticated, remote attacker to send specially crafted packets to the service. If successful, the attacker can overflow the buffer to inject and execute arbitrary shellcode within the context of an `nginx` worker process, ultimately granting the attacker **root privileges** on the affected appliance.
## Exploitation
- **Status:** **Exploited in the wild.** Limited exploitation was observed as early as April 9, 2026, attributed to a suspected state-sponsored threat cluster (CL-STA-1132).
- **Complexity:** Low (the observed activity came from sophisticated actors using automated shellcode injection).
- **Attack Vector:** Network (Remote, unauthenticated).
## Impact
- **Confidentiality:** Critical (Enables full root access and Active Directory enumeration).
- **Integrity:** Critical (Attackers can modify system logs and delete crash files to hide tracks).
- **Availability:** High (Potential for system instability; attackers observed clearing kernel/crash messages).
## Remediation
### Patches
- Official fixes are scheduled to be released by Palo Alto Networks starting **May 13, 2026**. Admins should monitor the vendor advisory for specific sub-version updates.
### Workarounds
- **Restrict Access:** Limit access to the PAN-OS User-ID Authentication Portal to trusted source IP addresses or zones only.
- **Disable Service:** If the User-ID Authentication Portal is not required for business operations, disable the service entirely to eliminate the attack surface.
## Detection
- **Indicators of Compromise (IoCs):**
  - Presence of open-source tunneling tools: **EarthWorm** and **ReverseSocks5**.
  - Evidence of Active Directory (AD) enumeration.
- **Detection Methods:**
  - Monitor for unauthorized or unexpected `nginx` worker process crashes.
  - Audit system logs for the manual deletion of "crash kernel messages," "nginx crash entries," or "crash core dump files."
  - Look for intermittent interactive sessions and unauthorized lateral movement attempts.
## References
- **Palo Alto Networks Unit 42:** hxxps[://]unit42[.]paloaltonetworks[.]com/captive-portal-zero-day/
- **The Hacker News:** hxxps[://]thehackernews[.]com/2026/05/pan-os-rce-exploit-under-active-use[.]html