
Critical Vulnerability CVE-2026-0300 in Palo Alto PAN-OS


The discovery of the zero-day critical vulnerability CVE-2026-0300 in Palo Alto Networks' PAN-OS changes how perimeter security is perceived. A firewall, traditionally considered the first line of defense, can itself become an entry point for cybercriminals because of a flaw in its authentication service.

CISA has already added this threat, rated 9.3 on the CVSS scale, to its Known Exploited Vulnerabilities (KEV) catalog, because researchers have recorded active exploitation since April 2026.

PROBLEM DESCRIPTION

Nature of the Threat and Current Exploitation Trends

Technically, CVE-2026-0300 is an unauthenticated buffer overflow in the User-ID Authentication Portal (Captive Portal) component. Exploiting it gives attackers remote code execution with root privileges on PA-Series and VM-Series devices.

It is important to note that Prisma Access, Cloud NGFW, and Panorama are not affected by this threat, so the cloud-delivered architecture holds up in this specific case. Analysts from Unit 42 note that the risk is significantly reduced if portal access is restricted to trusted internal IP addresses. Systems that expose the portal to the public network, however, remain the main target for cybercriminals.

FUNCTIONAL FOCUS

Analysis of Post-Exploitation Vulnerability Mechanics

Understanding what attackers do after breaching the perimeter is critical for timely detection of indicators of compromise. After successful exploitation, attackers inject shellcode directly into the nginx web server process running on the device itself. This creates a covert channel that standard monitoring tools struggle to detect. To entrench their presence in the infrastructure, the intruders perform anti-forensic cleaning of system logs to hide traces of the intrusion.

Subsequently, to maintain persistent remote control (C2) and command delivery, they deploy specialized network tunneling tools such as EarthWorm and ReverseSocks5.
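Because the on-box logs are wiped, the post-exploitation pattern above is easiest to spot from an off-box copy of the device's management-plane connection table. The following is an added example, not code from the article or from Palo Alto Networks: it applies one heuristic (the appliance's web server process should only ever accept inbound sessions, never originate them, and nothing on the management plane should reach untrusted addresses) to a constructed sample; the field layout of SAMPLE_CONNECTIONS is an assumption, not real PAN-OS output.

```python
import ipaddress

# Constructed sample of a management-plane connection table (not real PAN-OS output).
# Fields: owning process, local socket, remote socket, and direction of the session.
SAMPLE_CONNECTIONS = [
    # Normal: a user reaching the captive portal / an admin using the web UI.
    {"proc": "nginx", "local": "10.1.0.5:443", "remote": "10.1.20.44:51022", "dir": "inbound"},
    # Suspicious: the web server process itself dialing out to an external host,
    # the shape a tunneling tool launched from an injected shell would produce.
    {"proc": "nginx", "local": "10.1.0.5:40512", "remote": "198.51.100.23:8443", "dir": "outbound"},
    # Normal: another daemon forwarding to an internal syslog collector.
    {"proc": "mgmtsrvr", "local": "10.1.0.5:45001", "remote": "10.1.0.10:514", "dir": "outbound"},
]

# Address space treated as trusted for this check (assumption: RFC 1918 only).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_trusted(sock: str) -> bool:
    """True when the address part of 'ip:port' lies inside a trusted network."""
    ip = ipaddress.ip_address(sock.rsplit(":", 1)[0])
    return any(ip in net for net in TRUSTED_NETS)


def find_suspicious(conns, web_procs=("nginx",)):
    """Return [(connection, [reasons])] for sessions that break the heuristics:
    a web-server process acting as client, or any outbound session to an
    untrusted remote address."""
    flagged = []
    for c in conns:
        reasons = []
        if c["proc"] in web_procs and c["dir"] == "outbound":
            reasons.append("web server process initiated an outbound connection")
        if c["dir"] == "outbound" and not is_trusted(c["remote"]):
            reasons.append("outbound session to untrusted address")
        if reasons:
            flagged.append((c, reasons))
    return flagged


if __name__ == "__main__":
    for conn, why in find_suspicious(SAMPLE_CONNECTIONS):
        print(conn["proc"], conn["remote"], "->", "; ".join(why))
```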

PRACTICAL CASES

Impact on Business Infrastructure and Credentials

Recorded attack scenarios show how capturing a firewall leads to deep compromise of the internal network. After gaining access to the device, attackers extract legitimate credentials from its memory. Using these corporate accounts, they imitate requests from trusted equipment to Active Directory servers, which allows detailed enumeration of directory objects and identification of high-privilege accounts. A single gap in the perimeter thus quickly turns into a complex threat to the entire access management infrastructure.

EVOLUTION OF PROTECTION

Reconnaissance of the Global Network Attack Surface

Operational monitoring of the digital footprint is a basic requirement for protection against such mass exploitation. Data from the Censys platform indicates that more than 263,000 exposed PAN-OS instances have been found on the global network. Although not all of them publicly expose the User-ID Authentication Portal, the overall potential attack surface remains significant. Cybersecurity teams are advised to scan their own infrastructure using search queries such as vendor: "PaloAltoNetworks" and product: "PAN-OS". Regular auditing of exposed services allows forgotten configurations to be detected and removed from public access in time.

INTEGRATED APPROACH

Mitigation and Security Recovery Strategies

Responding to CVE-2026-0300 requires a combination of immediate configuration changes and scheduled system updates. Until patched PAN-OS versions are deployed, the vendor strongly advises restricting access to the authentication portal exclusively to trusted internal networks. If this function is not critical to business processes, it should be disabled completely. In parallel, the vendor has released official updates for PAN-OS 12.1, 11.2, 11.1 and 10.2, which should be rolled into production environments promptly.
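The two interim measures above (restrict the portal to trusted internal networks, or disable it when not needed) can be checked across a fleet before the patch window. This is an added example, not code from the article or from Palo Alto Networks: it audits a constructed inventory and shows the weak records next to their corrected form. The record layout, the "portal_sources" field, and the choice of RFC 1918 as "trusted internal" are assumptions.

```python
import ipaddress

# Constructed inventory (not exported from PAN-OS); one record per firewall.
# "portal_sources" lists the source networks allowed to reach the User-ID
# Authentication Portal.
INVENTORY = [
    {"name": "fw-edge-1", "portal_enabled": True,
     "portal_sources": ["0.0.0.0/0"]},                      # weak: internet-exposed
    {"name": "fw-edge-2", "portal_enabled": True,
     "portal_sources": ["10.0.0.0/8", "203.0.113.0/24"]},   # weak: one public range
    {"name": "fw-dc-1", "portal_enabled": True,
     "portal_sources": ["10.10.0.0/16", "192.168.5.0/24"]},  # corrected: internal only
    {"name": "fw-lab-1", "portal_enabled": False,
     "portal_sources": []},                                  # corrected: portal disabled
]

# Assumption: "trusted internal" means RFC 1918 space.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def untrusted_sources(sources):
    """Return the entries of 'sources' that are not fully inside a private network."""
    bad = []
    for s in sources:
        net = ipaddress.ip_network(s, strict=False)
        if not any(net.subnet_of(p) for p in PRIVATE_NETS):
            bad.append(s)
    return bad


def audit(inventory):
    """Map firewall name -> list of findings (empty list means compliant)."""
    findings = {}
    for fw in inventory:
        issues = []
        if fw["portal_enabled"]:
            bad = untrusted_sources(fw["portal_sources"])
            if bad:
                issues.append(f"portal reachable from untrusted sources: {bad}")
        findings[fw["name"]] = issues
    return findings


def harden(fw, needed: bool):
    """Return a copy with the recommended interim setting: disable the portal
    when the function is not needed, otherwise keep only internal sources."""
    fixed = dict(fw)
    if not needed:
        fixed["portal_enabled"], fixed["portal_sources"] = False, []
    else:
        fixed["portal_sources"] = [s for s in fw["portal_sources"] if not untrusted_sources([s])]
    return fixed
```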

The exploitation of a critical vulnerability in firewalls shows that perimeter security no longer guarantees absolute protection of corporate resources. A situation in which a compromised router or firewall becomes a launchpad for attacks on Active Directory infrastructure underscores the need for micro-segmentation and a transition to a Zero Trust architecture. Only a systematic approach that combines continuous auditing, access control, and rapid response ensures reliable business continuity.

As a distributor of information security solutions, iIT Distribution assists partners and clients in building reliable and resilient protection architectures. The expert team at iITD provides complete project support—from extended technical consultation to selecting optimal equipment and expertise in implementing Zero Trust concepts in modern corporate networks.
