Overview Palo Alto Networks has issued a warning about a critical zero‑day vulnerability in the PAN‑OS User‑ID Authentication Portal (Captive Portal). Tracked as CVE‑2026‑0300, the flaw stems from a buffer overflow that allows unauthenticated attackers to execute arbitrary code with root privileges on exposed PA‑Series and VM‑Series firewalls.
Vulnerability Details
- Type: Buffer overflow → Remote Code Execution (RCE).
- Impact: Full root access on vulnerable firewalls.
- Attack Vector: Specially crafted packets sent to internet‑exposed portals.
- Severity: Highest possible rating by Palo Alto Networks.
- Exploitation: Limited but confirmed in the wild.
Exposure Landscape
- Shadowserver Data: Over 5,800 VM‑Series firewalls exposed online.
- Asia: 2,466 instances.
- North America: 1,998 instances.
- Risk Reduction: Customers restricting portals to trusted internal networks face lower exposure.
Mitigation Guidance
Until a patch is released:
- Restrict Access: Limit the User‑ID Authentication Portal to trusted zones only.
- Disable Portal: If restriction isn’t possible, disable the feature entirely.
- Check Settings: Navigate to Device → User Identification → Authentication Portal Settings → Enable Authentication Portal to confirm exposure.
- Monitor Traffic: Watch for unusual packets targeting the portal.
Historical Context
PAN‑OS firewalls have been repeatedly targeted:
- Nov 2024: Attacks chained two zero‑days, compromising thousands of firewalls.
- Dec 2024: DoS flaw exploited to force reboots and disable protections.
- Feb 2025: Attackers abused three additional flaws in internet‑facing management interfaces.
Final Thought
CVE‑2026‑0300 underscores the high‑value nature of firewall infrastructure. With exploitation already observed, organizations must act immediately to restrict or disable vulnerable portals. As Palo Alto Networks works on a patch, the lesson is clear: firewalls themselves are now prime targets, and their management interfaces must be treated as critical attack surfaces.
Leave a Reply