
PAN-OS CVE-2026-0300 root RCE via Captive Portal already exploited with AD enumeration and SOCKS tunneling

Ikesan

TL;DR

Scope: PA-Series / VM-Series running PAN-OS with the User-ID Authentication Portal enabled and reachable from untrusted zones or the public internet. CVSS 9.3 root RCE, no authentication required.

Action: Patches roll out starting May 13, 2026. Before then, restrict Portal access to trusted zones only, or disable the Portal if unused.

Interim: Disable Response Pages on internet-facing interfaces, enable Threat ID 510019, and check for nginx crash log gaps, core dump deletions, AD enumeration from firewall service accounts, and EarthWorm / ReverseSocks5 downloads.


Palo Alto Networks disclosed CVE-2026-0300 on May 5, 2026. It is a buffer overflow in the User-ID Authentication Portal (Captive Portal) on PAN-OS.
On PA-Series and VM-Series where this Portal is reachable from untrusted IPs or the public internet, an unauthenticated attacker can achieve arbitrary code execution as root.

Unit 42’s Threat Brief on May 6 moved this from “dangerous unpatched CVE” to “already exploited.”
The group tracked as CL-STA-1132, suspected to be state-sponsored, had already achieved RCE and injected shellcode into the nginx worker process.
The Hacker News follow-up provided a timeline: failed attempts around April 9, successful exploitation a week later, and lateral expansion to a second device on April 29.

PAN-OS and the Captive Portal

PAN-OS is the dedicated operating system running on Palo Alto Networks next-generation firewalls.
It powers the PA-Series hardware appliances and VM-Series virtual machines, used for perimeter defense and datacenter segmentation.
Panorama provides centralized multi-device management, while Prisma Access and Cloud NGFW are the cloud-delivered variants (this vulnerability affects PA-Series and VM-Series only).

The User-ID Authentication Portal (Captive Portal) is an authentication gate running on PAN-OS.
When an unauthenticated user tries to access the network, the firewall redirects them to a web login page and blocks traffic until they authenticate.
The concept is similar to the login screens at airports or cafes, but in enterprise PAN-OS environments the Portal integrates with Active Directory.
After authentication, the IP-to-AD-account mapping feeds the User-ID feature, which applies firewall policies on a per-user basis.

The Portal’s AD integration is what makes this vulnerability particularly impactful.
Compromising the Portal gives the attacker not just firewall root privileges but also a foothold into the internal identity infrastructure.

Only internet-exposed Captive Portals are in the blast radius

The advisory’s exposure conditions are specific.
The vulnerability applies when Authentication Portal is enabled under User-ID Authentication Portal Settings, Response Pages are enabled on an Interface Management Profile, and that profile is attached to an L3 interface receiving untrusted or internet traffic.

Prisma Access, Cloud NGFW, and Panorama appliances are not affected.
If the Portal is unused or only reachable from trusted internal IPs, the risk drops substantially.
Conversely, if a perimeter firewall exposes the Captive Portal to the internet, this is not a “wait for the patch” situation but a “cut exposure now” situation.

Affected versions span PAN-OS 12.1, 11.2, 11.1, and 10.2. Patch ETAs vary by release train, split between May 13 and May 28. As of May 9, 2026, several trains do not yet have a “just update” option available.

| Train | Affected examples | Patch ETA |
|---|---|---|
| PAN-OS 12.1 | Below 12.1.4-h5, below 12.1.7 | 12.1.4-h5 on May 13, 12.1.7 on May 28 |
| PAN-OS 11.2 | Below 11.2.4-h17, below 11.2.7-h13, below 11.2.10-h6, below 11.2.12 | May 13 or May 28 |
| PAN-OS 11.1 | Below 11.1.4-h33, below 11.1.6-h32, below 11.1.10-h25, etc. | May 13 or May 28 |
| PAN-OS 10.2 | Below 10.2.7-h34, below 10.2.10-h36, below 10.2.18-h6, etc. | May 13 or May 28 |
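Because the affected ranges are expressed as "below X.Y.Z-hN" per maintenance release rather than as one simple cutoff, classifying a fleet by hand is error-prone. The following is an added example, not code from the post or from Palo Alto Networks: it parses a PAN-OS version string (base release plus optional `-hN` hotfix suffix) and decides whether it falls inside the affected ranges in the table above. The thresholds are exactly the fixed releases named in that table; the 11.1 and 10.2 rows end in "etc." on this page, so those lists are partial and anything newer than their highest listed release is reported as `unknown` rather than as fixed. Treating a version above the highest listed fix on a fully listed train as fixed is this example's assumption, the usual reading of "below X".

```python
"""Added example: classify PAN-OS versions against the CVE-2026-0300 table above."""
import re
from typing import Dict, List, Tuple

# Fixed releases per train, taken from the table on this page as
# (maintenance release number, hotfix number; 0 means the base release is fixed).
FIXED: Dict[str, List[Tuple[int, int]]] = {
    "12.1": [(4, 5), (7, 0)],
    "11.2": [(4, 17), (7, 13), (10, 6), (12, 0)],
    "11.1": [(4, 33), (6, 32), (10, 25)],   # partial: "etc." on the page
    "10.2": [(7, 34), (10, 36), (18, 6)],   # partial: "etc." on the page
}
PARTIAL_TRAINS = {"11.1", "10.2"}

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(s: str) -> Tuple[str, int, int]:
    """Split '11.2.7-h13' into ('11.2', 7, 13); a release without a hotfix gets 0."""
    m = _VER.match(s.strip())
    if not m:
        raise ValueError(f"not a PAN-OS version string: {s!r}")
    major, minor, maint, hotfix = m.groups()
    return f"{major}.{minor}", int(maint), int(hotfix or 0)


def status(version: str) -> str:
    """Return 'affected', 'fixed', 'not-listed' (train absent from the table),
    or 'unknown' (newer than the highest fix listed for a partially listed train)."""
    train, maint, hotfix = parse_version(version)
    if train not in FIXED:
        return "not-listed"
    # Walk the fixed releases in ascending order. The first one whose
    # maintenance number is >= ours decides: a lower maintenance release is
    # "below" it; the same maintenance release compares hotfix numbers.
    for fixed_maint, fixed_hotfix in sorted(FIXED[train]):
        if maint < fixed_maint:
            return "affected"
        if maint == fixed_maint:
            return "fixed" if hotfix >= fixed_hotfix else "affected"
    # Newer than every fixed release the table lists for this train.
    return "unknown" if train in PARTIAL_TRAINS else "fixed"


if __name__ == "__main__":
    # Constructed inventory, not real devices.
    for v in ["12.1.4-h3", "12.1.4-h5", "12.1.5", "11.2.11", "11.1.12", "10.1.3"]:
        print(f"{v:12} {status(v)}")
```

Feed it the version column of a Panorama or inventory export and sort on the result; anything `affected` or `unknown` on an interface that matches the exposure conditions above goes to the top of the mitigation list.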

Reading the vendor advisory directly is more useful than relying on NVD or scanner CVSS scores here.
As covered in the earlier post on NIST NVD stopping full CVE enrichment, for actively exploited CVEs the practical triage workflow is to cross-reference CISA KEV, vendor advisories, and investigation reports like Unit 42’s.

Post-compromise activity went well beyond the firewall

The bad news from Unit 42’s report is what happened after RCE.
The attackers deleted kernel crash messages, nginx crash entries and records, and crash core dump files immediately after initial compromise.
“No Portal crash logs, so we’re clean” does not hold.

After that, the attackers used the firewall’s service account credentials to enumerate Active Directory.
If the firewall is treated purely as a perimeter device, this stage gets missed.
The User-ID subsystem inherently has an AD relationship for authentication and user identification, so a compromised Portal naturally leads to the internal identity infrastructure.

On April 29, the attackers used a SAML flood from the previously compromised device to promote a second device to the Active role, so that it inherited the same internet-facing traffic. RCE was then achieved on the second device as well.
EarthWorm and ReverseSocks5 were dropped at that point.
Both are open-source tunneling tools. ReverseSocks5 initiates an outbound connection from the victim, allowing the attacker to enter the internal network via SOCKS5.

A similar pattern appeared in APT28’s TP-Link router DNS hijacking.
Edge devices are hard to instrument with EDR, logs are thin, and post-compromise access spans both network and authentication planes.
With PAN-OS the target is an enterprise firewall rather than a SOHO router, so the privileges and internal reach are considerably heavier.

Cutting the entry point before patches land

The official interim mitigations are twofold.
Restrict User-ID Authentication Portal access to trusted zones only, and disable Response Pages on Interface Management Profiles attached to L3 interfaces receiving untrusted or internet traffic.
If the Portal is not in use, disable it.

For environments with a Threat Prevention subscription, enable Threat ID 510019 from Applications and Threats content version 9097-10022 or later.
Decoder support for this Threat ID requires PAN-OS 11.1 or above.
Environments still running 10.2 should not lean too heavily on the signature-based mitigation alone.

RCE through exposed management surfaces shares operational patterns regardless of the specific entry point.
In the earlier post on the ActiveMQ Jolokia API RCE (CVE-2026-34197), the takeaway was “if the management API faces the internet, authentication presence or default credentials determine the outcome.”
For PAN-OS the entry is the Captive Portal rather than a management API, but the dynamic is the same: an externally reachable product service that leads straight to the product’s highest privilege level.

Forensic scope extends beyond Portal logs

Investigation should not stop at User-ID Authentication Portal access logs.
Following Unit 42’s findings, indicators to look for include anomalous shellcode injection into the nginx worker process, gaps in crash-related logs, core dump deletions, audit log entries showing ptrace injection evidence removal, and SUID privilege escalation binary cleanup.

On the network side, look for outbound HTTP/HTTPS fetches originating from the firewall itself.
EarthWorm and ReverseSocks5 downloads, outbound SOCKS tunnels, and long-duration sessions to unusual destinations should be correlated with Portal exposure status and timeline.

AD logs matter too.
Look for domain root and DomainDnsZones enumeration using firewall service account credentials, LDAP queries that fall outside normal User-ID operations, and concentrated bursts of authentication failures or successes.
Rebooting the firewall and applying the patch does not erase stolen credentials or the results of internal enumeration.
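Two of the indicators above translate directly into log queries: traffic the firewall itself originates towards the internet (tool downloads, outbound SOCKS tunnels, long sessions), and LDAP searches by the User-ID service account against naming contexts it never touches in normal operation (the domain root, DomainDnsZones). The following is an added example, not tooling from the post or from Unit 42, that runs both checks over constructed, pipe-delimited log rows. Field layout, addresses, the service account name `svc-userid`, the allowed search base, and the one-hour "long session" threshold are all constructed assumptions to be replaced with your own export format and baseline.

```python
"""Added example: triage firewall-sourced outbound sessions and out-of-scope
LDAP searches by the User-ID service account (constructed logs, constructed thresholds)."""
import csv
from io import StringIO
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

FIREWALL_SELF_IPS = {"203.0.113.10", "10.0.0.1"}   # constructed: the firewall's own addresses
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # constructed
LONG_SESSION_SECS = 3600                            # constructed threshold
TUNNEL_APPS = {"socks", "ssh"}                      # apps that should never originate from the firewall

# Constructed traffic log: ts|src|dst|dport|app|elapsed (seconds)
TRAFFIC_LOG = """\
ts|src|dst|dport|app|elapsed
2026-04-16T02:11:05Z|10.0.5.20|10.0.1.7|636|ldap|4
2026-04-16T02:14:31Z|203.0.113.10|198.51.100.7|443|web-browsing|2
2026-04-16T02:15:02Z|203.0.113.10|198.51.100.7|8443|socks|7205
2026-04-16T02:20:45Z|10.0.5.21|93.184.216.34|443|web-browsing|3
"""

# Constructed LDAP audit log: ts|account|base_dn|filter
LDAP_LOG = """\
ts|account|base_dn|filter
2026-04-16T02:30:00Z|svc-userid|OU=Users,DC=corp,DC=example|(objectClass=user)
2026-04-16T02:31:10Z|svc-userid|DC=DomainDnsZones,DC=corp,DC=example|(objectClass=*)
2026-04-16T02:31:12Z|svc-userid|DC=corp,DC=example|(objectClass=*)
2026-04-16T02:35:00Z|jdoe|DC=corp,DC=example|(sAMAccountName=jdoe)
"""


def _rows(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(StringIO(text), delimiter="|"))


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def firewall_sourced_outbound(text: str) -> List[Dict[str, object]]:
    """Traffic rows where the firewall itself is the *source* and the destination
    is outside the internal ranges; each hit lists why it was flagged."""
    hits: List[Dict[str, object]] = []
    for row in _rows(text):
        if row["src"] not in FIREWALL_SELF_IPS or not is_external(row["dst"]):
            continue
        reasons = ["firewall-sourced-outbound"]
        if row["app"] in TUNNEL_APPS:
            reasons.append("tunnel-app")
        if int(row["elapsed"]) >= LONG_SESSION_SECS:
            reasons.append("long-session")
        hits.append({"ts": row["ts"], "dst": row["dst"], "dport": int(row["dport"]), "reasons": reasons})
    return hits


def _under(base_dn: str, allowed: str) -> bool:
    """True if base_dn equals allowed or is a child of it (case/space-insensitive)."""
    b = base_dn.lower().replace(" ", "")
    a = allowed.lower().replace(" ", "")
    return b == a or b.endswith("," + a)


def service_account_ldap_outliers(text: str, account: str, allowed_bases: Iterable[str]) -> List[Dict[str, str]]:
    """LDAP rows where the service account searched a base DN outside its
    normal scope; the domain root and DomainDnsZones are not children of OU=Users."""
    allowed = list(allowed_bases)
    return [row for row in _rows(text)
            if row["account"] == account and not any(_under(row["base_dn"], a) for a in allowed)]


if __name__ == "__main__":
    for h in firewall_sourced_outbound(TRAFFIC_LOG):
        print(h["ts"], h["dst"], h["dport"], ",".join(h["reasons"]))
    for r in service_account_ldap_outliers(LDAP_LOG, "svc-userid", ["OU=Users,DC=corp,DC=example"]):
        print(r["ts"], r["base_dn"], r["filter"])
```

Run both functions over the same window as the Portal exposure timeline and the crash-log gap: a firewall-sourced session to an unfamiliar host shortly before the service account starts walking the domain root is the sequence the report describes, and the LDAP side survives a reboot and patch of the firewall.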
