PAN-OS Captive Portal Zero-Day (CVE-2026-0300) Enables Unauthenticated Root RCE on Firewalls
A critical vulnerability (CVE-2026-0300) has been discovered in the PAN-OS User-ID Captive Portal service, allowing unauthenticated attackers to execute remote code with root-level privileges. The flaw is a buffer overflow that can be triggered simply by sending specially crafted network packets, leaving any firewall with the Captive Portal exposed to the network at high risk.

Security researchers have observed limited but highly targeted exploitation linked to suspected state-sponsored threat actors. In successful attacks, adversaries gained initial access, injected shellcode into system processes, and quickly performed log cleanup to avoid detection. Post-compromise activity included Active Directory enumeration using stolen credentials and deployment of tunneling tools like EarthWorm and ReverseSocks5 to maintain covert access and enable internal network pivoting.
The campaign highlights a growing focus on edge-network devices such as firewalls, which provide privileged access to the network but often lack the endpoint security controls applied to servers and workstations. Organizations are strongly advised to restrict or disable the Captive Portal if it is not required, apply the latest security updates, and monitor for suspicious authentication and network tunneling activity to reduce the risk of compromise.
Don't trust a single layer. Upgrade to NPAV EPS — Because your Defender can't defend itself.