On May 5, 2026, Palo Alto Networks published security advisory PAN-SA-2026-0001 disclosing CVE-2026-0300, a critical buffer overflow in the User-ID Authentication Portal (Captive Portal) of PAN-OS that allows an unauthenticated remote attacker to execute arbitrary code with root privileges. The CVSS v3.1 base score is 9.3 (vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H). CISA added the CVE to its Known Exploited Vulnerabilities catalog on May 6, 2026, with a remediation due date of May 9, 2026 — a three-day window matching the urgency of CVE-2024-3400 from 2024. Palo Alto confirms active exploitation against PA-Series and VM-Series firewalls configured with Captive Portal. For every defender running PAN-OS as a perimeter firewall with user authentication, this is the most important patch event of Q2 2026.
What does the vendor advisory say?
PAN-SA-2026-0001 describes CVE-2026-0300 as a stack-based buffer overflow in the Captive Portal authentication handler that processes the HTTP Cookie and Authorization headers during the pre-authentication challenge. The vulnerability is reachable when User-ID is enabled on an interface with the captive-portal profile and a virtual server is bound to that interface — the standard configuration for organizations that require web-based authentication before granting layer-7 firewall access to corporate resources. Successful exploitation results in code execution with root privileges on the firewall's management plane, which is equivalent to total compromise of the device. The vendor's advisory explicitly states that attempted exploitation in the wild has been observed, and that the bug cannot be mitigated by Threat Prevention signatures alone because the trigger lives in the pre-auth code path.
Which versions are affected and which are patched?
PAN-SA-2026-0001 lists the following affected and fixed PAN-OS trains:
- PAN-OS 11.2 — affected versions <= 11.2.6; fixed in 11.2.7 (shipped May 13, 2026)
- PAN-OS 11.1 — affected versions <= 11.1.10; fixed in 11.1.11 (shipped May 13, 2026)
- PAN-OS 11.0 — affected versions <= 11.0.15; fixed in 11.0.16 (shipped May 13, 2026)
- PAN-OS 10.2 — affected versions <= 10.2.14; fixed in 10.2.15 (shipped May 28, 2026)
- PAN-OS 10.1 — affected versions <= 10.1.16; fixed in 10.1.17 (shipped May 28, 2026)
- PAN-OS 9.1 — END OF LIFE, no fix; migrate to 10.2.15 minimum
The advisory notes that only PA-Series hardware firewalls and VM-Series virtual firewalls are affected. Panorama and Prisma Access (cloud-hosted) are not affected because they do not run the Captive Portal feature. Cloud NGFW for AWS and Cloud NGFW for Azure receive the fix automatically through Palo Alto's managed-service patching SLA — verify the underlying engine version in the AWS/Azure Cloud NGFW console.
Verify the running version with show system info | match version from the CLI or by checking Dashboard > General Information in the Panorama UI.
Is it in CISA KEV and what is the EPSS score?
CISA added CVE-2026-0300 to KEV on May 6, 2026, with a three-day remediation deadline of May 9, 2026. The KEV entry's "known to be used in ransomware campaigns" field reads Unknown, but the entry cross-references Palo Alto's May 5 confirmation of in-the-wild exploitation. EPSS at disclosure was 0.42 — unusually high for a freshly-published CVE — reflecting that the vendor advisory was published after rather than before exploitation began. CISA's accompanying Emergency Directive ED-26-02 mandates that FCEB agencies disable Captive Portal until the patch is applied, reset all administrator credentials on affected firewalls, and report compromise indicators within 24 hours.
How do you find vulnerable instances in your SBOM?
PAN-OS appliances expose their version through the XML API as well as the CLI. For SBOM-driven inventories, ingest the /api/?type=op&cmd=<show><system><info></info></system></show> response into the asset graph nightly. Safeguard saved query:
```shell
# Identify every PAN-OS firewall still on a pre-fix build
safeguard scan --cve CVE-2026-0300 --product pan-os

# Filter to firewalls with Captive Portal enabled (the prerequisite for exploitation)
safeguard assets list \
  --filter "vendor=palo-alto AND product=pan-os AND feature=captive-portal" \
  --include-cve CVE-2026-0300
```
For shops without firmware SBOMs, the cheapest enumeration is a scripted XML API call per management IP, parsed and compared against the fixed-build matrix. Panorama users can list managed firewall versions via show devices all from the CLI or via the Panorama > Managed Devices dashboard. Cross-reference against your CMDB to ensure HA pairs and DR-site firewalls are not skipped.
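The scripted comparison described above, written out as an added example (this is not Safeguard's or Palo Alto's code). It parses the XML that the show-system-info API call returns, normalizes the sw-version string (including -hN hotfix suffixes) into a comparable tuple, and grades each device against the fixed-build table from PAN-SA-2026-0001. The three API responses embedded at the bottom are constructed samples with invented hostnames, serials and versions; fetching real responses from each management IP with an API key is left to the caller.

```python
"""Grade PAN-OS 'show system info' API responses against the PAN-SA-2026-0001 fixed-build table."""
import re
import xml.etree.ElementTree as ET

# Fixed builds per train as listed in PAN-SA-2026-0001; 9.1 is end of life with no fix.
FIXED_BUILDS = {
    "11.2": "11.2.7",
    "11.1": "11.1.11",
    "11.0": "11.0.16",
    "10.2": "10.2.15",
    "10.1": "10.1.17",
}
EOL_TRAINS = {"9.1"}


def parse_version(ver):
    """Turn '10.2.9-h1' into (10, 2, 9, 1); a plain release gets hotfix number 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", ver.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {ver!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def assess(sw_version):
    """Return 'fixed', 'vulnerable', 'eol' or 'unknown-train' for one running build."""
    major, minor, _, _ = parse_version(sw_version)
    train = f"{major}.{minor}"
    if train in EOL_TRAINS:
        return "eol"
    if train not in FIXED_BUILDS:
        return "unknown-train"
    # A hotfix on a pre-fix maintenance release (e.g. 11.2.6-h2) is still below 11.2.7.
    return "fixed" if parse_version(sw_version) >= parse_version(FIXED_BUILDS[train]) else "vulnerable"


def parse_system_info(xml_text):
    """Pull hostname, model, serial and sw-version out of a show-system-info response."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("API call did not succeed")
    system = root.find("./result/system")
    if system is None:
        raise RuntimeError("response has no <result><system> element")
    return {field: system.findtext(field) for field in ("hostname", "model", "serial", "sw-version")}


def triage(responses):
    """Map hostname -> assessment for a batch of raw XML API responses."""
    result = {}
    for xml_text in responses:
        info = parse_system_info(xml_text)
        result[info["hostname"]] = assess(info["sw-version"])
    return result


# Constructed sample responses: element names follow the show-system-info schema,
# but the hostnames, serials, models and versions are invented for this example.
SAMPLE_RESPONSES = [
    """<response status="success"><result><system>
<hostname>fw-edge-01</hostname><serial>000000000001</serial><model>PA-3220</model>
<sw-version>11.2.6-h2</sw-version></system></result></response>""",
    """<response status="success"><result><system>
<hostname>fw-edge-02</hostname><serial>000000000002</serial><model>PA-3220</model>
<sw-version>11.2.7</sw-version></system></result></response>""",
    """<response status="success"><result><system>
<hostname>fw-dr-01</hostname><serial>000000000003</serial><model>PA-VM</model>
<sw-version>9.1.18</sw-version></system></result></response>""",
]

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_RESPONSES).items()):
        print(f"{host:<12} {verdict}")
```

The hotfix handling is the part worth keeping: a device reporting 11.2.6-h2 is still below 11.2.7 and must be flagged, and a train the table does not know (a future 12.x, for instance) is reported as unknown-train rather than silently passing. Feed the triage output into the CMDB cross-reference so that HA peers and DR-site units appear as separate rows.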
What is the recommended patch rollout?
Palo Alto's recommended sequence:
- Disable Captive Portal immediately on internet-exposed interfaces if the patch cannot be applied within the CISA window. From the UI: Network > Captive Portal Settings > uncheck Enable Captive Portal. From the CLI: set network captive-portal disable yes. Commit the change.
- Download the patched PAN-OS image from support.paloaltonetworks.com via the Customer Support Portal.
- For HA pairs, upgrade the passive unit first using the standard ISSU-equivalent procedure: pre-stage the image, run request system software check, install with request system software install version X.Y.Z, reboot, then force failover with request high-availability state suspend. Repeat for the new passive.
- For standalone firewalls, schedule a maintenance window and reboot after installation.
- Verify version with show system info | match version.
- Re-enable Captive Portal after confirming the patched build is running.
- Reset all administrator credentials and review the system.log for anomalous Captive Portal access during the exposure window. CISA ED-26-02 makes this step non-optional for federal agencies; commercial enterprises should follow suit.
Compensating controls while patching: in addition to disabling Captive Portal, restrict access to the management interface to known administrative IP ranges via Network > Interface Mgmt. Apply Threat Prevention signature Palo Alto Networks Threat ID 95274 (published May 5, 2026) which blocks known exploit payloads at the data plane — but per the vendor advisory, this is not a substitute for the patch because the exploit can mutate around the signature.
What detections does the vendor or CISA publish?
Palo Alto published Threat Prevention signatures 95274, 95275, and 95276 covering the malformed HTTP requests that reach the vulnerable code path. CISA AA26-126A published a Sigma rule for the network access pattern, which defenders should import directly:
```yaml
# Source: CISA AA26-126A PAN-OS Captive Portal exploitation, 2026-05-06
title: PAN-OS Captive Portal Suspicious Pre-Auth Header Burst
status: stable
logsource:
  product: pan-os
  service: traffic
detection:
  selection:
    src_zone: 'untrust'
    dst_port:
      - 6080
      - 6081
      - 6082
    http_method: 'POST'
    http_uri|contains: '/auth/login'
  threshold:
    request_body_size: '>2048'
    src_ip|count_gt: 25
  condition: selection AND threshold
fields:
  - src_ip
  - dst_ip
  - http_uri
  - bytes_sent
  - action
level: high
```
CISA also published YARA rules covering the most common post-exploitation implant observed in May 2026 victim telemetry, including indicators for an in-memory webshell that survives across reboots through abuse of /opt/pancfg/mgmt/saved-configs/.
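To see what the rule above actually fires on before importing it, here is the same logic run over log lines as an added example (not CISA's or Palo Alto's code). It reads the rule as: count events from the untrust zone that are POSTs to a URI containing /auth/login on ports 6080-6082 with a request body over 2048 bytes, grouped by source IP, and alert on any source with more than 25 such events. The CSV it processes is a constructed, simplified record layout with the rule's field names as columns, not the native PAN-OS traffic-log format; the IP addresses are from documentation ranges.

```python
"""Run the AA26-126A pre-auth header-burst logic over sample log records."""
import csv
import io
from collections import Counter

# Values taken from the Sigma rule: Captive Portal ports, body-size floor, per-source count.
CAPTIVE_PORTAL_PORTS = {6080, 6081, 6082}
BODY_SIZE_LIMIT = 2048
BURST_THRESHOLD = 25


def matches_selection(rec):
    """True when one record satisfies every field test in the rule's selection and threshold."""
    return (
        rec["src_zone"] == "untrust"
        and int(rec["dst_port"]) in CAPTIVE_PORTAL_PORTS
        and rec["http_method"] == "POST"
        and "/auth/login" in rec["http_uri"]
        and int(rec["request_body_size"]) > BODY_SIZE_LIMIT
    )


def find_bursts(csv_text):
    """Return {src_ip: matching_event_count} for sources that exceed the burst threshold."""
    counts = Counter()
    for rec in csv.DictReader(io.StringIO(csv_text)):
        if matches_selection(rec):
            counts[rec["src_ip"]] += 1
    return {ip: n for ip, n in counts.items() if n > BURST_THRESHOLD}


def build_sample_log():
    """Constructed sample: one bursting source, one quiet source, and benign portal traffic."""
    header = "timestamp,src_zone,src_ip,dst_ip,dst_port,http_method,http_uri,request_body_size,action\n"
    rows = []
    # 30 oversized POSTs from one source: above the threshold, should be reported.
    for i in range(30):
        rows.append(f"2026-05-06T02:{i:02d}:00Z,untrust,198.51.100.23,203.0.113.10,6081,POST,/auth/login,4096,allow")
    # 10 oversized POSTs from a second source: matches the selection but stays under the count.
    for i in range(10):
        rows.append(f"2026-05-06T02:30:{i:02d}Z,untrust,198.51.100.77,203.0.113.10,6082,POST,/auth/login,3000,allow")
    # Benign traffic: normal-sized logins, GETs for the portal page, and an internal zone.
    for i in range(40):
        rows.append(f"2026-05-06T03:{i:02d}:00Z,untrust,192.0.2.{i + 1},203.0.113.10,6080,POST,/auth/login,512,allow")
        rows.append(f"2026-05-06T03:{i:02d}:30Z,untrust,192.0.2.{i + 1},203.0.113.10,6080,GET,/auth/login,0,allow")
        rows.append(f"2026-05-06T04:{i:02d}:00Z,trust,10.0.0.{i + 1},203.0.113.10,6081,POST,/auth/login,4096,allow")
    return header + "\n".join(rows) + "\n"


if __name__ == "__main__":
    for ip, n in find_bursts(build_sample_log()).items():
        print(f"ALERT src_ip={ip} oversized pre-auth POSTs={n}")
```

Two things the walk-through makes visible: the quiet source with 10 matching requests produces no alert, so the count threshold is doing real work against single-probe noise, and the trust-zone records are excluded entirely even though their body size and URI match. When importing the rule into a SIEM, confirm that the log source it is mapped to actually carries a request-body size and HTTP method field; plain PAN-OS traffic logs may need enrichment from the URL-filtering or threat feed for those fields to populate.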
How Safeguard Helps
Safeguard ingests PAN-OS XML API output from every firewall registered through the SCM/network-asset integration, parsing the version, feature configuration, and interface bindings into a normalized SBOM. The default policy gate fails any change-management ticket promoting a PAN-OS image below the fixed-build table, and a built-in compliance check verifies that Captive Portal is either disabled or running on a patched build for every internet-exposed firewall. Griffin AI scores firewalls by Captive Portal exposure (internet, partner-VPN, internal-only) and by management-interface accessibility, surfacing the highest-blast-radius devices first. VEX statements from Palo Alto PSIRT are auto-ingested for Panorama and Prisma Access (which are not affected), suppressing dashboard noise. The ServiceNow integration files a single change ticket per HA pair with the fixed build hash pinned in the body, the CISA ED-26-02 deadline copied into the SLA field, and the credential-reset checklist attached as evidence — turning a multi-team emergency into a tracked, auditable workflow.