PAN-OS CVE-2026-0300: Captive Portal Remote Root RCE
CISA added PAN-OS CVE-2026-0300 to KEV on 2026-05-06. The vulnerability involves an out-of-bounds write in the User-ID Authentication Portal (Captive Portal) affecting PA-Series and VM-Series firewalls, leading to unauthenticated remote root code execution; this article provides config audits and post-compromise triage scripts.
Executive Summary
CISA added CVE-2026-0300 to the Known Exploited Vulnerabilities (KEV) Catalog on 2026-05-06 CISA KEV. The vulnerability involves a critical out-of-bounds write (buffer overflow) in the User-ID Authentication Portal (commonly referred to as the Captive Portal) of Palo Alto Networks’ PAN-OS software Palo Alto Networks.
Active exploitation has been confirmed in the wild by sophisticated state-sponsored threat group CL-STA-1132. The attackers leverage crafted network packets sent directly to the Captive Portal settings interface, triggering remote code execution (RCE) with root privileges. This article outlines configuration audits, impact determinations, and high-fidelity hunting scripts for compromised endpoints.
Key Facts
cve: "CVE-2026-0300"
vendor: "Palo Alto Networks"
product: "PAN-OS"
kev_added: "2026-05-06"
kev_due: "2026-05-27"
kev_catalog_version: "2026.05.06"
vulnerability: "Out-of-bounds write in PAN-OS User-ID Authentication Portal"
cwe: ["CWE-787", "CWE-121"]
affected_products: ["PA-Series Firewalls", "VM-Series Firewalls"]
unaffected_products: ["Prisma Access", "Cloud NGFW", "Panorama"]
affected_versions:
- "PAN-OS < 10.2.11"
- "11.0.0 <= PAN-OS < 11.0.5"
- "11.1.0 <= PAN-OS < 11.1.3"
fixed_versions: ["10.2.11", "11.0.5", "11.1.3"]
nvd_cvss_v31: "9.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
exploitation_status: "cisa_kev_exploited"
zero_day_status: "confirmed_zero_day_exploitation"
Source Confidence & Evidence Mapping
- confirmed: CISA KEV lists CVE-2026-0300 as an actively exploited vulnerability with a federal remediation mandate CISA KEV.
- confirmed: Palo Alto Networks Security Advisory (PAN-SA-2026-0300) details the affected PAN-OS versions, root-cause Captive Portal service, and recommended vendor patches Palo Alto Networks.
- confirmed: Unit 42 Threat Intelligence publishes active indicators for threat actor group CL-STA-1132, detailing post-compromise deployment of EarthWorm (ew) and ReverseSocks5 tunneling utilities Palo Alto Networks.
- confirmed: Rapid7 Analysis verifies pre-authenticated remote root execution via Captive Portal HTTP boundary overflows Rapid7.
Impact Determination
| Classification | Criteria | Required evidence | Remediation trigger | Closure condition |
|---|---|---|---|---|
| Confirmed compromise | System logs or network telemetry show successful exploitation indicators, followed by the execution of unauthorized binaries (e.g. ew, ReverseSocks5) or log cleanup activities. | Timestamped process trees spawning unexpected shell tools or network connections from the User-ID portal process. | Isolate the firewall interface, revoke Active Directory credentials shared with the firewall, and capture memory dumps. | Apply the PAN-OS vendor security patch and complete a forensic audit confirming no active lateral movement. |
| Presumed exposed | The User-ID Authentication Portal (Captive Portal) is enabled on a vulnerable PAN-OS version and is reachable from untrusted zones. | Configuration settings (captive-portal enabled) in the PAN-OS XML config, and zone policy mapping showing public ingress. | Restrict public ingress immediately; disable the portal if unused. | Upgrade PAN-OS to a fixed release (10.2.11, 11.0.5, 11.1.3 or later). |
| Potentially exposed | A firewall is running a vulnerable PAN-OS version, but status of the User-ID portal and network ingress policies is unknown. | Version scan or CMDB entry identifying PAN-OS version < 11.1.3 without configuration verification. | Run configuration audit script to confirm Captive Portal settings. | Determine if the system is presumed exposed, confirmed compromised, or not exposed. |
| Not exposed | The User-ID Captive Portal is completely disabled, or the firewall runs a patched PAN-OS version. | Negative configuration matches for Captive Portal activation, or verified upgraded software version. | None for this CVE. | Version and configuration verification bundle is archived. |
| Unknown | Firewall configuration or version data cannot be retrieved. | Lack of API access, configuration backups, or administrative access logs. | Establish offline configuration inspection. | Recover required configuration evidence. |
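The classification rules in the table above, written out as a small Python function so that audit output can be bucketed consistently. This is an added example, not code from the original write-up; the `Evidence` record is hypothetical, and an enabled portal with internal-only ingress (a case the table does not define) is assumed to fall into "Potentially exposed".

```python
import re
from dataclasses import dataclass
from typing import Optional

# Affected ranges from the advisory as (lower_inclusive, upper_exclusive) version tuples.
AFFECTED_RANGES = [
    ((0, 0, 0), (10, 2, 11)),    # PAN-OS < 10.2.11
    ((11, 0, 0), (11, 0, 5)),    # 11.0.0 <= PAN-OS < 11.0.5
    ((11, 1, 0), (11, 1, 3)),    # 11.1.0 <= PAN-OS < 11.1.3
]


def parse_version(ver):
    """'11.0.4-h2' -> (11, 0, 4); hotfix suffixes are ignored. None if not an x.y.z string."""
    parts = re.findall(r"\d+", ver or "")
    if len(parts) < 3:
        return None
    return tuple(int(p) for p in parts[:3])


def is_vulnerable(ver):
    """True/False for a parseable version, None when the version cannot be evaluated."""
    v = parse_version(ver)
    if v is None:
        return None
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


@dataclass
class Evidence:
    # Hypothetical evidence record (assumption): None means the datum could not be retrieved.
    sw_version: Optional[str]
    captive_portal_enabled: Optional[bool]
    untrusted_ingress: Optional[bool]
    compromise_indicators: bool = False   # ew / ReverseSocks5 / daemon-crash hits


def classify(ev):
    if ev.compromise_indicators:
        return "Confirmed compromise"
    vuln = is_vulnerable(ev.sw_version)
    if vuln is None:
        return "Unknown"                   # no usable version data at all
    if not vuln or ev.captive_portal_enabled is False:
        return "Not exposed"               # patched release, or portal completely disabled
    if ev.captive_portal_enabled and ev.untrusted_ingress:
        return "Presumed exposed"
    # Vulnerable release, but portal status or ingress is unverified (internal-only
    # ingress is treated the same way here; the table does not define that case).
    return "Potentially exposed"
```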
Timeline
- 2026-04-09: Initial exploitation attempts in the wild observed by Palo Alto Networks Unit 42 Palo Alto Networks.
- 2026-04-18: Successful remote code execution achieved by threat actor group CL-STA-1132 on early-adopter corporate firewalls Palo Alto Networks.
- 2026-05-06: CISA adds CVE-2026-0300 to the Known Exploited Vulnerabilities catalog CISA KEV.
- 2026-05-13: Palo Alto Networks begins rolling out PAN-OS security patches Palo Alto Networks.
What Happened
Sophisticated attackers targeted the pre-authenticated Captive Portal boundary. By sending large, malformed HTTP requests containing out-of-bounds payloads, they corrupted the stack frame of the User-ID portal authentication daemon, achieving immediate root execution. Upon compromise, threat group CL-STA-1132 deployed lightweight reverse SOCKS5 tunneling agents (ew and ReverseSocks5) to establish persistent ingress channels, bypassing traditional network logging mechanisms to pivot to internal Active Directory controllers.
Technical Analysis
The primary failure point resides in the handling of HTTP POST fields inside the Captive Portal daemon. Out-of-bounds writes directly overwrite the saved frame pointer during pre-authentication parsing. Organizations exposing this portal publicly were compromised within minutes of active scanning.
Affected Assets and Blast Radius
asset_selectors:
- "pan-os"
- "Palo Alto Networks Firewall"
- "User-ID Authentication Portal"
- "Captive Portal"
highest_value_assets:
- "Internet-facing PA-Series firewalls with Captive Portal enabled"
- "Active Directory domain controllers accessible from the firewall zone"
- "Firewall administrative API and credentials"
credentials_and_data_at_risk:
- "Active Directory service account credentials used for User-ID mapping"
- "PAN-OS administrative API keys and session tokens"
- "Internal network routing and topology data"
Indicators And Detection Selectors
cves: ["CVE-2026-0300"]
advisory_ids: ["PAN-SA-2026-0300"]
actor_attributes:
- "CL-STA-1132"
- "UNC6780"
telemetry_selectors:
- "ew"
- "ReverseSocks5"
- "captive-portal"
- "auth-portal"
- "cldflt.sys"
Detection and Hunting
This hunting script audits backup configuration files (in XML format) and web/system log exports to identify exposed Captive Portals and post-compromise indicator matches:
```python
#!/usr/bin/env python3
import json
import os
import re
import sys
from pathlib import Path
import xml.etree.ElementTree as ET

ROOT = Path(os.environ.get("ROOT", sys.argv[1] if len(sys.argv) > 1 else ".")).resolve()
TELEMETRY_DIR = Path(os.environ.get("TELEMETRY_DIR", "telemetry-export")).resolve()
OUT = Path(os.environ.get("OUT", "hp-panos-cve-2026-0300-scope")).resolve()
CVE = "CVE-2026-0300"
ADVISORY = "PAN-SA-2026-0300"
FIXED_VERSIONS = ["10.2.11", "11.0.5", "11.1.3"]


def read_text(path):
    try:
        return path.read_text(encoding="utf-8", errors="ignore")
    except Exception:
        return ""


def is_vulnerable_version(ver_str):
    # Standardize the version string: "11.0.4-h2" -> (11, 0, 4); hotfix suffix ignored
    ver = re.findall(r"\d+", ver_str)
    if not ver:
        return False
    v_ints = tuple(int(x) for x in ver[:3])
    # Affected ranges from PAN-SA-2026-0300
    if v_ints < (10, 2, 11):                  # PAN-OS < 10.2.11
        return True
    if (11, 0, 0) <= v_ints < (11, 0, 5):     # 11.0.0 <= PAN-OS < 11.0.5
        return True
    if (11, 1, 0) <= v_ints < (11, 1, 3):     # 11.1.0 <= PAN-OS < 11.1.3
        return True
    return False


OUT.mkdir(parents=True, exist_ok=True)
findings = {"exposed_configurations": [], "compromise_indicators": []}

# 1. Audit PAN-OS XML configurations
for xml_file in ROOT.rglob("*.xml"):
    content = read_text(xml_file)
    if "pan-os" not in content and "devices" not in content:
        continue
    try:
        root_el = ET.fromstring(content)
        # Captive Portal setting
        cp_elements = root_el.findall(".//captive-portal/enabled")
        cp_enabled = any((el.text or "").strip() == "yes" for el in cp_elements)
        # Software version: <sw-version> if the export carries one; otherwise fall back to the
        # root <config version="..."> attribute, which only approximates the running release
        version_el = root_el.find(".//sw-version")
        if version_el is not None and version_el.text:
            version_str = version_el.text.strip()
        else:
            version_str = root_el.get("version", "unknown")
        vulnerable = is_vulnerable_version(version_str)
        if cp_enabled or vulnerable:
            findings["exposed_configurations"].append({
                "file": str(xml_file),
                "sw_version": version_str,
                "vulnerable_version": vulnerable if version_str != "unknown" else "unclear",
                "captive_portal_enabled": cp_enabled,
                "action_required": "Upgrade and isolate Captive Portal interface" if cp_enabled else "Upgrade recommended",
            })
    except ET.ParseError:
        # Fallback to string matching if the XML is a partial snippet
        if "captive-portal" in content and "enabled" in content and "yes" in content:
            findings["exposed_configurations"].append({
                "file": str(xml_file),
                "sw_version": "snippet-extracted",
                "captive_portal_enabled": True,
                "action_required": "Verify portal ingress zones and restrict access",
            })

# 2. Audit telemetry and logs for post-compromise tools (EarthWorm and ReverseSocks5)
# Indicators: process names 'ew', 'ReverseSocks5', or commands with tunneling arguments
scan_roots = [ROOT]
if TELEMETRY_DIR.is_dir() and not TELEMETRY_DIR.is_relative_to(ROOT):
    scan_roots.append(TELEMETRY_DIR)   # avoid scanning an export nested under ROOT twice
for base in scan_roots:
    for path in base.rglob("*"):
        if not path.is_file() or any(part in {".git", "node_modules", "vendor"} for part in path.parts):
            continue
        # Process execution logs, command history, and proxy traces
        if path.suffix not in {".log", ".txt", ".json", ".audit"}:
            continue
        body = read_text(path)
        # EarthWorm execution signatures (e.g. "ew -s", "ew_linux -s", "ew_x64 -s")
        ew_match = re.search(r"\bew(?:_linux|_x64)?\b\s+-s\s+", body, re.IGNORECASE)
        # ReverseSocks5 execution signatures
        socks_match = re.search(r"\bReverseSocks5\b", body, re.IGNORECASE)
        # User-ID daemon crash/stack dump signatures
        crash_match = re.search(r"captive-portal.*sigsegv|authd.*segfault", body, re.IGNORECASE)
        indicators = [name for name, m in (
            ("EarthWorm tunnel command", ew_match),
            ("ReverseSocks5 agent", socks_match),
            ("Captive Portal daemon crash", crash_match),
        ) if m]
        if indicators:
            findings["compromise_indicators"].append({
                "file": str(path),
                "indicators_found": indicators,
                "matched_text": " | ".join(m.group(0).strip() for m in (ew_match, socks_match, crash_match) if m),
            })

with open(OUT / "findings.json", "w") as f:
    json.dump(findings, f, indent=2)
print(f"[{CVE} Audit Complete] Findings saved to: {OUT / 'findings.json'}")
```
Remediation & Credential Rotation Plan
Containment
- Restrict Access: If the User-ID Captive Portal is enabled, restrict access to authorized internal IP addresses immediately. Avoid exposing it to untrusted zones or the public internet.
- Disable Settings: If the Authentication Portal is not actively required, disable it inside the interface:
- Navigate to Device > User Identification > Authentication Portal Settings and disable the portal.
- Navigate to
Eradication & Recovery
- Apply Security Patches: Upgrade affected PA-Series or VM-Series firewalls to fixed PAN-OS releases:
  - 10.2.11 (for the 10.2.x range)
  - 11.0.5 (for the 11.0.x range)
  - 11.1.3 (for the 11.1.x range)
- Credential Rotation: Since threat group CL-STA-1132 targets Active Directory service accounts mapped to the User-ID agent, rotate the credentials for all Active Directory service accounts associated with User-ID synchronization immediately.
- Revoke Session Tokens: Revoke all active administrative API keys, admin CLI sessions, and portal cookies on the firewall.