{
  "title": "PAN-OS CVE-2026-0300: Captive Portal Remote Root RCE",
  "summary": "CISA added PAN-OS CVE-2026-0300 to its Known Exploited Vulnerabilities (KEV) catalog on 2026-05-06. The vulnerability is an out-of-bounds write in the User-ID Authentication Portal (Captive Portal) on PA-Series and VM-Series firewalls that allows an unauthenticated remote attacker to execute code as root. This article provides configuration audits and post-compromise triage scripts.",
  "date": "2026-05-26",
  "severity": "critical",
  "tags": [
    "palo-alto-networks",
    "pan-os",
    "cisa-kev",
    "zero-day",
    "remote-code-execution",
    "buffer-overflow"
  ],
  "sources_count": 3,
  "indicators": {
    "slug": "pan-os-cve-2026-0300-captive-portal-rce",
    "since": "2026-05-26T00:00:00Z",
    "until": "2026-05-26T23:59:59Z",
    "ecosystem": "",
    "cves": [
      "CVE-2026-0300"
    ],
    "cwes": [
      "CWE-787",
      "CWE-121"
    ],
    "advisoryIds": [
      "PAN-SA-2026-0300"
    ],
    "products": [
      "PAN-OS",
      "PA-Series Firewalls",
      "VM-Series Firewalls"
    ],
    "packages": [],
    "versions": [],
    "affectedVersions": [
      "PAN-OS < 10.2.11",
      "11.0.0 <= PAN-OS < 11.0.5",
      "11.1.0 <= PAN-OS < 11.1.3"
    ],
    "fixedVersions": [
      "10.2.11",
      "11.0.5",
      "11.1.3"
    ],
    "files": [],
    "paths": [],
    "services": [],
    "domains": [],
    "urls": [],
    "ips": [],
    "hashes": [],
    "processPatterns": [],
    "networkPatterns": [],
    "telemetrySelectors": [
      "ew",
      "ReverseSocks5",
      "captive-portal",
      "auth-portal",
      "cldflt.sys"
    ]
  }
}