Security Advisory 2026-006

Palo Alto Networks has disclosed a critical buffer overflow vulnerability (CVE-2026-0300, CVSS 9.3) in the PAN-OS User-ID Authentication Portal. This flaw allows unauthenticated remote attackers to execute arbitrary code with root privileges on affected PA-Series and VM-Series firewalls, with limited active exploitation already observed in the wild.

Sens: Immediate | Conf: high | Analyzed: 2026-05-06

Source: CERT-EU

What Happened

A critical security flaw has been discovered in Palo Alto Networks firewalls that use the User-ID Authentication Portal. This vulnerability allows attackers to take full control of the firewall without needing a username or password. Because the manufacturer has already seen attackers using this flaw, it is a severe risk to network security. While official software updates are not yet available, organizations should immediately restrict or disable the affected portal to protect their networks.

Key Takeaways

  • A critical buffer overflow vulnerability (CVE-2026-0300) exists in the PAN-OS User-ID Authentication Portal.
  • Unauthenticated attackers can exploit this flaw to execute arbitrary code with root privileges.
  • Limited in-the-wild exploitation has been observed by Palo Alto Networks.
  • Patches are currently unavailable; administrators must apply mitigations immediately.

Affected Systems

  • Palo Alto PA-Series firewalls configured with User-ID Authentication Portal
  • Palo Alto VM-Series firewalls configured with User-ID Authentication Portal
  • PAN-OS versions prior to 12.1.4-h5, 12.1.7, 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, 11.2.12, 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, 11.1.15, 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6

Vulnerabilities (CVEs)

  • CVE-2026-0300

Attack Chain

An unauthenticated remote attacker targets the User-ID Authentication Portal (Captive Portal) service on a vulnerable Palo Alto PA-Series or VM-Series firewall. By sending specially crafted packets over the network, the attacker triggers a buffer overflow condition. This exploitation results in the execution of arbitrary code with root privileges directly on the firewall appliance.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the advisory.

Detection Engineering Assessment

  • EDR Visibility: None. EDR agents cannot typically be installed on proprietary network appliances like Palo Alto firewalls.
  • Network Visibility: High. The exploit relies on specially crafted packets sent over the network to the Captive Portal, which upstream IDS/IPS could detect if signatures are developed.
  • Detection Difficulty: Hard. Without specific payload details or packet signatures provided in the advisory, generically detecting the buffer overflow attempt on the portal is difficult.

Required Log Sources

  • Firewall System Logs
  • Network Flow Logs

Hunting Hypotheses

Hypothesis 1: Look for anomalous crashes, restarts, or error logs associated with the User-ID Authentication Portal service, which may indicate failed buffer overflow exploitation attempts.
  • Telemetry: Firewall System Logs
  • ATT&CK Stage: Execution
  • FP Risk: Low

Hypothesis 2: Monitor for unexpected outbound network connections originating directly from the firewall's management or data plane interfaces to unknown external IP addresses.
  • Telemetry: Network Flow Logs
  • ATT&CK Stage: Command and Control
  • FP Risk: Medium
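As an added example (not part of the CERT-EU advisory or of any Palo Alto tooling), the following Python snippet implements the first hunting hypothesis over constructed sample log lines: it flags a burst of portal service crashes inside a short window rather than a single isolated crash. The syslog-like line layout, the `captive-portal` service name and the crash-message markers are assumptions for illustration, not the real PAN-OS system log format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in a generic syslog-like shape. This layout is an
# assumption for illustration only, not the real PAN-OS system log format.
SAMPLE_LOGS = [
    "2026-05-06T10:01:02Z captive-portal INFO user alice authenticated",
    "2026-05-06T10:02:11Z captive-portal CRIT process authd exited unexpectedly (signal 11)",
    "2026-05-06T10:02:12Z captive-portal INFO service restarted",
    "2026-05-06T10:02:40Z captive-portal CRIT process authd exited unexpectedly (signal 11)",
    "2026-05-06T10:02:41Z captive-portal INFO service restarted",
    "2026-05-06T10:03:05Z captive-portal CRIT process authd exited unexpectedly (signal 11)",
    "2026-05-06T10:05:00Z ntp WARN time drift corrected",
    "2026-05-06T11:30:00Z captive-portal CRIT process authd exited unexpectedly (signal 11)",
]

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
# Message fragments (assumed) that mean the portal process died rather than logged a benign error.
CRASH_MARKERS = ("exited unexpectedly", "signal 11", "core dumped", "crashed")

def parse(line):
    """Split a line into (timestamp, service, severity, message); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)

def crash_bursts(lines, service="captive-portal", threshold=3, window=timedelta(minutes=5)):
    """Return the start time of every run of at least `threshold` crashes of
    `service` that fall inside `window`. Repeated restarts in a short span are
    the behavioural indicator of failed exploitation attempts; a lone crash is not."""
    crashes = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, svc, _sev, msg = parsed
        if svc == service and any(marker in msg for marker in CRASH_MARKERS):
            crashes.append(ts)
    crashes.sort()
    alerts = []
    for i, start in enumerate(crashes):
        # count this crash and every later one that still falls inside the window
        in_window = sum(1 for t in crashes[i:] if t - start <= window)
        if in_window >= threshold:
            alerts.append(start)
    return alerts
```

The sample data yields one alert for the three crashes between 10:02:11 and 10:03:05; the isolated crash at 11:30 is ignored.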

Control Gaps

  • Lack of endpoint telemetry (EDR) on network appliances
  • Delayed patch availability from the vendor

Key Behavioral Indicators

  • Service crashes related to the Captive Portal
  • Unexpected root-level processes spawning on the firewall appliance

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Restrict User-ID Authentication Portal access to only trusted zones.
  • Disable the User-ID Authentication Portal entirely if it is not required.

Infrastructure Hardening

  • Ensure management interfaces and authentication portals are not exposed to the public internet.

User Protection

  • N/A

Security Awareness

  • Monitor vendor channels closely for the release of official patches for CVE-2026-0300 and apply them immediately upon availability.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1068 - Exploitation for Privilege Escalation