
Unpatched PAN-OS Captive Portal Bug Hits CVSS 9.3, Exploited in the Wild

· via The Hacker News

Original source: "Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution" (The Hacker News)

Palo Alto Networks disclosed CVE-2026-0300, a buffer overflow in the PAN-OS User-ID Authentication Portal (Captive Portal) that lets an unauthenticated attacker execute code as root on PA-Series and VM-Series firewalls by sending crafted packets. The flaw scores 9.3 when the portal is exposed to the internet and 8.7 when restricted to trusted internal IPs. Limited in-the-wild exploitation has been observed, all targeting publicly reachable portals.

No fix is available yet — patches across PAN-OS 10.2, 11.1, 11.2, and 12.1 trains are scheduled to begin shipping May 13, 2026. Until then, the only mitigations are operational: confine the portal to trusted zones or disable it outright if the feature isn’t in use. Deployments that already followed the long-standing guidance against exposing management-adjacent portals are largely insulated.

The pattern is familiar for edge security gear — a high-privilege, network-reachable component becomes a pre-auth RCE primitive, and attackers move on it before vendors ship a patch. Operators should treat any internet-facing Captive Portal as a near-term incident response priority, not a maintenance-window item.


This is an AI-generated summary. Read the original for the full story.