Warning: Critical Remote Code Execution vulnerability in Palo Alto PAN-OS User-ID Authentication Portal, Apply patches as soon as available!

Published: 11/05/2026
  • Last update:  11/05/2026
  • Affected software: Palo Alto PAN-OS User-ID Authentication Portal
  • Type: Remote Code Execution (RCE)
  • CVE/CVSS: CVE-2026-0300: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


Sources

Risks

The Palo Alto Networks User-ID Authentication Portal, commonly called the Captive Portal, is a non-default feature in PAN-OS that identifies users on a network by forcing them to authenticate through a web page before they can access protected resources or the internet. It is part of the broader User-ID framework, which maps IP addresses to usernames so firewall policies can be based on who the user is instead of only IP addresses.

CVE-2026-0300, a buffer overflow vulnerability in the User-ID Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software, allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.

If successfully exploited, attackers gain full control over the firewall, enabling them to bypass security policies, intercept or manipulate traffic, and compromise the entire network. This has a high impact on confidentiality, integrity and availability.

The vendor has confirmed that this vulnerability is being actively exploited in the wild.

Description

A critical security vulnerability, CVE-2026-0300, has been identified in Palo Alto Networks PAN-OS and affects the User-ID Authentication Portal service on PA-Series and VM-Series firewalls. Prisma Access, Cloud NGFW and Panorama appliances are not impacted by this vulnerability.

This issue is applicable only to PA-Series and VM-Series firewalls that are configured to use the User-ID Authentication Portal. This feature is not enabled by default. Customers are impacted if both of the following conditions are true:

  • The User-ID Authentication Portal is configured in the User-ID Authentication Portal Settings page.
  • An interface management profile with response pages enabled is attached to any L3 interface in any zone where untrusted/internet traffic can ingress.

The risk of this issue is greatly reduced if you secure access to the User-ID Authentication Portal per the best practice guidelines by restricting access to only trusted internal IP addresses.
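The two conditions above can be checked offline against an exported running configuration. The script below is an added example, not vendor code: it parses a constructed XML fragment modelled on a PAN-OS config export and reports L3 interfaces whose management profile serves response pages in a zone you consider untrusted. The element names (`captive-portal/enable-captive-portal`, `interface-management-profile/entry/response-pages`, `zone/entry/network/layer3/member`) and the `UNTRUSTED_ZONES` set are assumptions; verify them against your own exported configuration before relying on the result.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on a PAN-OS running-config export.
# Element names are an assumption; compare with your own export.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
  <network>
    <profiles><interface-management-profile>
      <entry name="allow-portal"><response-pages>yes</response-pages></entry>
      <entry name="mgmt-only"><response-pages>no</response-pages></entry>
    </interface-management-profile></profiles>
    <interface><ethernet>
      <entry name="ethernet1/1"><layer3>
        <interface-management-profile>allow-portal</interface-management-profile>
      </layer3></entry>
      <entry name="ethernet1/2"><layer3>
        <interface-management-profile>mgmt-only</interface-management-profile>
      </layer3></entry>
    </ethernet></interface>
  </network>
  <vsys><entry name="vsys1">
    <captive-portal><enable-captive-portal>yes</enable-captive-portal></captive-portal>
    <zone>
      <entry name="untrust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
      <entry name="trust"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
    </zone>
  </entry></vsys>
</entry></devices></config>"""

# Zones where internet/untrusted traffic can ingress: site-specific, an assumption here.
UNTRUSTED_ZONES = {"untrust"}


def exposed_portal_interfaces(config_xml: str, untrusted_zones=UNTRUSTED_ZONES):
    """Return (portal_enabled, [(interface, profile, zone), ...]) where each finding
    is an L3 interface with a response-page-enabled profile in an untrusted zone."""
    root = ET.fromstring(config_xml)
    portal_enabled = any((cp.findtext("enable-captive-portal") or "").strip() == "yes"
                         for cp in root.iter("captive-portal"))
    # Profiles that serve response pages (the second condition in the advisory).
    resp_profiles = {e.get("name")
                     for e in root.findall(".//profiles/interface-management-profile/entry")
                     if (e.findtext("response-pages") or "").strip() == "yes"}
    # Map each L3 interface to the zone it is a member of.
    zone_of = {m.text.strip(): z.get("name")
               for z in root.findall(".//zone/entry")
               for m in z.findall("network/layer3/member")}
    findings = []
    for iface in root.findall(".//network/interface/ethernet/entry"):
        prof = (iface.findtext("layer3/interface-management-profile") or "").strip()
        zone = zone_of.get(iface.get("name"))
        if prof in resp_profiles and zone in untrusted_zones:
            findings.append((iface.get("name"), prof, zone))
    return portal_enabled, findings
```

Both conditions hold only when `portal_enabled` is true and the findings list is non-empty; an empty list with the portal enabled means the exposed-interface condition is not met for the zones you listed.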

Successful exploitation results in root access on the underlying OS of the firewall. Root access means the attacker has unrestricted privileges on the firewall. They can modify system files, install malware, or change firewall configurations.

Limited exploitation has been observed targeting Palo Alto Networks User-ID Authentication Portals that are exposed to untrusted IP addresses and/or the public internet. Post-exploitation activity includes deployment of publicly available tunneling tools (EarthWorm, ReverseSocks5), Active Directory enumeration using credentials likely obtained from the firewall, and the systematic destruction of logs and other evidence of compromise.

Recommended Actions

Mitigate
Pending vendor patches, the Centre for Cybersecurity Belgium strongly recommends securing access to your User-ID Authentication Portal by implementing the instructions in the workarounds section of the vendor advisory. 

Patch
The Centre for Cybersecurity Belgium strongly recommends prioritizing the patching of vulnerable devices with the highest priority, after thorough testing, once patches become available. Patches are currently planned for release on May 13 and May 28. Based on your risk profile, the Centre for Cybersecurity Belgium recommends considering a switch to a different release train that receives patches earlier.
 
Monitor/Detect 
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
 
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References