Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution

Unit 42 describes CVE-2026-0300, a buffer overflow in PAN-OS User-ID Authentication Portal (Captive Portal) that lets an unauthenticated attacker send crafted network traffic and achieve arbitrary code execution as root on PA-Series and VM-Series firewalls. In observed intrusions, the attacker exploited the bug to inject shellcode into an nginx worker process, then removed crash logs, kernel messages, core dumps, ptrace audit evidence, and a SUID privilege-escalation binary to hinder forensics. Post-compromise activity included using firewall service account credentials for Active Directory enumeration against domain root and DomainDnsZones, plus deployment of EarthWorm and ReverseSocks5 to establish SOCKS/pivot tunnels after failover to a second active device via a SAML flood. The write-up is notable because it ties an internet-exposed edge-device zero-day to likely state-sponsored exploitation and gives concrete defensive guidance: restrict Captive Portal to trusted zones, disable Response Pages on untrusted ingress interfaces, or disable the portal entirely, with Threat ID 510019 available for customers running supported PAN-OS/ATP content versions.
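As an added example (not code from the Unit 42 write-up), a small detector for the post-compromise Active Directory enumeration described above: it flags a firewall's User-ID service account reading DomainDnsZones or running a subtree search from the domain root, activity such an account has no legitimate need for. The pipe-separated log format, account names, IPs and domain are constructed for illustration.

```python
"""Flag Active Directory enumeration by firewall service accounts.

Constructed example: each LDAP search record is one line in the form
time|account|client_ip|base_dn|scope|filter. Accounts, IPs and DNs are
made up; real LDAP audit sources will need their own parser.
"""
from collections import defaultdict

# Assumption: the accounts the firewalls use for User-ID / group mapping.
FIREWALL_SVC_ACCOUNTS = {"svc-panos-userid", "svc-fw-ldap"}
DOMAIN_ROOT = "DC=corp,DC=example"

# Constructed sample: normal group-mapping reads, then enumeration.
SAMPLE_LOG = """\
2026-01-12T03:14:05Z|svc-panos-userid|10.0.5.2|OU=Users,DC=corp,DC=example|sub|(objectClass=user)
2026-01-12T03:14:06Z|svc-panos-userid|10.0.5.2|OU=Groups,DC=corp,DC=example|sub|(objectClass=group)
2026-01-12T03:21:40Z|svc-panos-userid|10.0.5.2|DC=corp,DC=example|sub|(objectClass=*)
2026-01-12T03:21:41Z|svc-panos-userid|10.0.5.2|DC=DomainDnsZones,DC=corp,DC=example|sub|(objectClass=dnsNode)
2026-01-12T03:22:10Z|alice|10.0.9.15|DC=corp,DC=example|sub|(objectClass=*)
"""

def parse(line):
    ts, account, ip, base, scope, flt = line.split("|", 5)
    return {"ts": ts, "account": account, "ip": ip, "base": base, "scope": scope, "filter": flt}

def is_suspicious(rec):
    """A firewall service account only needs users and groups under its configured
    OUs; a DomainDnsZones read or a wide-open subtree search from the domain root
    is enumeration. Returns a reason string, or None for unremarkable records."""
    if rec["account"] not in FIREWALL_SVC_ACCOUNTS:
        return None  # other accounts need their own baseline; out of scope here
    base = rec["base"].lower()
    if base.startswith("dc=domaindnszones,"):
        return "DomainDnsZones read"
    if base == DOMAIN_ROOT.lower() and rec["scope"] == "sub" and rec["filter"] == "(objectClass=*)":
        return "domain-root subtree enumeration"
    return None

def find_enumeration(log_text):
    """Group flagged records by account: {account: [(ts, reason, base_dn), ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        reason = is_suspicious(rec)
        if reason:
            hits[rec["account"]].append((rec["ts"], reason, rec["base"]))
    return dict(hits)

if __name__ == "__main__":
    for account, events in find_enumeration(SAMPLE_LOG).items():
        print(account)
        for ts, reason, base in events:
            print(f"  {ts}  {reason}: {base}")
```

A real deployment would feed this from the domain controllers' LDAP search logging and keep the service-account set in sync with the firewalls' User-ID configuration.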

This post is licensed under CC BY 4.0 by the author.