
PAN-OS Captive Portal zero-day enables remote code execution on exposed firewalls
Palo Alto Networks warned of a critical, unpatched vulnerability in the PAN-OS User-ID Authentication Portal (Captive Portal), tracked as CVE-2026-0300. Crafted packets can trigger the flaw, allowing unauthenticated remote code execution with root privileges on internet-exposed PA-Series and VM-Series firewalls. Exploitation has been observed as limited but ongoing, and Shadowserver counts thousands of exposed VM-Series endpoints. Until a patch is released (updates are expected May 13, 2026), admins are advised to restrict portal access to trusted networks or disable the portal. The issue does not affect Cloud NGFW or Panorama.
