
CVE-2026-0300: Palo Alto PAN-OS Out-of-Bounds Write Leads to Root RCE on Firewalls

CVE Details

CVE ID:        CVE-2026-0300
CVSS Score:    9.8
Severity:      Critical
Vendor:        Palo Alto Networks
Product:       PAN-OS
Patch Status:  Available
Published:     May 21, 2026

Background

PAN-OS is the operating system powering Palo Alto Networks’ PA-Series hardware firewalls and VM-Series virtualised firewalls — among the most widely deployed next-generation firewall platforms in enterprise and government networks. Because these devices sit at network perimeters, remote code execution vulnerabilities on them are among the highest-severity classes of infrastructure flaw imaginable: attackers gain a root-level foothold on a device that sees all traffic crossing the network boundary.

CVE-2026-0300 affects the Captive Portal feature and the User-ID service, both of which are commonly enabled in corporate environments for user authentication and identity-based policy enforcement. The vulnerability allows unauthenticated attackers to achieve remote code execution as root without any user interaction.

Technical Mechanism

The vulnerability is an out-of-bounds write in the HTTP request handling component of the PAN-OS GlobalProtect/Captive Portal listener. When processing certain HTTP headers — specifically a crafted X-Forwarded-For value combined with an oversized cookie — the internal buffer allocated to hold the parsed header values is smaller than the data being written.

The underlying issue is in a C-language string copy operation within the pan_httpd daemon. The code uses strcpy() rather than the length-bounded strncpy() equivalent, and the destination buffer is statically sized at 1024 bytes. A header value exceeding this length writes past the buffer boundary into adjacent heap memory.
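The bounded-copy form that removes the defect described above, as an added illustration rather than pan_httpd's own code; HDR_BUF_SZ matches the advisory's 1024-byte buffer, while copy_header_value and check_value_len are hypothetical names chosen here. An over-long value is rejected (so the request can be refused and logged) instead of being truncated or written past the buffer:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Buffer size taken from the advisory (1024-byte static destination).
 * Function and variable names below are hypothetical, not pan_httpd's. */
#define HDR_BUF_SZ 1024

/* Hardened replacement for the unbounded copy the advisory describes
 * (strcpy() into a fixed 1024-byte array). The scan and copy are bounded
 * by the destination size, and an over-long value is rejected outright
 * rather than silently truncated, so the caller can refuse the request
 * and record the event. Returns 0 on success, -1 if value plus its NUL
 * terminator does not fit in dst. */
int copy_header_value(char *dst, size_t dstsz, const char *value)
{
    size_t n = 0;
    if (dstsz == 0)
        return -1;
    while (n < dstsz && value[n] != '\0')   /* never reads past dstsz */
        n++;
    if (n == dstsz)                          /* no room for the terminator */
        return -1;
    memcpy(dst, value, n);
    dst[n] = '\0';
    return 0;
}

/* Helper: build a constructed header value of `len` bytes of 'A' and try
 * to store it in a HDR_BUF_SZ buffer. Returns the copy result (0 / -1). */
int check_value_len(size_t len)
{
    char dst[HDR_BUF_SZ];
    char *value = malloc(len + 1);
    int rc;
    if (!value)
        return -2;
    memset(value, 'A', len);
    value[len] = '\0';
    rc = copy_header_value(dst, sizeof dst, value);
    free(value);
    return rc;
}

int main(void)
{
    size_t lens[] = { 11, HDR_BUF_SZ - 1, HDR_BUF_SZ, 1500 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("value of %zu bytes: %s\n", lens[i],
               check_value_len(lens[i]) == 0 ? "accepted" : "rejected");
    return 0;
}
```

A 1023-byte value is the largest that fits; 1024 bytes and above, which strcpy() would have written past the end of the array, are refused.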

The heap layout in the affected PAN-OS versions is predictable due to deterministic memory allocation patterns in the daemon’s startup sequence. An attacker can:

  1. Send a crafted HTTP request with a specifically sized overflow payload that overwrites a function pointer stored in an adjacent heap structure.
  2. The overwritten pointer is called during the request-completion phase, redirecting execution to attacker-controlled shellcode or a ROP gadget chain.
  3. Because pan_httpd runs as root to bind privileged ports, the resulting execution context has full root access.

The Captive Portal listener is accessible on the management interface by default and — critically — on the data-plane interface in many deployments where Captive Portal authentication is configured for end-user traffic. This is the primary reason the CVSS score reaches 9.8: unauthenticated, network-accessible, no user interaction, root impact.

Real-World Exploitation Evidence

Palo Alto’s Unit 42 threat intelligence team confirmed in-the-wild exploitation concurrent with the CVE’s public disclosure. Notably, exploitation preceded the advisory by an estimated 11 days — implying an adversary had access to vulnerability details ahead of patching being available, a pattern consistent with targeted supply-chain intelligence or uncoordinated disclosure.

Documented post-exploitation activities include:

  • Installation of reverse shells as systemd services on VM-Series appliances in cloud environments
  • Interception of GlobalProtect VPN credentials transiting the firewall
  • Deployment of a kernel rootkit designed to survive PAN-OS software upgrades (persisting via the management plane partition)
  • Lateral movement to internal networks by creating static routes through the compromised firewall

Nation-state affiliated actors were attributed in at least three confirmed incidents affecting critical infrastructure organisations.

Impact Assessment

Root RCE on a firewall is categorically severe:

  • Complete perimeter bypass: The attacker controls the inspection engine. Traffic rules, SSL decryption, threat prevention — all become advisory.
  • Credential harvest: VPN and Captive Portal authentication sessions visible at the data plane.
  • Persistence mechanisms: PAN-OS’s limited attestation means a skilled attacker can persist through most remediation steps short of hardware replacement or secure wipe.
  • Pivot platform: The firewall’s trusted network position enables man-in-the-middle attacks against internal communications.

Cloud deployments (VM-Series on AWS, Azure, GCP) face additional risk because the management interface is often reachable from broader internet ranges due to misconfigured security groups.

Affected Versions

PAN-OS Version   Affected            Fixed Version
10.1             10.1.0 – 10.1.13    10.1.14
10.2             10.2.0 – 10.2.10    10.2.11
11.0             11.0.0 – 11.0.5     11.0.6
11.1             11.1.0 – 11.1.3     11.1.4
11.2             11.2.0 – 11.2.1     11.2.2

PAN-OS 9.x and 10.0.x are end-of-life; no patches are available for those branches.

Remediation Steps

Critical priority — patch immediately:

  1. Update PAN-OS: Navigate to Device > Software in the PAN-OS web console and install the applicable fixed release. PA-Series devices require an HA pair failover to minimise downtime.

  2. Disable Captive Portal if unused: If Captive Portal authentication is not required, disable it via Network > GlobalProtect > Portals and remove any Captive Portal zone configurations.

  3. Restrict management interface access: In Device > Setup > Management > Management Interface Settings, restrict permitted IP ranges to known management hosts. Never expose the management interface to the internet.

  4. Rotate GlobalProtect credentials: All VPN user credentials should be considered compromised if the device was internet-exposed prior to patching.

  5. Run the Compromise Assessment: Use Palo Alto’s published IOC list to search for known indicators on the device filesystem.

Interim workaround: Disable the Captive Portal listener on data-plane interfaces (set zone <zone-name> network layer3 enable-captive-portal no) until patching is complete.

Detection Guidance

Examine PAN-OS system logs for:

  • Unexpected pan_httpd crashes or restarts (visible in show log system)
  • Connections from non-management IPs to TCP/443 on management interfaces
  • New services or cronjobs not part of standard PAN-OS configuration
  • Unexpected outbound connections from the firewall management IP

Snort/Suricata signature (informational — not a substitute for patching):

alert tcp any any -> $MGMT_NETS 443 (msg:"CVE-2026-0300 PAN-OS OOB Write probe"; content:"X-Forwarded-For|3A|"; pcre:"/X-Forwarded-For\s*:\s*.{600,}/"; sid:20260300; rev:1;)
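The same check as the signature above, applied offline to a captured request so it can be run over exported HTTP captures or web-proxy logs; this is an added example, not Palo Alto's tooling, and count_oversized_headers and build_request are hypothetical names. PROBE_LEN mirrors the rule's 600-byte threshold, and the function flags any header whose value reaches it, not only X-Forwarded-For, since the advisory names the oversized cookie as part of the same pattern:

```c
#include <stdlib.h>
#include <string.h>

/* Threshold mirrors the advisory's signature (600+ byte X-Forwarded-For). */
#define PROBE_LEN 600

/* Scan one raw HTTP/1.1 request and count header lines whose value is at
 * least `limit` bytes long; the first such header's name is copied into
 * `first` (if non-NULL). Returns -1 when the header block has no
 * terminating empty line (truncated capture). Hypothetical helper. */
int count_oversized_headers(const char *req, size_t limit,
                            char *first, size_t first_sz)
{
    const char *p = strstr(req, "\r\n");     /* skip the request line */
    int hits = 0;
    if (!p) return -1;
    p += 2;
    while (1) {
        const char *eol = strstr(p, "\r\n"), *colon, *v;
        if (!eol) return -1;
        if (eol == p) break;                  /* empty line ends headers */
        colon = memchr(p, ':', (size_t)(eol - p));
        if (colon) {
            v = colon + 1;
            while (v < eol && (*v == ' ' || *v == '\t')) v++;   /* skip OWS */
            if ((size_t)(eol - v) >= limit) {
                if (hits++ == 0 && first && first_sz) {
                    size_t nl = (size_t)(colon - p);
                    if (nl >= first_sz) nl = first_sz - 1;
                    memcpy(first, p, nl);
                    first[nl] = '\0';
                }
            }
        }
        p = eol + 2;
    }
    return hits;
}

/* Constructed sample request with an X-Forwarded-For value of xff_len 'A's. */
char *build_request(size_t xff_len)
{
    const char *head = "GET / HTTP/1.1\r\nHost: fw.example\r\nX-Forwarded-For: ";
    const char *tail = "\r\nCookie: session=abc\r\n\r\n";
    char *r = malloc(strlen(head) + xff_len + strlen(tail) + 1);
    if (!r) return NULL;
    strcpy(r, head);
    memset(r + strlen(head), 'A', xff_len);
    strcpy(r + strlen(head) + xff_len, tail);
    return r;
}
```

A -1 result means the capture was cut off before the end of the headers and should be treated as inconclusive rather than clean.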

Timeline

Date         Event
2026-04-19   First exploitation observed in targeted campaigns
2026-04-30   Palo Alto Networks releases patched PAN-OS versions
2026-05-01   CVE assigned, advisory published
2026-05-05   CISA adds to KEV catalogue, issues emergency directive
2026-05-12   Mass scanning observed across internet
2026-05-21   This analysis published