ctipilot.ch


CVE-2026-0300 — Palo Alto PAN-OS Captive Portal unauthenticated root RCE; CL-STA-1132 active since 2026-04-09; no patch until 2026-05-13

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

If you did nothing this week: any PA-Series or VM-Series firewall with the User-ID Authentication Portal enabled and internet-reachable has been within the attack window since 2026-04-09 — three weeks before public disclosure (2026-05-06) and four-and-a-half weeks before the first staged patch becomes available (2026-05-13). The daily 2026-05-09 UPDATE recorded an observed dwell time of approximately 20 days from initial compromise to second-device exploitation on at least one tracked victim; the relevant retrospective-log question is whether your firewall has been compromised since mid-April, not whether it might be compromised next week.

CVE-2026-0300 (CVSS 9.3, CWE-121 stack-based buffer overflow) is an unauthenticated remote code execution in the PAN-OS User-ID Authentication Portal — a network-accessible service that a single crafted packet can exploit to gain root on the firewall's management plane (Palo Alto Networks Security Advisory, 2026-05-06 · Unit 42 primary research, 2026-05-06). CERT-EU issued a Critical Advisory (a rare designation) on disclosure day (CERT-EU 2026-006, 2026-05-06); CERT-FR followed with CERTFR-2026-AVI-0537 (CERT-FR, 2026-05-06).

Unit 42 tracks the active exploitation cluster as CL-STA-1132 and characterises it as likely state-sponsored activity. Unit 42's primary research records shellcode injection into nginx worker processes, EarthWorm / ReverseSocks5 tunnelling, and Python implants under /var/tmp/linuxupdate and /tmp/.c; the daily 2026-05-09 UPDATE additionally surfaces a rogue admin name pattern svc-health-check-[6-digit-numeric] (bypassing normal admin-role RBAC), running-configuration export including pre-shared keys, and OSPF-based internal AD enumeration — a profile consistent with T1190 Exploit Public-Facing Application, T1055 Process Injection, T1003 OS Credential Dumping, and T1572 Protocol Tunneling.

Patch availability is staged 2026-05-13 → 2026-05-28 across PAN-OS branches 10.2.x / 11.1.x / 11.2.x / 12.1.x; Cloud NGFW and Prisma Access are not affected. Until patches land, the operational expectations are (1) disable the Authentication Portal entirely where it is not required, (2) where it is required, restrict it to trusted internal IP ranges via security policy, (3) on PAN-OS 11.1+, confirm Threat ID 510019 is in blocking mode, and (4) review authentication-portal logs and admin-account listings from 2026-04-09 onward for retrospective compromise evidence (daily 2026-05-07 deep dive; daily 2026-05-09 update).
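As an added example supporting item (4), not code from the advisory or from Unit 42's research: a Python check over a PAN-OS configuration export that flags administrator entries matching the reported svc-health-check-[6-digit-numeric] pattern or absent from an approved admin inventory. The XML layout (mgt-config/users/entry), the sample export and the inventory are constructed assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Rogue admin naming pattern from the 2026-05-09 update: svc-health-check- followed by exactly six digits.
ROGUE_ADMIN_RE = re.compile(r"^svc-health-check-\d{6}$")

# Constructed sample of a PAN-OS running-config export; the mgt-config/users/entry layout is assumed.
SAMPLE_CONFIG = """<config>
  <mgt-config>
    <users>
      <entry name="admin"><permissions><role-based><superuser>yes</superuser></role-based></permissions></entry>
      <entry name="svc-health-check-482913"><permissions><role-based><superuser>yes</superuser></role-based></permissions></entry>
      <entry name="svc-health-check-12"><permissions><role-based><superreader>yes</superreader></role-based></permissions></entry>
      <entry name="netops-ro"><permissions><role-based><superreader>yes</superreader></role-based></permissions></entry>
    </users>
  </mgt-config>
</config>"""


def admin_accounts(config_xml):
    """Return (name, role) tuples for every administrator entry found in the export."""
    root = ET.fromstring(config_xml)
    found = []
    for entry in root.iterfind("./mgt-config/users/entry"):
        role = entry.find("./permissions/role-based")
        # The first child of role-based names the built-in role (superuser, superreader, ...).
        role_name = role[0].tag if role is not None and len(role) else "unknown"
        found.append((entry.get("name"), role_name))
    return found


def flag_rogue_admins(config_xml, known_admins):
    """Flag accounts that match the reported naming pattern or are missing from the approved inventory.

    The inventory diff is deliberately kept as a second, independent check: an attacker-created
    account that does not follow the observed pattern would still surface here.
    """
    findings = []
    for name, role in admin_accounts(config_xml):
        reasons = []
        if ROGUE_ADMIN_RE.match(name):
            reasons.append("matches CL-STA-1132 naming pattern")
        if name not in known_admins:
            reasons.append("not in approved admin inventory")
        if reasons:
            findings.append({"name": name, "role": role, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_rogue_admins(SAMPLE_CONFIG, {"admin", "netops-ro"}):
        print(finding)
```

Run the same check against the admin listing of every PA-Series or VM-Series device with the portal exposed; any hit warrants the full retrospective review from 2026-04-09 onward, not just account removal.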