ctipilot.ch

Palo Alto PAN-OS Captive Portal — unauthenticated root RCE (CVSS 9.3, ITW, KEV deadline 2026-05-09)

Entity type: cve · CVE-2026-0300 · SINGLE-SOURCE

  • Coverage timeline: 11 entries (first 2026-05-07 → last 2026-05-25)
  • Briefs: 9 (9 distinct)
  • Sources cited: 20 (12 hosts)
  • Sections touched: 5 (action_items, active_vulns, immediate_actions)
  • Co-occurring entities: 8

Story timeline

  1. 2026-05-18 · CTI Daily Brief — 2026-05-18 · updates
     UPDATE — Palo Alto PSIRT revised 2026-05-16 with retimed fix-release schedule for 10.2.13-h21 (May 16) and 10.2.16-h7 (May 14). Wave-2 patch target remains 2026-05-28. Active exploitation continues.
  2. 2026-05-18 · CTI Daily Brief — 2026-05-18 · action_items
     Action: inventory PAN-OS builds; if 10.2.13-h21 or 10.2.16-h7, verify Captive Portal mitigation remains active until wave-2 patch.
  3. 2026-05-17 · CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · weekly_summary
     Consolidated in weekly summary for 2026-W20
  4. 2026-05-14 · CTI Daily Brief — 2026-05-14 · updates
     UPDATE: Palo Alto PSIRT 2026-05-13 announces patch wave 2 for eight build streams (12.1.7, 11.2.4-h17, 11.2.12, 11.1.7-h6, 11.1.15, 10.2.7-h34, 10.2.13-h21, 10.2.16-h7) delayed to 2026-05-28; operators on those builds run interim mitigation only. CL-STA-1132 ITW continues. KEV deadline 2026-05-09 expired (FCEB only, no CH/EU weight).
  5. 2026-05-13 · CTI Daily Brief — 2026-05-13 · updates
     First-wave patched PAN-OS builds released 2026-05-13 (12.1.4-h5, 12.1.7 staged 05/28; 11.2/11.1/10.2 staged 05/13–05/28).
  6. 2026-05-13 · CTI Daily Brief — 2026-05-13 · action_items
     Action item referencing in-brief detail.
  7. 2026-05-12 · CTI Daily Brief — 2026-05-12 · immediate_actions
     First wave of PAN-OS fixed builds released today (12.1.4-h5, 11.2.7-h13, 11.2.10-h6, 11.1.4-h33/.6-h32/.10-h25/.13-h5, 10.2.10-h36, 10.2.18-h6); second wave ~2026-05-28 covering remaining branches. Surfaced as Immediate Action callout in § 0 + § 6 Action Item.
  8. 2026-05-10 · CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · weekly_summary
     Consolidated in weekly summary for week 2026-W19
  9. 2026-05-09 · CTI Daily Brief — 2026-05-09 · updates
     UPDATE: KEV deadline TODAY 2026-05-09. No patch released yet (expected 2026-05-13). CL-STA-1132 post-exploitation detail: rogue admin accounts (svc-health-check-NNNNNN), Python tunnelling implants under /tmp/.update-service, 4-17 day dwell time.
  10. 2026-05-08 · CTI Daily Brief — 2026-05-08 · updates
     UPDATE: CISA KEV deadline is today (2026-05-09). No patch until 2026-05-13. Mitigation (disable Captive Portal or restrict to internal IPs) must be confirmed applied; treat as P0.
  11. 2026-05-07 · CTI Daily Brief — 2026-05-07 · active_vulns
     First coverage. Critical unauthenticated RCE in PAN-OS Captive Portal; CERT-EU Critical Advisory 2026-006; CISA KEV deadline 2026-05-09; exploitation since 2026-04-09 by CL-STA-1132 (likely state-sponsored); no patch until 2026-05-13. Deep dive § 5.

Where this entity is cited

  • updates: 5
  • weekly_summary: 2
  • action_items: 2
  • active_vulns: 1
  • immediate_actions: 1

Source distribution

  • attack.mitre.org: 7 (35%)
  • security.paloaltonetworks.com: 2 (10%)
  • unit42.paloaltonetworks.com: 2 (10%)
  • cert.europa.eu: 1 (5%)
  • arcticwolf.com: 1 (5%)
  • bleepingcomputer.com: 1 (5%)
  • blog.checkpoint.com: 1 (5%)
  • cert.ssi.gouv.fr: 1 (5%)
  • other: 4 (20%)

Items in briefs about Palo Alto PAN-OS Captive Portal — unauthenticated root RCE (CVSS 9.3, ITW, KEV deadline 2026-05-09) (8)

UPDATE: CVE-2026-0300 PAN-OS Captive Portal — revised fix-release timelines for 10.2.13-h21 and 10.2.16-h7; wave-2 target remains 2026-05-28

From CTI Daily Brief — 2026-05-18 · published 2026-05-18

UPDATE (originally covered 2026-05-07 deep dive): The Palo Alto Networks PSIRT advisory for CVE-2026-0300 was revised on 2026-05-16 to update the per-build fix-release schedule: PAN-OS 10.2.13-h21 was retimed on 2026-05-16, 10.2.16-h7 on 2026-05-14. Both are commonly deployed LTS branches in large enterprise and government estates; PA-Series and VM-Series devices on those two specific builds remain mitigation-only.

The wave-2 patch target for the remaining outstanding builds remains 2026-05-28. No new exploitation evidence accompanied the revision; the actively-exploited posture (unauthenticated heap overflow in the User-ID Authentication Portal / Captive Portal service, CVSS 9.3, pre-auth root RCE) reported in prior briefs continues. Defender action: verify each PA / VM appliance's installed PAN-OS build against the advisory's per-version patch matrix; if the installed build is 10.2.13-h21 or 10.2.16-h7, confirm the Captive Portal / User-ID Authentication Portal mitigation (disable the feature if unused, or apply the published Threat Prevention rule) remains active until the wave-2 fix lands.

PAN-OS CVE-2026-0300 — wave 2 confirmed delayed to 2026-05-28; eight build streams remain on mitigation-only for a further 11 days

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

If you did nothing this week: any PA-Series or VM-Series firewall running PAN-OS 12.1.7, 11.2.4-h17, 11.2.12, 11.1.7-h6, 11.1.15, 10.2.7-h34, 10.2.13-h21, or 10.2.16-h7 with User-ID Authentication Portal / Captive Portal exposed to untrusted IPs has been within CL-STA-1132's exploitation window since 2026-04-09 (W19 baseline) and will remain so until 2026-05-28 — eleven calendar days past today. The Palo Alto PSIRT advisory was updated 2026-05-16 confirming the staggered two-wave schedule (wave 1 landed 2026-05-13 for 11.2.7-h13 / 11.2.10-h6 / 11.1.4-h33 / 11.1.6-h32 / 11.1.10-h25 / 11.1.13-h5 / 10.2.10-h36 / 10.2.18-h6; wave 2 covers the remaining branches on 2026-05-28). Limited ITW exploitation continues (Palo Alto PSIRT CVE-2026-0300; daily 2026-05-14 UPDATE; daily 2026-05-13 UPDATE).

The interim mitigation remains the only available control for wave-2 build-streams: restrict User-ID Authentication Portal to trusted zones, disable Response Pages on external-facing L3 interface management profiles, and (for Threat Prevention subscribers on PAN-OS ≥ 11.1 with content version ≥ 9097-10022) enable Threat ID 510019. The retrospective-hunt artefact set documented in W19 — svc-health-check-NNNNNN rogue-admin accounts, Python implants under /var/tmp/linuxupdate, /var/tmp/linuxap, and /tmp/.c — remains the right starting point for organisations exposed during the four-and-a-half-week pre-patch window between 2026-04-09 and their eventual upgrade date.
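As an added illustration of the build-inventory check the briefs ask for (not code from ctipilot.ch, Palo Alto Networks or Unit 42): a small Python triage that parses PAN-OS build strings and sorts an inventory against the wave-1 fixed builds and wave-2 pending builds listed above. The rule that a later hotfix on the same x.y.z base carries the fix is an assumption of this example, not something the advisory states; the hostnames are constructed.

```python
import re

# Build lists exactly as given in the briefs: wave 1 shipped 2026-05-13, wave 2 ETA 2026-05-28.
WAVE1_FIXED = {"12.1.4-h5", "11.2.7-h13", "11.2.10-h6", "11.1.4-h33", "11.1.6-h32",
               "11.1.10-h25", "11.1.13-h5", "10.2.10-h36", "10.2.18-h6"}
WAVE2_PENDING = {"12.1.7", "11.2.4-h17", "11.2.12", "11.1.7-h6", "11.1.15",
                 "10.2.7-h34", "10.2.13-h21", "10.2.16-h7"}
WAVE2_DATE = "2026-05-28"

_BUILD_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_build(build: str) -> tuple[int, int, int, int]:
    """Split 'major.minor.maint[-hN]' into a sortable tuple; a missing hotfix counts as 0."""
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS build string: {build!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def triage(build: str) -> str:
    """Classify one installed build against the two patch waves from the briefs.

    Assumption (not from the advisory): a hotfix numbered at or above the wave-1
    fixed hotfix on the same x.y.z base carries the fix.
    """
    build = build.strip()
    installed = parse_build(build)
    if build in WAVE2_PENDING:
        return f"mitigation-only: fixed build due {WAVE2_DATE}; keep Captive Portal restricted"
    for fixed in WAVE1_FIXED:
        f = parse_build(fixed)
        if f[:3] == installed[:3]:
            if installed[3] >= f[3]:
                return "fixed: wave-1 build or later hotfix installed"
            return f"vulnerable: upgrade to {fixed} (wave 1, shipped 2026-05-13)"
    return "unknown stream: check PSIRT per-version matrix; enforce mitigation meanwhile"


def triage_inventory(inventory: dict[str, str]) -> dict[str, str]:
    """Map hostname -> verdict for a {hostname: build} inventory."""
    return {host: triage(build) for host, build in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and builds are illustrative only.
    sample = {"fw-edge-01": "12.1.4-h5", "fw-edge-02": "12.1.7", "fw-dc-01": "11.1.4-h30"}
    for host, verdict in triage_inventory(sample).items():
        print(f"{host}: {verdict}")
```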

UPDATE: CVE-2026-0300 PAN-OS Captive Portal — patch wave 2 delayed to 2026-05-28 for eight high-traffic build streams; mitigation remains the only option on those builds [SINGLE-SOURCE]

From CTI Daily Brief — 2026-05-14 · published 2026-05-14

UPDATE (originally covered 2026-05-07 deep dive, last updated 2026-05-13): Palo Alto Networks PSIRT updated its CVE-2026-0300 advisory on 2026-05-13 to reflect first-wave patch availability and to disclose a second patch wave with an ETA of 2026-05-28 for eight commonly-deployed build streams: PAN-OS 12.1.7, 11.2.4-h17, 11.2.12, 11.1.7-h6, 11.1.15, 10.2.7-h34, 10.2.13-h21 and 10.2.16-h7 (Palo Alto Networks PSIRT, updated 2026-05-13). Operators running any of those builds cannot patch yet; the interim mitigation — restrict User-ID Authentication Portal to trusted zones, or disable Captive Portal if unused — is the only option until 28 May. CL-STA-1132 in-the-wild exploitation continues; the cluster's tradecraft (EarthWorm / ReverseSocks5 tunnels, AD enumeration via firewall service account, deliberate log destruction) is unchanged from prior coverage (Unit 42 — Captive Portal Zero-Day, 2026-05-06).

The CISA KEV entry was updated on 2026-05-13 to note "Palo Alto has released a variety of patches"; the FCEB remediation deadline (2026-05-09) has already expired. Per PD-13 the KEV deadline is not the operational driver in CH/EU — the active-exploitation status, the affected-build delay, and the CL-STA-1132 attribution are. The wave-2 delay specifics are documented in the vendor PSIRT advisory and were not independently corroborated by HIGH-reliability third-party reporting in window; treat the eight-build "ETA 05/28" list as vendor-primary and verify against the live PSIRT entry before any rollout planning.

UPDATE: PAN-OS CVE-2026-0300 — first-wave patched builds released on 2026-05-13

From CTI Daily Brief — 2026-05-13 · published 2026-05-13

UPDATE (originally covered 2026-05-12): Palo Alto Networks released the first wave of patched PAN-OS builds on 2026-05-13 for the actively-exploited Captive Portal pre-auth RCE, covering PAN-OS 10.2, 11.1, 11.2 and 12.1 (Palo Alto Networks PSIRT, last updated 2026-05-07; patch table confirmed 2026-05-13). Concretely: PAN-OS 12.1.4-h5 (2026-05-13) plus 12.1.7 (planned 2026-05-28); multiple PAN-OS 11.2 builds staged from 2026-05-13 to 2026-05-28; PAN-OS 11.1 and 10.2 on a similar cadence. Prisma Access, Cloud NGFW and Panorama remain unaffected. Threat Prevention signature ID 510019 remains the interim control for any unpatched instance. The CISA KEV deadline of 2026-05-09 is — per the audience-applicability rule in the daily prompt — irrelevant for CH/EU jurisdiction; the operational driver is the active exploitation by CL-STA-1132 documented previously.

UPDATE: Palo Alto PAN-OS CVE-2026-0300 — first-wave fixed builds now scheduled for 2026-05-13; until then interim mitigation remains the only option

From CTI Daily Brief — 2026-05-12 · published 2026-05-12

UPDATE (originally covered as the 2026-05-07 deep dive; updates 2026-05-08 → 2026-05-10): Palo Alto Networks' PSIRT page for CVE-2026-0300 (last updated 2026-05-07 at time of run) now lists first-wave fixed builds with an ETA of 2026-05-13 for several mainline branches and a second wave around 2026-05-28 for the remaining branches; no patched build is yet shipped against the unauthenticated root RCE in the User-ID Authentication Portal / Captive Portal service. The CL-STA-1132 cluster attribution and the ~2026-04-09 first-observed-exploitation date come from Unit 42's separate Captive Portal Zero-Day threat bulletin, not from the PSIRT advisory itself.

Operationally: until the 05/13 first-wave builds ship, the interim Threat Prevention signature 510019 plus source-IP restriction of the captive-portal interface to trusted internal ranges remain the only defender controls for branches that do not yet have a fixed build. PA-Series and VM-Series operators with User-ID Authentication Portal or Captive Portal exposed should treat tomorrow as a pre-staged deployment window — confirm a tested rollback path, validate the interim signature is enforced (Threat Prevention licence required), and verify the captive-portal listener is reachable only from authorised source ranges. Prisma Access, Cloud NGFW and Panorama are not affected. The CISA KEV deadline (2026-05-09) has already expired for FCEB agencies and per PD-13 does not drive Swiss/EU action framing on its own — the operational driver is the actively-exploited ITW status and the imminent first-wave patch ship date.

Pre-stage PAN-OS Captive Portal upgrade for the 2026-05-13 first-wave release; keep interim mitigation enforced until then

From CTI Daily Brief — 2026-05-12 · published 2026-05-12

For any PA-Series / VM-Series perimeter device on PAN-OS 12.1, 11.2, 11.1, or 10.2 that has User-ID Authentication Portal or Captive Portal enabled, prepare today for the 2026-05-13 first-wave build release per Palo Alto's PSIRT advisory for CVE-2026-0300: confirm a tested rollback path, validate the change window for tomorrow, and pre-fetch release notes the moment the fixed builds publish. Until the first-wave builds ship, keep Threat Prevention signature 510019 enforced (requires Threat Prevention licence) and restrict the captive-portal listener to trusted internal source ranges. The second wave is expected around 2026-05-28 for the remaining branches (12.1.7, 11.2.4-h17, 11.2.12, 11.1.7-h6, 11.1.15, 10.2.7-h34, 10.2.13-h21, 10.2.16-h7); plan a second deployment window then. The CISA KEV deadline has expired but the operational driver here is active ITW exploitation per Unit 42 — Captive Portal Zero-Day, not the FCEB compliance date.

CVE-2026-0300 — Palo Alto PAN-OS Captive Portal unauthenticated root RCE; CL-STA-1132 active since 2026-04-09; no patch until 2026-05-13

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

If you did nothing this week: any PA-Series or VM-Series firewall with the User-ID Authentication Portal enabled and internet-reachable has been within the attack window since 2026-04-09 — three weeks before public disclosure (2026-05-06) and four-and-a-half weeks before the first staged patch becomes available (2026-05-13). The daily 2026-05-09 UPDATE recorded an observed dwell time of approximately 20 days from initial compromise to second-device exploitation on at least one tracked victim; the relevant retrospective-log question is whether your firewall has been compromised since mid-April, not whether it might be compromised next week.

CVE-2026-0300 (CVSS 9.3, CWE-121 stack-based buffer overflow) is an unauthenticated remote code execution in the PAN-OS User-ID Authentication Portal — a network-accessible service that a single crafted packet exploits to root on the firewall's management plane (Palo Alto Networks Security Advisory, 2026-05-06 · Unit 42 primary research, 2026-05-06). CERT-EU issued a Critical Advisory (rare designation) on disclosure day (CERT-EU 2026-006, 2026-05-06); CERT-FR followed with CERTFR-2026-AVI-0537 (CERT-FR, 2026-05-06). Unit 42 tracks the active exploitation cluster as CL-STA-1132 and characterises it as likely state-sponsored activity.

Unit 42's primary research records shellcode injection into nginx worker processes, EarthWorm / ReverseSocks5 tunnelling, and Python implants under /var/tmp/linuxupdate and /tmp/.c; the daily 2026-05-09 UPDATE additionally surfaces a rogue admin name pattern svc-health-check-[6-digit-numeric] (bypassing normal admin-role RBAC), running-configuration export including pre-shared keys, and OSPF-based internal AD enumeration — a profile consistent with T1190 Exploit Public-Facing Application, T1055 Process Injection, T1003 OS Credential Dumping, and T1572 Protocol Tunneling.

Patch availability is staged 2026-05-13 → 2026-05-28 across PAN-OS branches 10.2.x / 11.1.x / 11.2.x / 12.1.x; Cloud NGFW and Prisma Access are not affected. Until patches land, the operational expectations are (1) disable the Authentication Portal entirely where it is not required, (2) restrict it to trusted internal IP ranges via security policy where it is, (3) PAN-OS 11.1+ users should confirm Threat ID 510019 is in blocking mode, and (4) review authentication-portal logs and admin-account listings from 2026-04-09 onward for retrospective compromise evidence (daily 2026-05-07 deep dive; daily 2026-05-09 update).
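An added example (not from the brief, Unit 42 or Palo Alto Networks) of the retrospective admin-account and file-path review in expectation (4), using only the indicators the summaries name: the svc-health-check-NNNNNN admin pattern, the implant locations, and the 2026-04-09 window start. The admin export format, the approved-admin list and all sample entries are constructed for the example.

```python
import re
from datetime import date

# Indicators as named in the briefs (2026-05-09 update, W19 and W20 summaries).
ROGUE_ADMIN_RE = re.compile(r"^svc-health-check-\d{6}$")
IMPLANT_LOCATIONS = ("/var/tmp/linuxupdate", "/var/tmp/linuxap", "/tmp/.c", "/tmp/.update-service")
FIRST_OBSERVED = "2026-04-09"  # start of the exploitation window per the briefs


def review_admins(admins, expected_admins, since=FIRST_OBSERVED):
    """Return [(name, reason)] for admin accounts that need a human look.

    admins: iterable of (account_name, created_iso_date) pairs from an admin export
    (format assumed for this example). Flags names matching the rogue pattern or
    absent from the approved list, and notes when such an account was created on or
    after the window start.
    """
    window_start = date.fromisoformat(since)
    findings = []
    for name, created_iso in admins:
        reasons = []
        if ROGUE_ADMIN_RE.match(name):
            reasons.append("matches svc-health-check-NNNNNN pattern")
        if name not in expected_admins:
            reasons.append("not on approved admin list")
        if reasons and date.fromisoformat(created_iso) >= window_start:
            reasons.append(f"created within exploitation window (>= {since})")
        if reasons:
            findings.append((name, "; ".join(reasons)))
    return findings


def suspicious_paths(paths):
    """Return paths that are, or sit under, one of the implant locations."""
    return [p for p in paths
            if any(p == loc or p.startswith(loc + "/") for loc in IMPLANT_LOCATIONS)]


# Constructed sample input: (account name, creation date) pairs and a file listing.
SAMPLE_ADMINS = [("admin", "2024-02-11"), ("netops-jdoe", "2025-09-30"),
                 ("svc-health-check-482913", "2026-04-21"), ("backup-ro", "2026-04-30")]
APPROVED_ADMINS = {"admin", "netops-jdoe"}
SAMPLE_PATHS = ["/var/tmp/linuxupdate/agent.py", "/home/ops/notes.txt",
                "/tmp/.c", "/var/log/example.log"]

if __name__ == "__main__":
    for name, why in review_admins(SAMPLE_ADMINS, APPROVED_ADMINS):
        print(f"ADMIN {name}: {why}")
    for p in suspicious_paths(SAMPLE_PATHS):
        print(f"PATH  {p}")
```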

UPDATE — CVE-2026-0300 (PAN-OS Captive Portal unauthenticated root RCE): CISA KEV deadline is **today (2026-05-09)**; no patch until 2026-05-13

From CTI Daily Brief — 2026-05-08 · published 2026-05-08

(First covered and deep-dived 2026-05-07.) The CISA KEV federal remediation deadline for CVE-2026-0300 is 2026-05-09 — today. Palo Alto Networks has not released a permanent patch for any PAN-OS branch; the earliest patch ETA is 2026-05-13. The mandated mitigation remains: disable the Captive Portal / Authentication Portal feature on internet-facing GlobalProtect gateway interfaces, or restrict access exclusively to trusted internal management IP ranges. PAN-OS 11.1+ deployments should confirm Threat Prevention profile with Threat ID 510019 is active on the internet-facing zone. Organisations that have not yet applied the mitigation should treat this as a P0 action today before business opens.