ctipilot.ch · Switzerland · Europe · Public sector

Palo Alto PAN-OS Captive Portal — unauthenticated root RCE (CVSS 9.3, ITW, KEV deadline 2026-05-09)

cve · CVE-2026-0300

  • Coverage timeline: 3 (first 2026-05-07 → last 2026-05-09)
  • Briefs: 3 (3 distinct)
  • Sources cited: 7 (6 hosts)
  • Sections touched: 2 (active_vulns, updates)
  • Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-09 · CTI Daily Brief — 2026-05-09
    updates · UPDATE: KEV deadline TODAY 2026-05-09. No patch released yet (expected 2026-05-13). CL-STA-1132 post-exploitation detail: rogue admin accounts (svc-health-check-NNNNNN), Python tunnelling implants under /tmp/.update-service, 4-17 day dwell time.
  2. 2026-05-08 · CTI Daily Brief — 2026-05-08
    updates · UPDATE: CISA KEV deadline is today (2026-05-09). No patch until 2026-05-13. Mitigation (disable Captive Portal or restrict to internal IPs) must be confirmed applied; treat as P0.
  3. 2026-05-07 · CTI Daily Brief — 2026-05-07
    active_vulns · First coverage. Critical unauthenticated RCE in PAN-OS Captive Portal; CERT-EU Critical Advisory 2026-006; CISA KEV deadline 2026-05-09; exploitation since 2026-04-09 by CL-STA-1132 (likely state-sponsored); no patch until 2026-05-13. Deep dive § 5.

Where this entity is cited

  • updates: 2
  • active_vulns: 1

Source distribution

  • attack.mitre.org: 2 (29%)
  • security.paloaltonetworks.com: 1 (14%)
  • cert.europa.eu: 1 (14%)
  • cert.ssi.gouv.fr: 1 (14%)
  • cisa.gov: 1 (14%)
  • unit42.paloaltonetworks.com: 1 (14%)

Items in briefs about Palo Alto PAN-OS Captive Portal — unauthenticated root RCE (CVSS 9.3, ITW, KEV deadline 2026-05-09) (1)

UPDATE — CVE-2026-0300 (PAN-OS Captive Portal unauthenticated root RCE): CISA KEV deadline is today (2026-05-09); no patch until 2026-05-13

From CTI Daily Brief — 2026-05-08 · published 2026-05-10

(First covered and deep-dived 2026-05-07.) The CISA KEV federal remediation deadline for CVE-2026-0300 is 2026-05-09 — today. Palo Alto Networks has not released a permanent patch for any PAN-OS branch; the earliest patch ETA is 2026-05-13. The mandated mitigation remains: disable the Captive Portal / Authentication Portal feature on internet-facing GlobalProtect gateway interfaces, or restrict access exclusively to trusted internal management IP ranges. PAN-OS 11.1+ deployments should confirm that a Threat Prevention profile with Threat ID 510019 is active on the internet-facing zone. Organisations that have not yet applied the mitigation should treat this as a P0 action to complete today, before business opens.