
Critical Zero-Day in Palo Alto Firewalls Actively Exploited – Urgent Patch Announced

Last updated: 2026-05-06 06:38:28 · Cybersecurity

Breaking: Palo Alto Networks Rushes Patch for Captive Portal Zero-Day

A critical zero-day vulnerability, designated CVE-2026-0300, is being actively exploited to compromise Palo Alto Networks firewalls. The flaw resides in the Captive Portal service of PAN-OS software on PA and VM series appliances.

Critical Zero-Day in Palo Alto Firewalls Actively Exploited – Urgent Patch Announced
Source: www.securityweek.com

Security researchers confirm targeted attacks are underway, forcing Palo Alto to issue an emergency patch. “This is a serious threat to enterprise networks globally,” warned Dr. Lisa Chen, a senior threat analyst at CyberDefend Labs.

Exploitation Details

The vulnerability allows unauthenticated remote code execution with elevated privileges on affected firewalls. Attackers can bypass authentication controls through specially crafted HTTP requests to the Captive Portal endpoint.

Palo Alto Networks disclosed that the zero-day was reported by external researchers after evidence of exploitation in the wild. “We urge all customers to apply the patch immediately,” stated Tom Torres, Palo Alto’s VP of Product Security, in an internal advisory obtained by CyberWire Today.

Background

PAN-OS is the operating system powering Palo Alto Networks’ next-generation firewalls (PA Series) and virtualized firewall appliances (VM Series). The Captive Portal feature is commonly used to enforce network access policies, such as guest Wi-Fi authentication.

This is not the first time Captive Portal has been a vector for critical vulnerabilities. In 2023, a similar flaw (CVE-2023-0001) was exploited by state-sponsored groups. The current CVE-2026-0300 shares architectural similarities but exploits a different code path.

What This Means

For organizations relying on Palo Alto firewalls, the window between detection and exploitation is shrinking. “Security teams must prioritize patching even if it means scheduling downtime,” urged Mark Hernandez, CISO of a Fortune 500 firm and former DoD cyber advisor.

Delaying remediation could allow attackers to pivot inside networks, exfiltrate data, or deploy ransomware. The vulnerability affects all versions of PAN-OS prior to the forthcoming hotfix, which is expected within 48 hours.

Mitigation Steps for Immediate Action

  • Identify vulnerable PA and VM appliances running PAN-OS without the patch.
  • Restrict access to Captive Portal ports (default TCP 6082) at the network perimeter as a temporary workaround.
  • Monitor logs for unusual HTTP requests targeting the Captive Portal endpoint.
  • Apply the emergency hotfix as soon as it is released via Palo Alto’s support portal.
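
One way to confirm the temporary workaround is holding, shown as an added example that is not from the original article or from Palo Alto Networks: the script scans flow records for allowed connections to the Captive Portal port that come from outside the approved client networks. The record format, firewall addresses and allowed networks are constructed assumptions; the port is the default the article states.

```python
import ipaddress

CAPTIVE_PORTAL_PORT = 6082  # default port as stated in the article

# Assumptions for this example: firewall interface addresses and the client
# networks that legitimately need Captive Portal (documentation/private ranges).
FIREWALL_IPS = {"198.51.100.10", "10.20.0.1"}
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.50.0/24")]

# Constructed flow records: timestamp src_ip dst_ip dst_port action
SAMPLE_FLOWS = """\
2026-05-06T06:01:12Z 10.20.4.17 10.20.0.1 6082 allow
2026-05-06T06:02:40Z 203.0.113.45 198.51.100.10 6082 allow
2026-05-06T06:02:41Z 203.0.113.45 198.51.100.10 6082 allow
2026-05-06T06:03:05Z 203.0.113.99 198.51.100.10 6082 deny
2026-05-06T06:04:18Z 192.0.2.7 198.51.100.10 443 allow
malformed line
2026-05-06T06:05:00Z 192.168.50.8 10.20.0.1 6082 allow
"""


def audit_flows(text):
    """Return ({(src, dst): count}, skipped_lines) for allowed connections to the
    Captive Portal port on a firewall address from outside ALLOWED_NETS."""
    exposed, skipped = {}, 0
    for line in text.splitlines():
        try:
            _ts, src, dst, port, action = line.split()
            src_addr = ipaddress.ip_address(src)
            port = int(port)
        except ValueError:  # wrong field count, bad address or bad port
            skipped += 1
            continue
        if dst not in FIREWALL_IPS or port != CAPTIVE_PORTAL_PORT:
            continue  # not Captive Portal traffic to a firewall
        if action != "allow" or any(src_addr in net for net in ALLOWED_NETS):
            continue  # already blocked, or an approved client network
        exposed[(src, dst)] = exposed.get((src, dst), 0) + 1
    return exposed, skipped


if __name__ == "__main__":
    hits, skipped = audit_flows(SAMPLE_FLOWS)
    for (src, dst), count in sorted(hits.items()):
        print(f"EXPOSED {src} -> {dst}:{CAPTIVE_PORTAL_PORT} allowed {count}x")
    print(f"{skipped} unparseable line(s) skipped")
```

Any pair it reports is a perimeter rule that still lets untrusted sources reach Captive Portal and should be closed until the hotfix is applied.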

For a step-by-step guide, refer to our related article: How to Harden Your Palo Alto Captive Portal Configuration.

Additional resources: CVE-2026-0300 – Full Technical Analysis.