[KEV] CVE-2026-0300 -- CVSS 0.0 Vulnerability Briefing

[KEV] CVE-2026-0300 | CVSS 0.0 (Low) | Exploit: Operational

What Is It

CVE-2026-0300 is an out-of-bounds write vulnerability in the User-ID Authentication Portal (Captive Portal) service of Palo Alto Networks PAN-OS, affecting PA-Series and VM-Series firewall platforms.

Technical Detail

The flaw resides in the Captive Portal service, which handles unauthenticated network-facing requests as part of the User-ID authentication workflow. An unauthenticated remote attacker can trigger the out-of-bounds write condition by sending specially crafted packets to the affected service, resulting in arbitrary code execution with root privileges on the underlying firewall operating system. Successful exploitation grants full system compromise of the affected device, including the ability to modify configurations, intercept traffic, and pivot into protected network segments.

Exploitation Status

CISA has confirmed active exploitation in the wild, adding this vulnerability to the Known Exploited Vulnerabilities catalog on May 6, 2026. The exploit maturity is rated Operational, meaning functional exploit code capable of reliable exploitation exists and is being used in real-world attacks. This is not limited to proof-of-concept demonstrations; the vulnerability is being actively weaponized against production systems.

Who Is Targeting This

No specific threat actor attribution has been confirmed at this time. The vulnerability provides unauthenticated root-level access to perimeter firewall infrastructure, which is consistent with targeting patterns used by both nation-state actors and financially motivated groups, but no named actors or campaigns have been formally attributed to exploitation of this CVE.

What To Do

Organizations running PAN-OS on PA-Series or VM-Series firewalls should treat this as an emergency patching priority. Per CISA's Known Exploited Vulnerabilities catalog, federal agencies are required to apply patches or implement mitigations by the deadline associated with the May 6, 2026 listing. All organizations should apply the vendor-supplied patch immediately without waiting for a scheduled maintenance window.

As an interim measure, if the patch cannot be applied immediately, consider restricting or disabling access to the Captive Portal service from untrusted network segments and ensuring the management interface is not exposed to the internet.

Monitor firewall logs for anomalous authentication portal activity, unexpected process execution, or configuration changes that cannot be attributed to authorized administrative actions. Verify device integrity using Palo Alto Networks' recommended validation procedures following any suspected exposure.
