PAN-OS Zero-Day CVE-2026-0300 Allows Unauthenticated RCE Through Captive Portal

Security researchers have identified a critical zero-day vulnerability, tracked as CVE-2026-0300, affecting Palo Alto Networks PAN-OS firewall firmware. The flaw enables unauthenticated remote code execution (RCE) by exploiting the Captive Portal component, which handles user authentication on network gateways. The vulnerability carries a CRITICAL severity rating and is already listed in the active digest under immediate publication review.

PAN-OS appliances are deployed globally across enterprise, government, and service provider networks as primary perimeter defense systems. Captive Portal functionality is commonly used to enforce authentication before granting network access, making this component a high-value target for threat actors seeking to gain initial foothold or pivot internally. The unauthenticated nature of the exploit significantly lowers the barrier for exploitation, as attackers do not need valid credentials to trigger the RCE condition.

Organizations running affected PAN-OS versions should monitor for official patches from Palo Alto Networks and apply mitigations such as restricting Captive Portal exposure to trusted interfaces or implementing additional network segmentation controls. The disclosure adds to a growing list of critical infrastructure vulnerabilities this period, alongside separate advisories covering sandbox escape flaws in the vm2 Node.js library and targeted intrusion activity involving operational technology assets at water utilities. The convergence of multiple high-severity vulnerabilities in network security and runtime environments signals elevated patching pressure for security teams across sectors.