CRITICAL ⚡ MUST-KNOW

PAN-OS Zero-Day CVE-2026-0300 Enables Unauthenticated RCE via Captive Portal

· zero-day · rce · vulnerability · cve

Unit 42 has published a threat brief on CVE-2026-0300, a buffer overflow in the PAN-OS User-ID Authentication Portal (Captive Portal) that allows unauthenticated remote code execution. The vulnerability is under active exploitation against Palo Alto Networks firewalls. A patch has not yet been released; Palo Alto Networks stated fixes will ship in releases over the next two weeks. Organizations using PAN-OS should apply available mitigations immediately, disable the captive portal feature if not required, and monitor for exploitation indicators.