Captive Portal RCE
6 May 2026. CVE-2026-0300 reaches NVD the same day CISA adds it to the KEV catalog: unauthenticated RCE on PA-Series and VM-Series when the User-ID Authentication Portal touches untrusted networks.
Briefing
A firewall template placed User-ID Authentication Portal response pages on an untrusted interface. You work the real defender loop: config exposure, inbound scan, threat log, and an emergency commit that removes the portal from the internet-facing zone.
Your role
Network security engineer validating exposure on internet-adjacent firewalls.
Objective
Prove whether the captive portal was exposed, trace the scan to a threat log hit, then verify the zone-level workaround.
Terminal environment
- user
- responder
- host
- jump-netops
- cwd
- /home/neteng/panos-ir
- steps
- 8
Safety note. This is a safe reconstruction. All systems, files, hosts, credentials, and outputs are simulated. Do not use these techniques on systems you do not own or have explicit permission to test.