{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/pa-series-firewalls/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PAN-OS","PA-Series firewalls","VM-Series firewalls"],"_cs_severities":["critical"],"_cs_tags":["vulnerability","rce","network"],"_cs_type":"advisory","_cs_vendors":["Palo Alto Networks"],"content_html":"\u003cp\u003eA critical vulnerability resides within the Authentication Portal, also known as Captive Portal, service of PAN-OS, the operating system for Palo Alto Networks next-generation firewalls. This flaw enables an unauthenticated remote attacker to execute arbitrary code with root privileges on affected firewalls. The vulnerability impacts PA-Series and VM-Series firewalls. Successful exploitation bypasses authentication and grants the attacker complete control over the firewall, potentially leading to network compromise, data exfiltration, or denial of service. Defenders must promptly apply the appropriate patches or mitigations to prevent exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable PAN-OS firewall with the Authentication Portal service enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious network packet specifically designed to exploit the vulnerability in the Authentication Portal service.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the specially crafted packet to the targeted firewall on the port used by the Authentication Portal service (typically TCP port 443).\u003c/li\u003e\n\u003cli\u003eThe vulnerable code within the Authentication Portal service fails to properly handle the malicious packet.\u003c/li\u003e\n\u003cli\u003eThis leads to a buffer overflow or other memory corruption error.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages this memory corruption to inject and execute arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe injected code executes with root privileges due to the elevated permissions of the Authentication Portal service.\u003c/li\u003e\n\u003cli\u003eThe attacker gains complete control over the firewall and can perform actions such as modifying firewall rules, accessing sensitive data, or pivoting to other internal networks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability grants an unauthenticated attacker complete control over the affected Palo Alto Networks firewalls. This can lead to a complete compromise of the network perimeter, allowing attackers to bypass security controls, exfiltrate sensitive data, or launch further attacks against internal systems. The root-level access obtained enables attackers to disable security features, modify configurations, and potentially use the compromised firewall as a persistent backdoor.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patches released by Palo Alto Networks immediately to all affected PA-Series and VM-Series firewalls running PAN-OS to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious packets targeting the Authentication Portal service on PAN-OS firewalls, using a network intrusion detection system (NIDS).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect PAN-OS Authentication Portal Exploitation Attempt\u0026rdquo; to detect malicious packets attempting to exploit the vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-07T14:00:00Z","date_published":"2026-05-07T14:00:00Z","id":"/briefs/2026-05-panos-rce/","summary":"An unauthenticated remote code execution vulnerability exists in the PAN-OS Authentication Portal (Captive Portal) service, potentially allowing attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending crafted network packets.","title":"PAN-OS Authentication Portal Remote Code Execution Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-panos-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — PA-Series Firewalls","version":"https://jsonfeed.org/version/1.1"}