CVE-2026-0300: PAN-OS Captive Portal RCE Threat to SAMA Banks

A critical PAN-OS Captive Portal buffer overflow lets unauthenticated attackers gain root on Palo Alto firewalls. SAMA-regulated banks must patch and isolate User-ID portals immediately.

FyntraLink Team

On May 6, 2026, CISA added CVE-2026-0300 — a critical buffer overflow in Palo Alto Networks PAN-OS — to its Known Exploited Vulnerabilities catalog. The flaw allows unauthenticated attackers to execute arbitrary code as root on PA-Series and VM-Series firewalls, and active exploitation is already underway against internet-exposed User-ID Authentication Portals.

Inside the PAN-OS Captive Portal Buffer Overflow

CVE-2026-0300 lives inside the User-ID Authentication Portal — historically known as the Captive Portal — a service that handles user identity assertions for authentication and policy enforcement. The vulnerability is rooted in CWE-787 (Out-of-bounds Write): the portal fails to validate the length of incoming data before copying it into a fixed-size memory buffer. A specially crafted packet sent to a vulnerable PA-Series or VM-Series firewall overflows that buffer and gives the attacker arbitrary code execution at root level.

No credentials are required. No user interaction is required. The CVSS 3.1 score reaches 9.3 when the portal is reachable from an untrusted network or the public internet. Prisma Access, Cloud NGFW, and Panorama management appliances are not affected — but on-premises PA-Series and VM-Series firewalls running PAN-OS with Captive Portal enabled are squarely in scope.

Why This Vulnerability Hits the Saudi Financial Sector Hard

Palo Alto Networks NGFWs are among the most widely deployed perimeter and segmentation platforms inside Saudi Tier-1 banks, payment processors, and fintech subsidiaries. They terminate inbound corporate VPNs, segment the SWIFT zone from corporate LAN, broker traffic between PCI-DSS cardholder data environments and shared services, and frequently host User-ID for SSO into core banking and treasury applications.

An attacker who lands root on a perimeter firewall does not stop at the perimeter. They can dump configuration secrets, pivot into management VLANs, manipulate firewall rules to create persistent backdoors, and harvest authentication artifacts that enable lateral movement into Active Directory and downstream banking applications. For institutions running SWIFT CSP, an unmitigated firewall compromise breaks several mandatory controls in a single step.

Impact on SAMA, NCA, and PCI-DSS Compliance

Under the SAMA Cyber Security Framework and the updated SAMA Cybersecurity Control Compliance (CSCC), regulated entities must demonstrate effective vulnerability management (3.3.14), network segmentation (3.3.13), and timely patching of internet-facing systems. CVE-2026-0300 directly tests all three. Failure to remediate a publicly known, actively exploited RCE on the perimeter would be a clear control gap during SAMA on-site inspections or independent assurance reviews.

The NCA Essential Cybersecurity Controls (ECC-1:2018) require the same posture under controls 2-10-3 (vulnerability management) and 2-12-3 (network security). For banks subject to PCI-DSS v4.0, requirement 6.3.3 mandates patching critical vulnerabilities within one month — and 11.5.1 requires monitoring for changes to critical files on perimeter devices, which a root-level compromise would silently defeat. PDPL obligations on confidentiality and integrity of personal data are also implicated if customer data passes through an exploited firewall.

Recommended Actions for SAMA-Regulated Institutions

  1. Patch immediately. Upgrade PAN-OS to the fixed builds listed in the Palo Alto Networks security advisory for CVE-2026-0300. Treat this as an emergency change with executive sign-off, not a routine maintenance window.
  2. Restrict Captive Portal exposure. Remove the User-ID Authentication Portal from any internet-facing or untrusted-zone interface. Bind it only to trusted internal management or user VLANs, enforced by interface-level ACLs.
  3. Hunt for prior compromise. Review PAN-OS system, traffic, and authd logs for unexpected portal hits, malformed HTTP requests, unexpected outbound connections from the management plane, and new admin accounts. Correlate against EDR telemetry on adjacent jump hosts.
  4. Rotate firewall secrets. Assume memory disclosure may have leaked credentials. Rotate local admin passwords, API keys, RADIUS/TACACS shared secrets, and any IPsec/SSL VPN pre-shared keys terminated on affected appliances.
  5. Validate segmentation controls. Confirm that an attacker on a compromised perimeter firewall cannot reach the SWIFT secure zone, the cardholder data environment, or Active Directory tier-0 assets without additional authentication and inspection.
  6. Notify SAMA and report internally. Where the institution falls under SAMA cyber-incident reporting thresholds, document detection, scope, and remediation actions as part of the regulatory communication.
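An added triage helper for the hunt in step 3 (example code written for this post, not a Palo Alto Networks tool): it scans constructed, simplified log records for the four indicators that step names: portal hits from outside trusted zones, oversized portal requests, unexpected egress from the management plane, and newly created admin accounts. The CSV layout, zone names, byte threshold and management-plane allowlist are assumptions, not the real PAN-OS log schema.

```python
"""Triage constructed PAN-OS-style log records for the hunt indicators in step 3.

The CSV layout below is a deliberately simplified stand-in, not the real PAN-OS
log schema; field positions, zone names, thresholds and allowlists are assumptions.
"""

TRUSTED_ZONES = {"trust", "mgmt"}              # zones from which Captive Portal may legitimately be reached
MGMT_ALLOWED_DST = {"10.0.0.50", "10.0.0.51"}  # assumed update/Panorama/NTP peers for the management plane
PORTAL_APP = "captive-portal"
MAX_PORTAL_BYTES = 4096                        # assumed ceiling for a well-formed portal request

# Constructed sample records (not real firewall output):
#   TRAFFIC,<src_zone>,<src_ip>,<dst_ip>,<dst_port>,<app>,<action>,bytes=<n>
#   SYSTEM,<subsystem>,<event>,user=<name>,action=<what>
SAMPLE_LOGS = """\
TRAFFIC,untrust,198.51.100.7,203.0.113.10,6082,captive-portal,allow,bytes=412
TRAFFIC,trust,10.20.30.40,10.20.30.1,6082,captive-portal,allow,bytes=380
TRAFFIC,untrust,198.51.100.7,203.0.113.10,6082,captive-portal,allow,bytes=9122
TRAFFIC,mgmt,10.0.0.1,10.0.0.50,443,ssl,allow,bytes=2210
TRAFFIC,mgmt,10.0.0.1,198.51.100.200,443,ssl,allow,bytes=77812
SYSTEM,general,admin-account,user=svc_backup,action=created
SYSTEM,authd,login,user=svc_backup,action=success
"""


def triage(log_text):
    """Return (rule, record) pairs for every record matching a hunt indicator."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = line.split(",")
        if f[0] == "TRAFFIC" and len(f) == 8:
            src_zone, dst_ip, app = f[1], f[3], f[5]
            nbytes = int(f[7].split("=", 1)[1])
            if app == PORTAL_APP and src_zone not in TRUSTED_ZONES:
                findings.append(("portal-hit-from-untrusted-zone", line))
            if app == PORTAL_APP and nbytes > MAX_PORTAL_BYTES:
                findings.append(("oversized-portal-request", line))
            if src_zone == "mgmt" and dst_ip not in MGMT_ALLOWED_DST:
                findings.append(("mgmt-plane-unexpected-egress", line))
        elif f[0] == "SYSTEM" and len(f) == 5:
            if f[2] == "admin-account" and f[4] == "action=created":
                findings.append(("new-admin-account", line))
    return findings


if __name__ == "__main__":
    for rule, record in triage(SAMPLE_LOGS):
        print(f"{rule:32s} {record}")
```

A record can match more than one rule (the 9122-byte untrusted-zone hit above is reported twice), so correlate by source address before escalating to the adjacent jump-host EDR review the step describes.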

Conclusion

CVE-2026-0300 is exactly the class of pre-authentication, root-level perimeter flaw that turns a single missed patch cycle into a regulator-reportable incident. With CISA enforcing mitigation by May 9, 2026, and active exploitation already documented, Saudi banks cannot treat this as a standard quarterly fix. The combination of internet exposure, root access, and identity-portal blast radius makes this a board-level risk for any institution operating PA-Series or VM-Series firewalls.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment, perimeter exposure review, and PAN-OS hardening validation aligned with SAMA CSCC, NCA ECC, and PCI-DSS v4.0.