
User-ID Authentication Portal
PAN-OS component handling user identity authentication via captive portal.
Last refreshed: 8 May 2026
Timeline for User-ID Authentication Portal
Identified as the captive portal component exploited via crafted packet
Cybersecurity: Threats and Defences: CISA deadline for PAN-OS RCE lands four days early
- What is the PAN-OS User-ID Authentication Portal?
- The PAN-OS User-ID Authentication Portal is a captive portal component of Palo Alto Networks firewalls that presents a login page to network users whose identities cannot be determined by passive monitoring, mapping their credentials to firewall policy rules.
- What is CVE-2026-0300 in PAN-OS?
- CVE-2026-0300 is a critical Remote Code Execution vulnerability in the PAN-OS User-ID Authentication Portal, actively exploited by the Chinese-nexus threat actor CL-STA-1132 from 16 April 2026. CISA mandated patching under a Binding Operational Directive.
- How was the PAN-OS portal vulnerability exploited?
- CL-STA-1132 exploited CVE-2026-0300 to inject shellcode into the nginx worker process handling the Authentication Portal, then deployed the EarthWorm and ReverseSocks5 tunnelling tools for covert command-and-control and deleted logs to hinder forensic recovery.
Background
The User-ID Authentication Portal is a component of Palo Alto Networks' PAN-OS operating system, the software that runs Palo Alto Networks' next-generation firewalls (NGFWs). The User-ID feature maps IP addresses to specific user identities using a combination of agent-based methods, server monitoring (Active Directory, LDAP), syslog, and an Authentication Portal — a browser-based captive portal that challenges users for credentials when the firewall cannot determine their identity through passive means. This portal is typically reachable from the LAN or the management interface; in misconfigured deployments it is sometimes reachable from the internet, which widens the exposure of any flaw in it.
PAN-OS's User-ID framework is a central feature for identity-based policy enforcement, enabling administrators to write firewall rules based on user and group identity rather than source IP alone. The Authentication Portal is the user-facing login page within this framework, handling credential collection and forwarding identity assertions to PAN-OS policy engines.
CVE-2026-0300 is a critical-severity vulnerability in the User-ID Authentication Portal. It was the subject of a CISA Binding Operational Directive deadline in U#3 and was actively exploited by the Chinese-nexus threat actor CL-STA-1132, which used it as the initial access vector for a campaign beginning 16 April 2026. The attacker injected shellcode into the nginx worker process handling portal requests and then deployed EarthWorm and ReverseSocks5 tunnels to mask command-and-control traffic.