
User-ID Authentication Portal
PAN-OS component handling user identity authentication via captive portal.
Last refreshed: 8 May 2026 · Appears in 1 active topic
Timeline for User-ID Authentication Portal
Identified as the captive portal component exploited via crafted packet
Cybersecurity: Threats and Defences: CISA deadline for PAN-OS RCE lands four days earlyWhat is PAN-OS User-ID Authentication Portal?
What is CVE-2026-0300 in PAN-OS?
How was the PAN-OS portal vulnerability exploited?
Background
The User-ID Authentication Portal is a component of Palo Alto Networks' PAN-OS operating system, the software that runs Palo Alto Networks' next-generation firewalls (NGFWs). The User-ID feature maps network IP addresses to specific user identities using a combination of agent-based methods, server-monitoring (Active Directory, LDAP), syslog, and an Authentication Portal — a browser-based captive portal that challenges users for credentials when the firewall cannot determine their identity through passive means. This portal is typically accessible from the LAN or management interface, and in misconfigured deployments, sometimes from the internet.
PAN-OS's User-ID framework is a central feature for identity-based policy enforcement, enabling administrators to write firewall rules based on user and group identity rather than source IP alone. The Authentication Portal is the user-facing login page within this framework, handling credential collection and forwarding identity assertions to PAN-OS policy engines.
CVE-2026-0300 is a critical-severity vulnerability in the User-ID Authentication Portal. It was the subject of a CISA Binding Operational Directive deadline in U#3 and was actively exploited by the Chinese-nexus threat actor CL-STA-1132, which used it as the initial access vector for a campaign beginning 16 April 2026 . The attacker injected shellcode into the nginx worker process handling portal requests and then deployed EarthWorm and ReverseSocks5 tunnels for command-and-control masking.