## https://sploitus.com/exploit?id=D0C74A17-064A-58EA-B450-B0B95E7DBA35
# PAN-OS CVE-2026-0300 Non-Destructive Exposure Survey Tool
## Overview
This tool is a **non-destructive exposure survey utility** for assessing whether a target PAN-OS service may expose network-accessible surfaces related to **CVE-2026-0300**.
The tool is intended for authorized defensive security validation, asset exposure review, and vulnerability triage. It does **not** exploit the vulnerability, does **not** send memory-corruption payloads, and does **not** attempt to crash or compromise the target device.
## Target CVE
This tool is designed for exposure assessment related to:
- **CVE:** CVE-2026-0300
- **Vendor:** Palo Alto Networks
- **Product:** PAN-OS
- **Affected component:** User-ID Authentication Portal, also known as Captive Portal
- **Vulnerability type:** Buffer overflow / out-of-bounds write
- **Impact:** Potential unauthenticated remote code execution with root privileges on affected devices
- **Severity:** Critical
- **CVSS:** 9.3
- **Exploit maturity:** ATTACKED
According to Palo Alto Networks, CVE-2026-0300 affects PAN-OS deployments where the User-ID Authentication Portal is enabled and reachable from untrusted networks. PA-Series and VM-Series firewalls may be affected. Prisma Access, Cloud NGFW, and Panorama are listed as not affected in the official advisory.
## What This Tool Checks
The tool performs safe network and HTTP(S)-level checks to identify whether a target appears to expose PAN-OS portal-related services.
It checks:
- TCP reachability for the specified IP/port.
- HTTPS reachability.
- HTTP reachability when `--scheme both` or `--scheme http` is used.
- Safe HTTP methods only:
- `HEAD`
- `GET`
- `OPTIONS`
- Portal-related paths, including:
- `/`
- `/php/login.php`
- `/php/uid.php`
- `/php/uidlogin.php`
- `/sslmgr`
- `/global-protect/login.esp`
- HTTP response status codes.
- Basic response fingerprints that may indicate:
- PAN-OS
- Palo Alto Networks
- Captive Portal
- User-ID Authentication Portal
- GlobalProtect
- Response pages
- Optional self-reported PAN-OS version assessment using `--pan-os-ver`.
HTTPS certificate verification is disabled by default because PAN-OS administrative and portal services often use self-signed or privately issued certificates.
## What This Tool Does Not Do
This tool does **not**:
- Send exploit payloads.
- Send memory-corruption buffers.
- Attempt authentication bypass.
- Attempt remote code execution.
- Perform crash testing.
- Confirm exploitability.
- Modify the target device.
- Authenticate to PAN-OS.
- Read PAN-OS configuration directly.
The tool only provides an **external network-observable exposure assessment** and, if `--pan-os-ver` is provided, a **self-reported version-based risk assessment**.
## What You Can Learn From the Results
The tool helps answer the following questions:
### 1. Is the target port reachable?
The tool checks whether the scanner host can establish a TCP connection to the specified target and port.
Example finding:
```text
tcp=True
https=True
````
This means the target port is reachable from the scanner host and accepts HTTPS connections.
### 2. Does the service behave like an HTTP(S) service?
The tool sends safe HTTP(S) requests and records response status codes.
Example findings:
```text
HTTPS HEAD /: HTTP/1.1 403 Forbidden
HTTPS GET /php/uid.php: HTTP/1.1 500 Internal Server Error
```
This means the service is reachable and is processing HTTP(S) requests.
### 3. Are portal-related paths externally reachable?
The tool checks paths commonly associated with PAN-OS portal or response-page functionality.
Examples:
```text
/php/login.php
/php/uid.php
/php/uidlogin.php
```
Non-404 responses from these paths may indicate that portal-related handlers are reachable from the scanner host.
### 4. Does the target look like a PAN-OS/User-ID portal?
The tool looks for lightweight textual indicators in response headers, titles, redirects, cookies, and response body samples.
Examples of indicators:
```text
palo alto
pan-os
globalprotect
captive portal
user-id
authentication portal
response page
```
These indicators increase confidence that the exposed service is related to PAN-OS portal functionality.
### 5. Is the supplied PAN-OS version affected?
If `--pan-os-ver` is provided, the tool compares the supplied version against the affected/fixed thresholds from the official advisory table embedded in the script.
Example:
```bash
--pan-os-ver 10.2.4-h2
```
Example result:
```text
patch_status: AFFECTED_BY_VERSION
version_status: AFFECTED_VERSION
combined_risk=HIGH
```
If `--pan-os-ver` is not provided, the tool displays the affected/fixed version table and reports the version status as unknown.
## Installation
This tool uses only Python standard library modules.
No external Python dependencies are required.
```bash
python3 --version
```
Recommended:
```text
Python 3.8+
```
A minimal `requirements.txt` can be used:
```txt
# No external dependencies required.
# This tool uses only Python standard library modules.
```
## Basic Usage
### Scan a single target and port
```bash
python3 panos_cve_2026_0300_diag.py \
-t 172.16.20.254 \
-p 6082
```
### Scan with a self-reported PAN-OS version
```bash
python3 panos_cve_2026_0300_diag.py \
-t 172.16.20.254 \
-p 6082 \
--pan-os-ver 10.2.4-h2
```
### Show detailed per-request observations
```bash
python3 panos_cve_2026_0300_diag.py \
-t 172.16.20.254 \
-p 6082 \
--pan-os-ver 10.2.4-h2 \
--verbose
```
### Probe both HTTPS and HTTP
```bash
python3 panos_cve_2026_0300_diag.py \
-t 172.16.20.254 \
-p 6082 \
--scheme both
```
### Use minimal path probing
By default, the tool probes all safe known paths.
Use `--minimal` to check only:
* `/`
* `/php/login.php`
```bash
python3 panos_cve_2026_0300_diag.py \
-t 172.16.20.254 \
-p 6082 \
--minimal
```
### Scan multiple ports
```bash
python3 panos_cve_2026_0300_diag.py \
-t 172.16.20.254 \
-p 443,6082,6081-6083 \
--scheme both
```
### Scan a CIDR range
```bash
python3 panos_cve_2026_0300_diag.py \
-t 172.16.20.0/24 \
-p 6082 \
--csv-out results.csv \
--json-out results.json
```
### Scan targets from a file
Create `targets.txt`:
```text
172.16.20.254
172.16.20.253
172.16.21.0/24
```
Run:
```bash
python3 panos_cve_2026_0300_diag.py \
-T targets.txt \
-p 6082 \
--json-out results.json
```
## Command-Line Options
| Option | Description |
| -------------------- | ------------------------------------------------------------------- |
| `-t, --target` | Target IP, hostname, or CIDR. Comma-separated values are supported. |
| `-T, --targets-file` | File containing targets, one per line. CIDR entries are supported. |
| `-p, --ports` | Port or port range. Example: `6082`, `443,6082`, `6081-6083`. |
| `--scheme` | Probe scheme: `https`, `http`, or `both`. Default: `https`. |
| `--pan-os-ver` | Self-reported PAN-OS version, such as `10.2.4-h2`. |
| `--timeout` | Socket timeout in seconds. Default: `4.0`. |
| `--max-bytes` | Maximum response bytes to read per request. Default: `16384`. |
| `--minimal` | Probe only `/` and `/php/login.php`. |
| `--verbose` | Print all request observations. |
| `--quiet` | Reduce console output. |
| `--json-out` | Write full results to a JSON file. |
| `--csv-out` | Write summary results to a CSV file. |
## Result Interpretation
The tool produces three main types of assessment:
1. **Exposure level**
2. **Version/patch status**
3. **Combined risk**
## Exposure Level Reference
| Exposure Level | Meaning |
| ------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------ |
| `LIKELY_EXPOSED_AUTH_PORTAL` | PAN-OS-like and authentication portal-like indicators were observed on a reachable HTTP(S) service. |
| `POSSIBLE_EXPOSED_AUTH_PORTAL` | Portal-related paths appear reachable and behave like application handlers, but PAN-OS product/version cannot be confirmed remotely. |
| `POSSIBLE_RESPONSE_PAGE_EXPOSURE` | A portal-related path or response page appears reachable, but the product/version is not confirmed. |
| `HTTP_SERVICE_REACHABLE_ACCESS_CONTROLLED` | HTTP(S) service is reachable and access-controlled, but no clear portal fingerprint was observed. |
| `HTTP_SERVICE_REACHABLE_UNIDENTIFIED` | HTTP(S) service is reachable, but no clear PAN-OS/User-ID Portal indicators were observed. |
| `TCP_REACHABLE_SERVICE_UNIDENTIFIED` | TCP connection succeeded, but no clear HTTP response was observed. |
| `NOT_REACHABLE_FROM_THIS_SCANNER` | The scanner host could not reach the target port. |
## Confidence Reference
| Confidence | Meaning |
| ---------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
| `HIGH` | Strong external indicators were observed, such as portal-related 5xx/2xx/3xx responses or multiple portal paths returning non-404 responses. |
| `MEDIUM` | Some portal or response-page indicators were observed, but the service could not be confidently identified. |
| `LOW` | The service is reachable, but product or portal evidence is weak. |
## HTTP Status Interpretation
| Status | Interpretation |
| ------ | ------------------------------------------------------------------------------------------------------------------------------------------------- |
| `2xx` | The path returned successful content. This may indicate reachable portal content. |
| `3xx` | The path returned a redirect. This may indicate reachable portal or login workflow. |
| `403` | The path exists or is handled, but access is forbidden. |
| `404` | The path was not found. This is weaker evidence of exposure. |
| `405` | The path may exist, but the HTTP method is not allowed. This is meaningful for portal-related paths. |
| `5xx` | The request likely reached application logic and caused a server-side error. This is stronger exposure evidence, but not proof of exploitability. |
## Version Status Reference
| Version Status | Meaning |
| ------------------------------ | ------------------------------------------------------------------------------------------------------------- |
| `AFFECTED_VERSION` | The supplied PAN-OS version is affected according to the embedded advisory thresholds. |
| `POTENTIALLY_AFFECTED_VERSION` | The supplied PAN-OS version belongs to an affected family but does not clearly meet a listed fixed threshold. |
| `NOT_AFFECTED_FIXED_OR_NEWER` | The supplied PAN-OS version appears to meet or exceed a fixed threshold. |
| `NOT_SUPPLIED` | No PAN-OS version was provided with `--pan-os-ver`. |
| `UNKNOWN_FAMILY` | The supplied version family is not present in the embedded advisory table. |
| `PARSE_ERROR` | The supplied version could not be parsed. |
## Patch Status Reference
| Patch Status | Meaning |
| --------------------------------- | ------------------------------------------------------------------------------------------ |
| `AFFECTED_BY_VERSION` | The supplied version is affected according to the version table. |
| `POTENTIALLY_AFFECTED_BY_VERSION` | The supplied version should be treated as potentially affected unless confirmed otherwise. |
| `LIKELY_FIXED_BY_VERSION` | The supplied version appears fixed or newer according to the version table. |
| `UNKNOWN_VERSION_NOT_SUPPLIED` | No version was supplied. |
| `UNKNOWN_PARSE_ERROR` | The supplied version could not be parsed. |
| `UNKNOWN_UNLISTED_FAMILY` | The supplied version family is not covered by the embedded table. |
## Combined Risk Reference
| Combined Risk | Meaning |
| ------------------------------------------------------ | ------------------------------------------------------------------------------------------ |
| `HIGH` | Exposure indicators were observed and the supplied PAN-OS version is affected. |
| `HIGH_OR_MEDIUM` | Exposure indicators were observed and the supplied PAN-OS version is potentially affected. |
| `UNKNOWN_VERSION_EXPOSED_SURFACE` | Exposure indicators were observed, but no PAN-OS version was supplied. |
| `LOWER_BY_VERSION_BUT_EXPOSED` | Exposure indicators were observed, but the supplied version appears fixed or newer. |
| `VERSION_AFFECTED_BUT_NOT_REACHABLE_FROM_THIS_SCANNER` | The supplied version is affected, but this scanner host could not reach the service. |
| `VERSION_AFFECTED_SERVICE_UNCONFIRMED` | The supplied version is affected, but this scan did not confirm portal exposure. |
| `LOWER_FROM_THIS_SCANNER` | The scanner host did not observe reachability. |
| `LOWER_BY_VERSION` | The supplied version appears fixed or newer. |
| `UNKNOWN` | Collected evidence is insufficient for a confident combined assessment. |
## Example Output
Example command:
```bash
python3 panos_cve_2026_0300_diag.py \
-t 172.16.20.254 \
-p 6082 \
--pan-os-ver 10.2.4-h2 \
--verbose
```
Example result:
```text
[WARN] 172.16.20.254:6082 -> POSSIBLE_EXPOSED_AUTH_PORTAL / confidence=HIGH / combined_risk=HIGH
exposure_reason: Portal-related paths appear reachable and behave like application handlers, but PAN-OS product/version cannot be confirmed remotely.
patch_status: AFFECTED_BY_VERSION
version_status: AFFECTED_VERSION
pan_os_version: 10.2.4-h2
normalized_version: 10.2.4-h2
version_reason: Version is older than earliest fixed threshold 10.2.7-h34.
combined_reason: Exposure indicators were observed and the supplied PAN-OS version is affected by the version table.
evidence:
- HTTPS HEAD /: HTTP/1.1 403 Forbidden
- HTTPS HEAD /php/login.php: HTTP/1.1 405 Not Allowed
- HTTPS GET /php/uid.php: HTTP/1.1 500 Internal Server Error
- Portal-related PHP path returned 5xx, suggesting application handler exposure.
- Multiple portal-related PHP paths responded with non-404 statuses: /php/login.php, /php/uid.php, /php/uidlogin.php
```
This means:
* The target port is reachable.
* HTTPS is available.
* Portal-related paths are externally reachable.
* At least one portal-related path returned a 5xx response.
* The supplied PAN-OS version is affected according to the embedded version table.
* The combined risk is high.
## Exit Codes
| Exit Code | Meaning |
| --------- | -------------------------------------------------------------------------------------------------------- |
| `0` | No likely exposed portal surface was detected. |
| `1` | Possible or likely exposure was detected, or exposure was observed with unknown/affected version status. |
| `2` | Input error, such as missing target or invalid port. |
## Important Limitations
This tool cannot determine everything from the network alone.
It cannot directly confirm:
* Whether User-ID Authentication Portal is enabled in the PAN-OS configuration.
* Whether Response Pages are enabled on a specific interface management profile.
* Whether the service is reachable from all untrusted networks.
* Whether Threat Prevention signatures are enabled.
* Whether the target is actually exploitable.
* Whether the target has been compromised.
The result should be treated as an exposure and triage signal, not as proof of exploitability.
## Recommended Follow-Up Checks
If the tool reports `POSSIBLE_EXPOSED_AUTH_PORTAL`, `LIKELY_EXPOSED_AUTH_PORTAL`, or `HIGH`, review the following on the PAN-OS device:
* Confirm the installed PAN-OS version.
* Confirm whether User-ID Authentication Portal / Captive Portal is enabled.
* Confirm whether Response Pages are enabled on interfaces reachable from untrusted networks.
* Confirm whether the service is reachable from the Internet or other untrusted zones.
* Confirm whether the relevant Threat Prevention content and signatures are installed and enabled.
* Review system, threat, and traffic logs for unusual requests to portal-related paths.
* Apply the vendor-recommended fixed version or mitigation.
## Official Information Links
* Palo Alto Networks Security Advisory for CVE-2026-0300:
[https://security.paloaltonetworks.com/CVE-2026-0300](https://security.paloaltonetworks.com/CVE-2026-0300)
* Palo Alto Networks Security Advisories Portal:
[https://security.paloaltonetworks.com/](https://security.paloaltonetworks.com/)
* CISA Known Exploited Vulnerabilities Catalog:
[https://www.cisa.gov/known-exploited-vulnerabilities-catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
* NIST National Vulnerability Database entry:
[https://nvd.nist.gov/vuln/detail/CVE-2026-0300](https://nvd.nist.gov/vuln/detail/CVE-2026-0300)
## Notes
Always verify the latest vendor advisory before making production decisions. The affected and fixed version table in this tool should be reviewed and updated if Palo Alto Networks revises the advisory.
This tool is intended for authorized defensive use only.