
Cybersecurity Threat Advisory

Threat actors are actively exploiting a PAN‑OS zero‑day that impacts the User‑ID Authentication (Captive) Portal. This exploit enables unauthenticated remote code execution with root privileges on PA‑Series and VM‑Series firewalls. Continue reading this Cybersecurity Threat Advisory to learn how to minimize its impact on your environment.

What is the threat?

This buffer overflow vulnerability in the PAN‑OS User‑ID Authentication Portal allows an unauthenticated attacker to execute arbitrary code with root privileges on vulnerable PA‑Series and VM‑Series firewalls by sending specially crafted packets. In observed intrusions, attackers achieved code execution by injecting shellcode into an NGINX worker process that handles portal traffic. After gaining access, they deployed open‑source tunneling utilities (for example, Earthworm and ReverseSocks5), used firewall‑stored credentials to conduct directory reconnaissance, and deliberately deleted logs and files to conceal evidence of exploitation.

Why is it noteworthy?

This threat stands out because it exploits an unauthenticated zero‑day remote code execution flaw on perimeter firewalls, potentially granting attackers full control of systems that sit at the network edge and often hold high privileges, visibility into sensitive traffic, and access to identity infrastructure. The observed activity shows disciplined tradecraft, including living‑off‑the‑land techniques, intermittent interactive access, identity abuse for lateral movement, and targeted log tampering to evade detection. While current exploitation appears limited, environments that expose the User-ID Authentication Portal to untrusted networks may face a broad attack surface, making rapid mitigation critical.

What is the exposure or risk?

Organizations that expose the PAN‑OS User‑ID Authentication Portal to untrusted networks face immediate risk. Successful exploitation can give attackers full root‑level control of the firewall, allowing configuration tampering, persistence, credential theft, and Active Directory or domain reconnaissance using service accounts stored on the device. Attackers may also establish covert tunnels to pivot deeper into the environment and exfiltrate data, while deleting logs and artifacts to hinder incident response and extend dwell time.

What are the recommendations?

Barracuda strongly recommends taking the following actions to secure environments:

  • Identify exposure:
    • Inventory all PA‑Series and VM‑Series firewalls and determine whether the User‑ID Authentication (Captive) Portal is enabled and reachable from untrusted networks.
    • Map ingress zones and interfaces to identify any internet‑ or partner‑facing exposure.
    • Confirm that Prisma Access, Cloud NGFW, and Panorama deployments are not affected.
  • Apply immediate mitigations:
    • Restrict Captive Portal access to trusted internal networks only; ensure it is not publicly reachable.
    • Disable Response Pages on interface management profiles attached to untrusted or internet‑ingress Layer‑3 interfaces.
    • Disable the Captive Portal entirely if it is not required.
    • Enable Threat ID 510019 and update to Applications and Threats content version 9097‑10022 or later (Advanced Threat Prevention customers).
    • Ensure PAN‑OS 11.1 or later for decoder support.
  • Harden network and management controls:
    • Isolate the management plane using dedicated admin networks or VPN access with MFA and IP allow‑listing.
    • Place internet‑facing services behind trusted proxies where feasible.
    • Forward all firewall logs to an off‑device SIEM or secure log repository in near‑real time.
  • Detect and hunt for exploitation:
    • Inspect exposed devices for abnormal NGINX worker behavior, crashes, core dumps, or ptrace usage.
    • Review system, crash, and NGINX logs for gaps or deletion near suspected exploitation windows.
    • Hunt for tunneling tools (e.g., Earthworm, ReverseSocks5), directory reconnaissance using firewall service accounts, and anomalous outbound connections or SOCKS tunnels.
    • Monitor for suspicious Active Directory queries, credential use, and high‑volume SAML authentication anomalies.
  • Respond and recover:
    • Immediately isolate any suspected compromised device and preserve logs and artifacts.
    • Engage vendor support and incident response teams.
    • Re‑image affected devices to a known‑good PAN‑OS build and restore validated configurations.
    • Rotate all firewall‑associated credentials, secrets, API keys, and certificates.
    • Validate HA peers for secondary compromise.
  • Strengthen governance and assurance:
    • Enforce rapid patching and content‑update SLAs for internet‑exposed services.
    • Routinely verify that the Captive Portal is not exposed to untrusted networks.
    • Continuously monitor the external attack surface and track vendor advisories for timely action.
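As an added example that is not part of this advisory or of any vendor tooling, the Python script below runs the log-review checks from the "Detect and hunt for exploitation" steps over a handful of constructed log lines: it flags gaps in the timestamped stream larger than a threshold (a possible sign of log deletion), NGINX worker crash messages, and entries naming the tunneling tools the advisory cites. The line format, the 30-minute threshold and the regular expressions are assumptions for illustration; real PAN‑OS and NGINX log formats differ, so adapt the parser and patterns to the logs you actually forward to your SIEM.

```python
"""Hunt helpers for firewall/NGINX logs (added example, not vendor code).

Assumptions (for illustration only):
  * each log line is "<ISO timestamp> <source>: <message>"
  * a silence longer than MAX_GAP_MINUTES on a busy device is suspicious
  * tool names are matched case-insensitively in the message text
"""
import re
from datetime import datetime

# Assumed line layout: "2025-06-01T09:00:00 nginx: worker process started"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (\w+): (.*)$")

# Tunneling tools named in the advisory plus a generic SOCKS indicator.
TOOL_RE = re.compile(r"earthworm|reversesocks5|\bsocks5?\b", re.IGNORECASE)

# Generic NGINX worker crash wording (assumed; adapt to your log source).
CRASH_RE = re.compile(r"exited on signal|core dumped|segfault", re.IGNORECASE)

MAX_GAP_MINUTES = 30

# Constructed sample lines; they are not real device output.
SAMPLE_LOG = """\
2025-06-01T09:00:00 nginx: worker process started
2025-06-01T09:05:00 nginx: GET /php/login.php 200
2025-06-01T09:06:00 nginx: worker process 4412 exited on signal 11 (core dumped)
2025-06-01T09:06:30 nginx: worker process started
2025-06-01T10:15:00 system: process earthworm started by user admin
2025-06-01T10:16:00 system: connection from 10.0.0.5
2025-06-01T10:20:00 system: ReverseSocks5 client connected
"""


def parse_log(text):
    """Return (timestamp, source, message) tuples sorted by time.

    Lines that do not match LINE_RE are skipped rather than raising, so a
    partially corrupted export still yields usable entries.
    """
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        entries.append((ts, m.group(2), m.group(3)))
    entries.sort(key=lambda e: e[0])  # tolerate out-of-order delivery
    return entries


def find_gaps(entries, max_gap_minutes=MAX_GAP_MINUTES):
    """Flag silences between consecutive entries longer than the threshold."""
    gaps = []
    for prev, cur in zip(entries, entries[1:]):
        minutes = (cur[0] - prev[0]).total_seconds() / 60
        if minutes > max_gap_minutes:
            gaps.append({"start": prev[0], "end": cur[0], "minutes": minutes})
    return gaps


def find_tool_indicators(entries):
    """Entries whose message names a known tunneling tool or SOCKS usage."""
    return [e for e in entries if TOOL_RE.search(e[2])]


def find_worker_crashes(entries):
    """Entries that look like an NGINX worker crash or core dump."""
    return [e for e in entries if e[1] == "nginx" and CRASH_RE.search(e[2])]


def hunt(text):
    """Run all checks over a log export and return the findings."""
    entries = parse_log(text)
    return {
        "gaps": find_gaps(entries),
        "tool_indicators": find_tool_indicators(entries),
        "worker_crashes": find_worker_crashes(entries),
    }


if __name__ == "__main__":
    findings = hunt(SAMPLE_LOG)
    for gap in findings["gaps"]:
        print(f"GAP  {gap['start']} -> {gap['end']} ({gap['minutes']:.1f} min)")
    for ts, src, msg in findings["worker_crashes"]:
        print(f"CRASH {ts} {src}: {msg}")
    for ts, src, msg in findings["tool_indicators"]:
        print(f"TOOL  {ts} {src}: {msg}")
```

Each finding on its own is weak evidence (workers do crash, and SOCKS proxies have legitimate uses); the value is in correlating a log gap with a crash just before it and tool indicators just after, on a device whose portal was reachable from an untrusted zone. Run the script against logs pulled from your off-device SIEM rather than from the firewall itself, since on-device logs are exactly what the advisory says the attackers deleted.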

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.



Posted by Aniket Kapoor

Aniket is a Cybersecurity Analyst at Barracuda MSP. He's a security expert, working on our Blue Team within our Security Operations Center. Aniket supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.
