"The attacker behind this activity exploited CVE-2026-0300 to achieve unauthenticated remote code execution (RCE) in PAN-OS software. Upon successful exploitation, the attacker was able to inject shellcode into an nginx worker process," Palo Alto Networks Unit 42 said.
The flaw: CVE-2026-0300 and where it lives
Palo Alto Networks has disclosed a high-severity buffer overflow vulnerability tracked as CVE-2026-0300 (CVSS score: 9.3/8.7) in the User-ID Authentication Portal service of PAN-OS software. An unauthenticated attacker who sends specially crafted packets could exploit the flaw to execute arbitrary code with root privileges on affected appliances, according to the advisory.
Observed timeline and exploit activity
Unit 42 reported detection of unsuccessful exploitation attempts against a PAN-OS device beginning April 9, 2026. Roughly a week later the adversary achieved remote code execution and injected shellcode. Following initial access, the attackers removed forensic artifacts in an apparent attempt to cover their tracks: they cleared crash kernel messages, deleted nginx crash entries and crash records, and removed crash core dump files.
Post-exploitation actions and tools used
After gaining code execution, the actors performed Active Directory enumeration and deployed additional payloads against a second device on April 29, 2026. Unit 42 identified two tools left by the intruders: EarthWorm and ReverseSocks5. The advisory notes both tools have been previously observed in operations attributed to various China-nexus hacking groups.
Attribution, tradecraft, and target selection
Palo Alto Networks is tracking the activity under CL-STA-1132, a suspected state-sponsored threat cluster of unknown provenance. Unit 42 described the attackers' tradecraft as relying on open-source tooling rather than proprietary malware, a choice that "minimized signature-based detection and facilitated seamless environment integration." The group also used a disciplined operational cadence of intermittent interactive sessions over multiple weeks, behavior Unit 42 said was intended to remain below the behavioral thresholds of many automated alerting systems.
Unit 42 placed this episode in a broader pattern: "Over the last five years, nation-state threat actors engaged in cyber espionage have increasingly focused their efforts on edge-network technological assets, including firewalls, routers, IoT devices, hypervisors and various VPN solutions, which provide high-privilege access while often lacking the robust logging and security agents found on standard endpoints."
Vendor guidance and the immediate patch timeline
Palo Alto Networks advised customers to secure access to the PAN-OS User-ID Authentication Portal by restricting it to trusted zones or disabling the portal entirely if it is not in use. The company said fixes are expected to be released starting May 13, 2026. Until patched, those mitigations are the vendor's recommended immediate controls.
What this means for customers, security teams, and procurement
- Customers: The advisory directly instructs customers to restrict access to the User-ID Authentication Portal or disable it if unused; fixes are not expected until May 13, 2026, so those mitigations are the immediate available options.
- Security teams and technologists: Unit 42's findings emphasize watching for signs of tampering with nginx crash records and missing core dumps, Active Directory enumeration, and the presence of EarthWorm or ReverseSocks5 payloads—indicators specifically observed in this campaign.
- Procurement and operations leaders: The incident illustrates the risk profile of edge-network appliances that provide high privilege but may lack endpoint-style logging; the vendor-set patch date (May 13, 2026) gives a hard deadline for planned remediation actions and change windows.
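The indicators in the "Security teams" bullet above lend themselves to a simple triage pass over command-audit or shell-history records. The following is an added example written for this page, not code from Unit 42 or Palo Alto Networks: it flags (a) deletion or truncation of crash records and core dumps, the anti-forensics behaviour the advisory describes, and (b) invocation of the named tools. The log layout, the sample lines, and the use of "ew" as EarthWorm's usual binary name are assumptions; substitute whatever audit format your appliances or collectors actually emit.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed sample command-audit lines (NOT taken from the advisory).
# The "timestamp host source: command" layout is an assumption for this example.
SAMPLE_LOG = """\
2026-04-16T03:12:41Z fw01 shell: rm -f /var/cores/nginx.core.1821
2026-04-16T03:12:44Z fw01 shell: dmesg --clear
2026-04-16T03:13:02Z fw01 shell: rm -f /var/log/nginx-crash.log
2026-04-16T09:00:13Z fw01 shell: show system info
2026-04-29T14:20:05Z fw02 shell: /tmp/ew (arguments omitted)
2026-04-29T14:25:17Z fw02 shell: /tmp/ReverseSocks5 (arguments omitted)
2026-04-29T14:30:00Z fw02 shell: tail /var/log/nginx/error.log
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<src>[^:]+):\s*(?P<cmd>.*)$")

# Anti-forensics: removing or truncating the crash artifacts the advisory says
# were cleared (kernel crash messages, nginx crash records, core dump files).
ANTI_FORENSICS = [
    re.compile(r"\brm\b.*\b(core|crash)\b", re.I),
    re.compile(r"\bdmesg\b.*--clear", re.I),
    re.compile(r"(^|\s)(>|truncate\s)\s*\S*(core|crash)", re.I),
]

# Tool names from the advisory; "ew" as EarthWorm's binary name is an assumption.
TOOLING = re.compile(r"(^|/|\s)(ew|earthworm|reversesocks5)(\s|$)", re.I)


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    category: str
    command: str


def scan_events(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per audit line that matches an indicator class."""
    findings: List[Finding] = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        cmd = m["cmd"]
        if any(p.search(cmd) for p in ANTI_FORENSICS):
            findings.append(Finding(m["ts"], m["host"], "anti_forensics", cmd))
        elif TOOLING.search(cmd):
            findings.append(Finding(m["ts"], m["host"], "known_tooling", cmd))
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, Set[str]]:
    """Map each host to the set of indicator classes seen on it, for triage ordering."""
    by_host: Dict[str, Set[str]] = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.category)
    return by_host


if __name__ == "__main__":
    hits = scan_events(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f"{f.ts} {f.host} [{f.category}] {f.command}")
    print(summarize(hits))
```

Crash-artifact deletion on an appliance that has no scheduled cleanup is itself worth an alert: on the page's own timeline, the artifact clearing preceded the Active Directory enumeration and the second-device compromise by almost two weeks, so a host that shows the anti-forensics class alone should be triaged before it also shows the tooling class.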
The record in Unit 42's advisory is straightforward: an exploitable PAN-OS buffer overflow (CVE-2026-0300) was probed beginning April 9, successfully exploited within days, and used to inject shellcode into an nginx worker process. The attackers then moved laterally and deployed known tooling associated with espionage operations. Palo Alto Networks' recommendation — restrict or disable the User-ID Authentication Portal and apply vendor fixes starting May 13, 2026 — is the concrete action named in the advisory. How rapidly organizations act on those instructions will determine whether this incident remains a limited exploit chain or becomes a wider espionage campaign.
https://thehackernews.com/2026/05/pan-os-rce-exploit-under-active-use.html