"We are aware of only limited exploitation of CVE-2026-0300 at this time," Palo Alto Networks' Unit 42 warned in its May 6, 2026 advisory, describing a buffer overflow in the PAN-OS User‑ID Authentication Portal that permits unauthenticated remote code execution with root privileges.
CVE-2026-0300: what is vulnerable and where the risk is highest
The vulnerability, tracked as CVE-2026-0300, is a buffer overflow in the User‑ID Authentication Portal (also called the Captive Portal) service in PAN‑OS. An unauthenticated attacker can send specially crafted packets and achieve arbitrary code execution as root on PA‑Series and VM‑Series firewalls. Palo Alto Networks noted that Prisma Access, Cloud NGFW and Panorama appliances are unaffected.
Unit 42 emphasized that the risk of unauthenticated RCE is "significantly elevated" when the User‑ID Authentication Portal is exposed to the public internet or other untrusted networks, and that restricting Portal access to trusted internal IPs or disabling the portal when not required will greatly mitigate risk.
Observed exploitation: timeline and operator behavior (CL‑STA‑1132)
Unit 42 is tracking this cluster of activity as CL‑STA‑1132. According to the advisory, exploitation attempts began on April 9, 2026 with unsuccessful probes. About a week later the attackers achieved RCE on a PAN‑OS device and injected shellcode into an nginx worker process. They immediately removed artifacts from the system; four days after the initial compromise they deployed additional tools with root privileges and used credentials, likely obtained from the firewall, to enumerate Active Directory.
On April 29, 2026, the attackers staged a Security Assertion Markup Language (SAML) flood that caused a second device to be promoted to Active and to inherit the same internet‑facing traffic. They then achieved RCE on that second device and downloaded EarthWorm and ReverseSocks5 to it.
Post‑compromise actions and forensic traces
Following successful exploitation, Unit 42 observed immediate and systematic log cleanup: clearing crash kernel messages, deleting nginx crash entries and crash records, and removing crash core dump files. Later, the attackers deleted the ptrace injection evidence from the audit log and removed a set‑user‑ID (SUID) privilege escalation binary.
Post‑exploit activity included deploying publicly available tunneling tools, conducting AD enumeration targeting domain root and DomainDnsZones using the firewall's service account credentials, and establishing covert tunnels for lateral access and data bridging.
Open‑source tunneling tools: EarthWorm and ReverseSocks5
Unit 42 details two open‑source tools used in the campaign. EarthWorm is a C‑based network tunneling tool that functions as a SOCKS v5 server and port‑forwarding utility on Windows, Linux and macOS, with ARM and MIPS builds. Its capabilities include starting forward SOCKS5 servers, establishing reverse SOCKS5 tunnels from internal hosts to external bridges, bridging data between listening ports to facilitate pivot management, forwarding local ports to remote destinations, and chaining transfer modes to build multi‑hop tunnels. Unit 42 maps these behaviors to MITRE ATT&CK techniques T1090 (Proxy) and T1572 (Protocol Tunneling) and notes prior EarthWorm use by the actors behind CL‑STA‑0046, Volt Typhoon, UAT‑8337 and APT41.
ReverseSocks5 establishes an outbound connection from a compromised host to a controller and then creates a SOCKS5 proxy tunnel, enabling an external controller to route traffic into the target network. Unit 42 notes that because these tools' source code is public, they are commonly used by administrators and by threat actors for pivoting.
Mitigations, detections and available protections
Palo Alto Networks published concrete mitigations: restrict the User‑ID Authentication Portal to trusted zones and disable Response Pages in the Interface Management Profile on any L3 interface that receives untrusted or internet traffic; keep Response Pages enabled only on trust/internal interfaces. Customers may also disable the User‑ID Authentication Portal entirely if it is not required.
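As an added example (not code from the Unit 42 advisory or from Palo Alto Networks), the script below audits an exported PAN‑OS running configuration for the weak setting described above, a profile with Response Pages enabled that is bound to an interface in an untrusted zone, and emits a corrected copy in which untrusted‑zone interfaces get a cloned profile with Response Pages off while trusted bindings are left alone. The element paths it reads (profiles/interface-management-profile/entry, layer3/interface-management-profile, zone/entry/network/layer3/member) are assumptions about the exported XML layout and must be checked against your own export; the sample configuration is constructed.

```python
"""Audit an exported PAN-OS running configuration for Response Pages enabled
on interfaces that sit in untrusted zones, and emit a hardened copy.
Added example, not Palo Alto Networks code; the element paths below are
assumptions about the exported XML layout and must be checked against your
own export."""
import copy
import xml.etree.ElementTree as ET

# Constructed sample: "allow-mgmt" has Response Pages on and is shared by an
# untrusted and a trusted interface; ethernet1/3 is untrusted but has no profile.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
<network>
 <profiles><interface-management-profile>
  <entry name="allow-mgmt"><ping>yes</ping><response-pages>yes</response-pages></entry>
 </interface-management-profile></profiles>
 <interface><ethernet>
  <entry name="ethernet1/1"><layer3><interface-management-profile>allow-mgmt</interface-management-profile></layer3></entry>
  <entry name="ethernet1/2"><layer3><interface-management-profile>allow-mgmt</interface-management-profile></layer3></entry>
  <entry name="ethernet1/3"><layer3/></entry>
 </ethernet></interface>
</network>
<vsys><entry name="vsys1"><zone>
 <entry name="untrust"><network><layer3><member>ethernet1/1</member><member>ethernet1/3</member></layer3></network></entry>
 <entry name="trust"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
</zone></entry></vsys>
</entry></devices></config>"""


def _yes(elem):
    return elem is not None and (elem.text or "").strip().lower() == "yes"


def _text(elem):
    return (elem.text or "").strip() if elem is not None else ""


def profile_response_pages(root):
    """Profile name -> True when <response-pages>yes</response-pages>."""
    return {e.get("name"): _yes(e.find("response-pages"))
            for e in root.findall(".//profiles/interface-management-profile/entry")}


def layer3_bindings(root):
    """Yield (interface name, element that holds <interface-management-profile>)."""
    for kind in ("ethernet", "aggregate-ethernet"):
        for entry in root.findall(f".//interface/{kind}/entry"):
            l3 = entry.find("layer3")
            if l3 is None:
                continue
            yield entry.get("name"), l3
            for unit in l3.findall("units/entry"):  # subinterfaces carry their own binding
                yield unit.get("name"), unit


def interface_zones(root):
    """Interface name -> zone name."""
    return {_text(m): z.get("name")
            for z in root.findall(".//zone/entry")
            for m in z.findall("network/layer3/member")}


def find_exposed_response_pages(xml_text, untrusted_zones):
    """List interfaces in untrusted zones whose bound profile serves Response Pages."""
    root = ET.fromstring(xml_text)
    rp, zones = profile_response_pages(root), interface_zones(root)
    bound = {iface: _text(holder.find("interface-management-profile"))
             for iface, holder in layer3_bindings(root)}
    findings = []
    for iface, prof in sorted(bound.items()):
        if prof and zones.get(iface) in untrusted_zones and rp.get(prof):
            # A profile shared with a trusted interface cannot simply be flipped off.
            shared = any(bound.get(o) == prof and zones.get(o) not in untrusted_zones
                         for o in bound if o != iface)
            findings.append({"interface": iface, "zone": zones[iface], "profile": prof,
                             "fix": "clone profile with response-pages=no and rebind"
                                    if shared else "set response-pages=no on profile"})
    return findings


def harden(xml_text, untrusted_zones):
    """Return config text where untrusted-zone interfaces use a clone of their
    profile with Response Pages off; trusted bindings are untouched."""
    root = ET.fromstring(xml_text)
    zones = interface_zones(root)
    container = root.find(".//profiles/interface-management-profile")
    profiles = {e.get("name"): e for e in container.findall("entry")}
    for iface, holder in layer3_bindings(root):
        ref = holder.find("interface-management-profile")
        src = profiles.get(_text(ref))
        if src is None or zones.get(iface) not in untrusted_zones or not _yes(src.find("response-pages")):
            continue
        clone_name = src.get("name") + "-no-rp"
        if clone_name not in profiles:
            clone = copy.deepcopy(src)
            clone.set("name", clone_name)
            clone.find("response-pages").text = "no"
            container.append(clone)
            profiles[clone_name] = clone
        ref.text = clone_name
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in find_exposed_response_pages(SAMPLE_CONFIG, {"untrust"}):
        print(finding)
    print(find_exposed_response_pages(harden(SAMPLE_CONFIG, {"untrust"}), {"untrust"}))
```

The clone-and-rebind step matters because a single Interface Management Profile is often shared across zones; setting response-pages to no on the shared profile would also switch the portal off on the trusted interfaces where it is supposed to stay enabled. Review the generated XML rather than pushing it blindly.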
Technical protections include enabling Threat ID 510019 in the Applications and Threats content (version 9097‑10022) for customers with an Advanced Threat Prevention subscription; decoder capabilities for that Threat ID require PAN‑OS 11.1 or later. Advanced WildFire machine‑learning models and analysis have been updated to address indicators associated with this activity. Advanced URL Filtering and Advanced DNS Security have identified known malicious URLs and domains tied to the campaign. Palo Alto Networks' Cortex Xpanse can be used to identify exposed instances of the User‑ID Authentication Portal that may be vulnerable to CVE‑2026‑0300.
Unit 42 also published operational indicators, including IP addresses (for example 67.206.213[.]86 and 146.70.100[.]69 listed as C2 staging), a reported EarthWorm download URL (hxxp[:]//146.70.100[.]69:8000/php_sess), a ReverseSocks5 GitHub release URL, a file hash for EarthWorm, an attacker user agent string, and paths where tunneling tools were observed (for example /var/tmp/linuxap, /tmp/R5, /var/R5).
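The forensic traces described under "Post‑compromise actions and forensic traces" (ptrace injection into an nginx worker, later scrubbed from the audit log) and the tool paths listed above are the kind of thing a hunt script should check for. The following is an added example, not Unit 42 code, that reads Linux auditd‑style SYSCALL records and flags three things: ptrace calls whose target pid belongs to an nginx process, executables run from /tmp, /var/tmp or /dev/shm, and gaps in the audit serial numbers, which are one sign that records were deleted. It assumes the x86_64 syscall table (ptrace is syscall 101 when arch=c000003e) and learns pid‑to‑process names only from records it has seen; the sample log lines are constructed and not taken from any device.

```python
"""Scan Linux auditd-style SYSCALL records for the traces described in the
advisory: ptrace calls into nginx workers, tools run from temp paths, and
gaps in the audit serial numbers that suggest records were deleted.
Added example; the log lines are constructed, not from a real device."""
import re

PTRACE_X86_64 = 101  # syscall number for ptrace when arch=c000003e (x86_64)
PTRACE_NAMES = {4: "POKETEXT", 5: "POKEDATA", 16: "ATTACH", 0x4206: "SEIZE"}
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # tool paths from the IOC list plus /dev/shm

# Constructed sample: nginx worker pid 2210 (0x8a2) is attached and written to
# by a binary in /var/tmp, a second tool runs from /tmp, and serials 5004-5009
# are missing between two otherwise consecutive events.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1713900000.101:5001): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 ppid=1 pid=2210 uid=0 comm="nginx" exe="/usr/sbin/nginx" key="exec"
type=SYSCALL msg=audit(1713900010.202:5002): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=8a2 a2=0 a3=0 ppid=3100 pid=3105 uid=0 comm="linuxap" exe="/var/tmp/linuxap" key="ptrace"
type=SYSCALL msg=audit(1713900010.250:5003): arch=c000003e syscall=101 success=yes exit=0 a0=4 a1=8a2 a2=7f1 a3=90 ppid=3100 pid=3105 uid=0 comm="linuxap" exe="/var/tmp/linuxap" key="ptrace"
type=SYSCALL msg=audit(1713900020.300:5010): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 ppid=3100 pid=3200 uid=0 comm="R5" exe="/tmp/R5" key="exec"
"""

_HDR = re.compile(r"^type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\):")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Return a dict of fields for one audit record, or None if the line is not one."""
    m = _HDR.match(line)
    if not m:
        return None
    rec = {"type": m.group(1),
           "ts": float(f"{m.group(2)}.{m.group(3)}"),
           "serial": int(m.group(4))}
    for key, val in _KV.findall(line[m.end():]):
        rec[key] = val.strip('"')
    return rec


def analyze(lines):
    """Build a report from an iterable of audit log lines."""
    records = [r for r in map(parse_audit_line, lines) if r]
    comm_by_pid = {}
    ptrace_on_nginx, untrusted_exe, serial_gaps = [], set(), []
    for r in records:
        if r["type"] != "SYSCALL":
            continue
        if r.get("pid"):
            comm_by_pid[int(r["pid"])] = r.get("comm", "")
        exe = r.get("exe", "")
        if exe.startswith(SUSPECT_DIRS):
            untrusted_exe.add(exe)
        if r.get("arch") == "c000003e" and r.get("syscall") == str(PTRACE_X86_64):
            request, target = int(r["a0"], 16), int(r["a1"], 16)  # a0=request, a1=target pid (hex)
            if comm_by_pid.get(target, "").startswith("nginx"):
                ptrace_on_nginx.append({"serial": r["serial"], "tracer": exe,
                                        "request": PTRACE_NAMES.get(request, hex(request)),
                                        "target_pid": target})
    # Serials are per event, not per record, so collapse duplicates before looking for holes.
    serials = sorted({r["serial"] for r in records})
    for prev, nxt in zip(serials, serials[1:]):
        if nxt - prev > 1:
            serial_gaps.append((prev, nxt))
    return {"ptrace_on_nginx": ptrace_on_nginx,
            "untrusted_exe": sorted(untrusted_exe),
            "serial_gaps": serial_gaps}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG.splitlines()), indent=2))
```

Two caveats when running this against real data: a serial gap can also come from log rotation or a lost‑events condition in auditd, so treat it as a lead rather than proof of tampering; and because the pid‑to‑name map is built from the log itself, an attacker who scrubbed the earlier nginx records would hide the target, so pair the audit scan with a process listing taken at collection time.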
What this means for security teams, procurement leaders, and network operators
- Security teams: prioritize detection and containment on exposed User‑ID Authentication Portals, apply the mitigation steps (restrict portal access, disable Response Pages on untrusted interfaces), and enable Threat ID 510019 if eligible; use Cortex Xpanse to hunt for externally reachable portals.
- Procurement and asset managers: validate whether PA‑Series or VM‑Series devices in service expose the User‑ID Authentication Portal to untrusted networks and confirm PAN‑OS versions and subscription features (Advanced Threat Prevention) required for available protections.
- Network operators: expect attackers to favor low‑noise, non‑persistent access windows and open‑source tunneling tools for pivoting; maintain forensics readiness to detect log cleanup and deleted artifacts described by Unit 42 and be prepared to engage Unit 42 Incident Response if compromise is suspected.
Unit 42 has offered Incident Response engagement and published regional contact numbers for organizations needing urgent assistance. The advisory underscores that this cluster—CL‑STA‑1132—relied on operational restraint and open‑source tooling to remain beneath many automated alerts, illustrating why edge‑network assets with high privileges warrant immediate attention.
https://unit42.paloaltonetworks.com/captive-portal-zero-day/