
State-sponsored hackers exploit Palo Alto Networks firewall zero-day

"We are aware of only limited exploitation of CVE-2026-0300 at this time. Unit 42 is tracking CL-STA-1132, a cluster of likely state-sponsored threat activity exploiting CVE-2026-0300." — Palo Alto Networks

CVE-2026-0300 and the PAN-OS User-ID Authentication Portal

Palo Alto Networks has warned customers about CVE-2026-0300, a critical remote code execution flaw in the PAN-OS User-ID Authentication Portal (also called the Captive Portal). The vulnerability stems from a buffer overflow that can allow unauthenticated attackers to execute arbitrary code with root privileges on Internet-exposed PA-Series and VM-Series firewalls. The company said the flaw does not impact Cloud NGFW or Panorama appliances.

Observed timeline and attacker activity tracked as CL-STA-1132

According to Palo Alto Networks' Unit 42, exploitation activity began in early April. "Starting April 9, 2026, there were unsuccessful exploitation attempts against a PAN-OS device. A week later, the attackers successfully achieved RCE against the device and injected shellcode," the company said. After compromise, the attackers immediately cleaned up logs to hinder detection: clearing crash kernel messages, deleting nginx crash entries and records, and removing crash core dump files.

Tools deployed post-compromise: EarthWorm and ReverseSocks5

Following successful exploitation, attackers deployed the open-source EarthWorm and ReverseSocks5 network-tunneling tools on compromised firewalls. Palo Alto Networks described EarthWorm as a tool that allows threat actors to set up covert communications across restricted networks, while ReverseSocks5 creates outbound SOCKS v5 proxy tunnels that can bypass NAT and firewall restrictions. The report notes EarthWorm has previously been used in attacks linked to CL-STA-0046, Volt Typhoon, UAT-8337, and APT41 Chinese-speaking threat groups.

Scope of exposure: Shadowserver counts and CISA emergency actions

Internet threat watchdog Shadowserver now tracks over 5,400 PAN-OS VM-series firewalls exposed to the Internet, most located in Asia (2,466) and North America (1,998). In response to CVE-2026-0300, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the zero-day to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch agencies to secure vulnerable firewalls by Saturday midnight, May 9. The advisory appears against a background in which edge network devices are attractive targets because they often lack the logging and security software found on endpoints; in February, CISA issued Binding Operational Directive 26-02, requiring agencies to remove network edge devices that no longer receive security updates from manufacturers.

What this means for technologists, policymakers, and affected enterprises

  • Technologists and security teams: Until patches are available, Palo Alto Networks "strongly" advised customers to secure access to the PAN-OS User-ID Authentication Portal by restricting access to trusted zones only, or disabling the portal if that is not possible. Administrators can check whether their firewalls are configured to run the vulnerable service under Device > User Identification > Authentication Portal Settings > Enable Authentication Portal.
  • Policymakers and federal IT managers: CISA's KEV listing and the May 9 directive impose an immediate requirement for Federal Civilian Executive Branch agencies to act quickly to secure or isolate affected firewalls.
  • Affected enterprises and procurement leaders: Shadowserver's count of more than 5,400 exposed VM-series instances underscores a broad attack surface; organizations that rely on PA-Series or VM-Series appliances must weigh the operational impact of disabling the captive portal against the exposure risk until vendor patches arrive.

Palo Alto Networks told BleepingComputer it is still working on releasing patches, with the first updates expected to roll out on Wednesday, May 13. That timetable leaves a narrow window in which administrators must apply the vendor's mitigations or isolate vulnerable systems while federal agencies move under CISA's May 9 directive. The combination of a root-privileged RCE, evidence of log tampering and the use of tunneling tools reinforces why Internet-exposed firewalls—instances tracked by Shadowserver in the thousands—are high-value targets for actors that Unit 42 describes as "likely state-sponsored."

Link to the original reporting: https://www.bleepingcomputer.com/news/security/pan-os-firewall-rce-zero-day-exploited-in-attacks-since-april-9/