Critical Zero-Day Vulnerability in Palo Alto Networks Firewalls Exploited by State-Sponsored Hackers
In a recent security advisory dated May 6, 2026, Palo Alto Networks disclosed that a critical zero-day vulnerability, identified as CVE-2026-0300, has been actively exploited by state-sponsored threat actors since at least April 2026. This buffer overflow flaw resides in the User-ID Authentication Portal, also known as the Captive Portal service, within the PAN-OS software. It enables unauthenticated remote attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending specially crafted network packets.
The vulnerability poses a significant risk, particularly when the Authentication Portal is exposed to untrusted networks. Upon successful exploitation, attackers can inject shellcode directly into an nginx worker process, granting them deep, persistent access to the underlying system. Notably, Prisma Access, Cloud NGFW, and Panorama appliances are not affected by this flaw.
Attack Timeline and Methodology
Palo Alto Networks’ Unit 42 threat intelligence team has been monitoring this exploitation activity under the cluster designation CL-STA-1132, attributing it to a likely state-sponsored actor. The attack timeline reveals a methodical approach:
– April 9, 2026: Initial unsuccessful exploitation attempts were logged against a PAN-OS device.
– April 16, 2026: Attackers achieved remote code execution (RCE) and injected shellcode. Following the compromise, they conducted aggressive log destruction, including clearing crash kernel messages, deleting nginx crash entries, and removing crash core dump files to hinder forensic analysis.
– April 20, 2026: The attackers deployed multiple tools with root privileges and began Active Directory enumeration using service account credentials harvested from the firewall, targeting the domain root and DomainDnsZones. Evidence of ptrace injection and set-user-ID (SUID) privilege-escalation binaries was subsequently deleted from audit logs to further reduce their footprint.
– April 29, 2026: A SAML flood attack was executed against the first compromised device, causing a secondary device to be promoted to Active status, inheriting the same internet-facing traffic configuration. RCE was then achieved on this second device by downloading and deploying two open-source tunneling tools.
Post-Exploitation Tools: Earthworm and ReverseSocks5
The attackers utilized publicly available tools to minimize the likelihood of signature-based detection:
– Earthworm: An open-source network tunneling tool written in C, supporting Windows, Linux, macOS, and ARM/MIPS platforms. It was used to establish covert SOCKS5 proxy tunnels and multi-hop cascaded network paths. Earthworm has previously been linked to threat clusters including Volt Typhoon, APT41, UAT-8337, and CL-STA-0046.
– ReverseSocks5: This tool was employed to establish outbound connections from compromised devices to an attacker-controlled server, bypassing firewall and NAT restrictions to route traffic into the internal network.
Mitigation Measures and Recommendations
Palo Alto Networks is actively working on security patches for CVE-2026-0300, with the first round of patches scheduled for release on May 13, 2026, and the second on May 28, 2026. In the interim, the company advises customers to take the following immediate actions:
1. Disable the User-ID Authentication Portal: If this service is not required, disabling it will eliminate the attack vector.
2. Restrict Access: Limit access to the Authentication Portal to trusted zones only, ensuring it is not exposed to untrusted networks.
3. Disable Response Pages: In the Interface Management Profile attached to every Layer 3 interface in any zone where untrusted or internet traffic can ingress, disable Response Pages to reduce the attack surface.
These measures are crucial to mitigate the risk posed by this vulnerability until official patches are applied.
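As an added illustration of step 3 (example code, not from the advisory or from Palo Alto Networks), the following Python script audits an exported PAN-OS XML configuration for Interface Management Profiles that still enable Response Pages on Layer 3 interfaces in operator-supplied untrusted zones. The XML element paths and the sample configuration are assumptions constructed for this example and should be checked against a real running-config export.

```python
# Audit an exported PAN-OS config for Interface Management Profiles that still
# serve Response Pages on Layer 3 interfaces in zones that can receive untrusted
# traffic (mitigation step 3).  The XML paths are assumed to follow a typical
# running-config export; the sample config below is constructed for this example.
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
 <network>
  <profiles><interface-management-profile>
   <entry name="ping-only"><ping>yes</ping><response-pages>no</response-pages></entry>
   <entry name="legacy-portal"><ping>yes</ping><response-pages>yes</response-pages></entry>
  </interface-management-profile></profiles>
  <interface><ethernet>
   <entry name="ethernet1/1"><layer3><interface-management-profile>legacy-portal</interface-management-profile></layer3></entry>
   <entry name="ethernet1/2"><layer3><interface-management-profile>legacy-portal</interface-management-profile></layer3></entry>
   <entry name="ethernet1/3"><layer3><interface-management-profile>ping-only</interface-management-profile></layer3></entry>
  </ethernet></interface>
 </network>
 <vsys><entry name="vsys1"><zone>
  <entry name="untrust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
  <entry name="trust"><network><layer3><member>ethernet1/2</member><member>ethernet1/3</member></layer3></network></entry>
 </zone></entry></vsys>
</entry></devices></config>"""

def find_exposed_response_pages(config_xml, untrusted_zones):
    """Return (zone, interface, profile) triples for every Layer 3 interface in an
    untrusted zone whose management profile has <response-pages>yes</response-pages>."""
    root = ET.fromstring(config_xml)
    # Profiles that still serve Response Pages.
    risky = {
        p.get("name")
        for p in root.iterfind(".//interface-management-profile/entry")
        if (p.findtext("response-pages") or "no").strip() == "yes"
    }
    # Map each Layer 3 interface to the management profile attached to it.
    iface_profile = {}
    for e in root.iter("entry"):
        prof = e.findtext("layer3/interface-management-profile")
        if prof:
            iface_profile[e.get("name")] = prof.strip()
    findings = []
    for zone in root.iterfind(".//zone/entry"):
        if zone.get("name") not in untrusted_zones:
            continue
        for member in zone.iterfind("network/layer3/member"):
            prof = iface_profile.get(member.text.strip())
            if prof in risky:
                findings.append((zone.get("name"), member.text.strip(), prof))
    return findings
```

Run against the sample with `{"untrust"}` as the untrusted zone set, it reports ethernet1/1 carrying the `legacy-portal` profile; ethernet1/2 carries the same profile but sits in the trust zone and is only flagged if that zone is also supplied.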
Conclusion
The exploitation of CVE-2026-0300 underscores the persistent threat posed by state-sponsored actors targeting critical infrastructure. Organizations utilizing Palo Alto Networks firewalls must act swiftly to implement the recommended mitigations and prepare for the forthcoming patches. Maintaining vigilance and adhering to best practices in network security are essential to defend against such sophisticated attacks.