Palo Alto Networks has disclosed that a critical zero‑day vulnerability in PAN‑OS (CVE‑2026‑0300) has been actively exploited by suspected state‑sponsored actors over several weeks, enabling attackers to gain root access to exposed firewall systems while carefully erasing evidence of compromise.
According to Palo Alto’s Unit 42 threat intelligence team, the activity tracked as CL‑STA‑1132 involves attackers leveraging the flaw to achieve unauthenticated remote code execution (RCE). Once exploited, adversaries inject malicious shellcode into an nginx worker process, granting them full control of the affected firewall without needing valid credentials.
Although the vendor describes the exploitation as relatively limited, the campaign has been ongoing for nearly a month, with attackers demonstrating disciplined and stealth‑focused tradecraft.
Post‑exploitation activity
After gaining access, the attackers move quickly to establish persistence and expand their footprint. This includes deploying widely available tunneling utilities such as EarthWorm and ReverseSocks5, which allow them to maintain covert communications and pivot deeper into internal networks.
The threat actors also leverage credentials likely harvested from the compromised firewall to conduct Active Directory reconnaissance, mapping the victim environment and identifying additional systems. To minimize detection, they systematically remove logs and other forensic artifacts, significantly reducing visibility for defenders.
Notably, EarthWorm has previously been observed in campaigns linked to China‑associated threat groups, including APT41, Volt Typhoon, and CL‑STA‑0046, suggesting possible alignment with similar operational tactics.
Root cause of the vulnerability
CVE‑2026‑0300 stems from a buffer overflow flaw in the User‑ID Authentication Portal (also referred to as the Captive Portal) within PAN‑OS. By sending specially crafted packets to the exposed service, an attacker can execute arbitrary code with root‑level privileges.
The risk is significantly elevated in environments where the User‑ID portal is accessible from the public internet. Palo Alto emphasizes that restricting access to trusted internal IP ranges dramatically reduces exposure.
Impacted and unaffected platforms
The vulnerability affects PA‑Series and VM‑Series firewalls running vulnerable PAN‑OS versions. Multiple patch releases are scheduled across supported versions, including PAN‑OS 12.1, 11.2, 11.1, and 10.2, with fixes rolling out between May 13 and May 28, 2026, depending on the version.
Importantly, the company confirmed that the issue does not impact Prisma Access, Cloud NGFW, or Panorama appliances.
Active exploitation status
Palo Alto has confirmed that the flaw is currently being exploited in real‑world attacks, primarily targeting systems where the User‑ID Authentication Portal is exposed externally. While the scope of attacks remains limited, the nature of the vulnerability and its ease of exploitation make it a high‑risk issue.
The company reiterated that organizations following security best practices, especially restricting access to sensitive management interfaces, are far less likely to be affected.
Tools used in the campaign
The attackers rely heavily on open‑source tools, which helps them blend into legitimate network activity and avoid detection:
- EarthWorm: A cross‑platform tunneling tool written in C that functions as a SOCKS5 proxy and port‑forwarding utility. It enables covert communication, traffic forwarding, and multi‑hop tunneling, often supporting lateral movement across networks using protocols such as SSH and RDP.
- ReverseSocks5: A tool designed to bypass firewalls and NAT restrictions by establishing outbound connections from compromised systems to attacker‑controlled servers. Once connected, it creates a SOCKS5 tunnel that allows adversaries to access internal systems remotely.
Although both tools can be used for legitimate administrative purposes, they are frequently abused in advanced attacks for stealthy post‑compromise operations.
Operational tactics and stealth
Palo Alto highlighted that the attackers behind CL‑STA‑1132 demonstrated a low‑noise, highly controlled approach. Instead of maintaining constant access, they operated in short, intermittent sessions over several weeks, reducing the likelihood of triggering automated detection systems.
Additionally, the attackers prioritized credential‑based lateral movement, leveraging trusted identities rather than exploiting network vulnerabilities. This approach minimizes detectable anomalies and further reduces their operational footprint.
The use of open‑source tools instead of custom malware also allowed the attackers to evade signature‑based defenses and integrate seamlessly into victim environments.
Key takeaway
This campaign highlights a critical shift in advanced threat behavior:
- Exploiting edge infrastructure vulnerabilities for initial access
- Leveraging legitimate or open‑source tools to evade detection
- Maintaining stealth through limited, disciplined activity patterns
- Relying on credential abuse rather than noisy exploitation techniques
Organizations are strongly advised to:
- Restrict access to User‑ID Authentication Portals
- Apply patches immediately when available
- Monitor for unusual outbound connections and unauthorized tunneling activity
- Review logs (where available) for signs of tampering or deletion
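As an added illustration (not code from Palo Alto Networks or Unit 42), the following Python pass over constructed firewall log records checks the last two recommendations: sessions sourced by the firewall itself toward hosts outside an allowlist (the shape a reverse SOCKS5 tunnel takes) and jumps in the per-record sequence number, which point to deleted records rather than a quiet period. The log format, IP addresses and field names are assumptions.

```python
"""Hypothetical detection pass over constructed firewall syslog-style records.

Two checks derived from the recommendations above: (1) outbound sessions that
originate from the firewall itself toward hosts outside an allowlist (the shape
a reverse SOCKS5 tunnel takes), and (2) jumps in the per-record sequence number,
which indicate records were removed rather than never written.
"""
import re

# Constructed sample records: "<seq> <timestamp> <src>:<sport> -> <dst>:<dport> <action>"
SAMPLE_LOG = """\
1001 2026-05-01T10:00:00 10.0.0.1:44120 -> 10.0.0.5:389 allow
1002 2026-05-01T10:00:05 10.0.0.1:44121 -> 203.0.113.7:443 allow
1003 2026-05-01T10:00:09 10.0.0.22:51000 -> 198.51.100.3:443 allow
1010 2026-05-01T10:20:00 10.0.0.1:44130 -> 10.0.0.5:445 allow
"""

LINE_RE = re.compile(
    r"^(?P<seq>\d+) (?P<ts>\S+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>\w+)$"
)

def parse(log_text):
    """Return one dict per well-formed record; malformed lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["seq"] = int(rec["seq"])
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records

def suspicious_outbound(records, firewall_ip, allowed_dsts):
    """Destinations of sessions sourced by the firewall that are not on the allowlist."""
    return [r["dst"] for r in records
            if r["src"] == firewall_ip and r["dst"] not in allowed_dsts]

def sequence_gaps(records):
    """(last_seen, next_seen) pairs where the sequence number jumps by more than 1."""
    gaps = []
    for prev, cur in zip(records, records[1:]):
        if cur["seq"] - prev["seq"] > 1:
            gaps.append((prev["seq"], cur["seq"]))
    return gaps
```

A sequence gap only shows that records are missing from what was collected; forwarding logs to a separate collector at write time is what makes the comparison meaningful after an on-device wipe.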
Overall, CVE‑2026‑0300 represents a high‑impact vulnerability that underscores the importance of securing externally exposed services and maintaining strong visibility across critical infrastructure.