Nation-state actors exploit Palo Alto PAN-OS zero-day for weeks
Nation-state actors exploit Palo Alto PAN-OS zero-day for weeks
Publish Date: 2026-05-07 17:07:00
Source Domain: securityaffairs.com
Nation-state actors exploit Palo Alto PAN-OS zero-day for weeks
Pierluigi Paganini
May 07, 2026
Palo Alto says hackers exploited PAN-OS zero-day CVE-2026-0300 for weeks, gaining root access to exposed firewalls and hiding traces.
Palo Alto Networks warned that suspected state-sponsored hackers have been exploiting the critical PAN-OS zero-day CVE-2026-0300 for nearly a month. After exploiting the flaw, attackers deployed tunneling tools such as EarthWorm and ReverseSocks5, used stolen credentials to probe Active Directory, and deleted logs and other evidence to hide the intrusion.
“We are aware of only limited exploitation of CVE-2026-0300 at this time. Unit 42 is tracking CL-STA-1132, a cluster of likely state-sponsored threat activity exploiting CVE-2026-0300. The attacker behind this activity exploited CVE-2026-0300 to achieve unauthenticated remote code execution (RCE) in PAN-OS software. Upon successful exploitation, the attacker was able to inject shellcode into an nginx worker process.” reads the advisory by the cybersecurity vendor. “Post-exploitation activity includes deployment of publicly available tunneling tools (EarthWorm, ReverseSocks5), Active Directory enumeration using credentials likely obtained from the firewall, and the systematic destruction of logs and other evidence of compromise.”
EarthWorm has been used in past attacks associated with several China-linked threat actors, including , APT41, CL-STA-0046, and Volt Typhoon.
The flaw is a buffer overflow that allows unauthenticated remote code execution, especially when the User-ID portal is exposed to the internet.
“A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted…
