{"id":242660,"date":"2026-05-07T11:31:00","date_gmt":"2026-05-07T15:31:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/07\/palo-alto-zero-day-exploited-in-campaign-bearing-hallmarks-of-chinese-state-hacking\/"},"modified":"2026-05-09T20:15:14","modified_gmt":"2026-05-10T00:15:14","slug":"palo-alto-zero-day-exploited-in-campaign-bearing-hallmarks-of-chinese-state-hacking","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/07\/palo-alto-zero-day-exploited-in-campaign-bearing-hallmarks-of-chinese-state-hacking\/","title":{"rendered":"Palo Alto Zero-Day Exploited in Campaign Bearing Hallmarks of Chinese State Hacking"},"content":{"rendered":"<p><a href=\"https:\/\/www.securityweek.com\/palo-alto-zero-day-exploited-in-campaign-bearing-hallmarks-of-chinese-state-hacking\/\">Palo Alto Zero-Day Exploited in Campaign Bearing Hallmarks of Chinese State Hacking<\/a><\/p>\n<p><a href=\"https:\/\/www.securityweek.com\/palo-alto-zero-day-exploited-in-campaign-bearing-hallmarks-of-chinese-state-hacking\/\">https:\/\/www.securityweek.com\/palo-alto-zero-day-exploited-in-campaign-bearing-hallmarks-of-chinese-state-hacking\/<\/a><\/p>\n<p>Publish Date: 2026-05-07 11:31:00<\/p>\n<p>Source Domain: <a href=\"https:\/\/www.securityweek.com\/\">www.securityweek.com<\/a><\/p>\n<p><strong>Palo Alto Networks has shared some information on the exploitation of the recently disclosed zero-day vulnerability affecting some of its firewalls. 
The cybersecurity firm has not directly attributed the attack to a specific threat actor or country, but the evidence seems to point to China.<\/strong><\/p>\n<p>In an advisory published on May 6, Palo Alto Networks informed customers about CVE-2026-0300, a vulnerability affecting the User-ID Authentication Portal of PA and VM series firewalls.<\/p>\n<p>The company said the flaw, which allows unauthenticated remote code execution with root privileges, had been exploited as a zero-day.<\/p>\n<p>Patches are expected to be released on May 13 and May 28, and in the meantime the company has shared mitigations and workarounds to prevent exploitation.<\/p>\n<p>Shortly after CVE-2026-0300 was disclosed, Palo Alto Networks published a blog post describing the vulnerability\u2019s exploitation in the wild.<\/p>\n<p>According to the company, a \u201clikely state-sponsored\u201d threat group tracked as CL-STA-1132 was behind the attack. First exploitation attempts were observed on April 9, but were unsuccessful. The vulnerability was successfully leveraged one week later for remote code execution and Nginx worker process shellcode injection.<\/p>\n<p>\u201cFollowing the compromise, the attackers immediately conducted log cleanup to mitigate detection by clearing crash kernel messages, deleting nginx crash entries and nginx crash records, as well as removing crash core dump files,\u201d Palo Alto explained.<\/p>\n<p>\u201cThe attackers deployed a number of tools with root privileges four days later, before conducting Active Directory (AD) enumeration using the firewall\u2019s service account credentials to target domain root and DomainDnsZones. 
Following enumeration, the attackers deleted ptrace injection evidence from the audit log and deleted the SetUserID (SUID) privilege escalation binary,\u201d it added.<\/p>\n<p>The attackers deployed the open source&#8230;<\/p>\n<p><a href=\"https:\/\/www.securityweek.com\/palo-alto-zero-day-exploited-in-campaign-bearing-hallmarks-of-chinese-state-hacking\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Palo Alto Zero-Day Exploited in Campaign Bearing Hallmarks of Chinese State Hacking https:\/\/www.securityweek.com\/palo-alto-zero-day-exploited-in-campaign-bearing-hallmarks-of-chinese-state-hacking\/ Publish Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":242661,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.securityweek.com\/wp-content\/uploads\/2024\/11\/Palo-Alto-Networks-zero-day.jpeg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,34,27],"class_list":["post-242660","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-threat-actor","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/242660"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=242660"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/242660\/revisions"}],"predecessor-version":[{"id":242662,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/242660\/revisions\/242662"}],"wp:featuredmedia":[{"embeddable":true,
"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/242661"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=242660"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=242660"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=242660"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
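The anti-forensics the article describes (log cleanup right after the nginx worker shellcode injection, and later deletion of the ptrace injection evidence from the audit log) only works against the copy of the log that lives on the box. The following is an added example, not code from SecurityWeek, Palo Alto Networks or the Unit 42 blog post: two detections written in Python against constructed Linux auditd-style records. It assumes the appliance forwarded auditd-format records to a collector before the cleanup (PAN-OS's real on-box log format is not shown on the page), and every pid, timestamp and path in the sample, including the injector binary `/tmp/.x/inj`, is invented. The first check flags `ptrace()` calls whose target pid belongs to an nginx process; the second reports holes in the audit serial sequence, which is what removing individual records leaves behind.

```python
# Added example (not Palo Alto Networks' or SecurityWeek's code): two checks for
# the anti-forensics described in the article, run over constructed Linux
# auditd-style records. Assumptions: the appliance's logs were forwarded off-box
# in auditd format (PAN-OS's real on-box format is not shown on the page), and
# every pid, path and timestamp below is invented for the sample.
import re
from dataclasses import dataclass, field

PTRACE_SYSCALL_X86_64 = 101  # syscall number of ptrace(2) when arch=c000003e
PTRACE_REQUESTS = {0: "TRACEME", 1: "PEEKTEXT", 4: "POKETEXT", 5: "POKEDATA",
                   12: "GETREGS", 13: "SETREGS", 16: "ATTACH", 17: "DETACH",
                   0x4206: "SEIZE"}

# type=SYSCALL msg=audit(<epoch>:<serial>): k=v k=v ...
AUDIT_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): ?(?P<body>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Record:
    type: str
    ts: float
    serial: int            # one serial per event; SYSCALL/PATH/PROCTITLE share it
    fields: dict = field(default_factory=dict)


def parse_record(line):
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("body"))}
    return Record(m.group("type"), float(m.group("ts")), int(m.group("serial")), fields)


def parse_log(text):
    return [r for r in map(parse_record, text.splitlines()) if r is not None]


def find_ptrace_into(records, target_comm="nginx"):
    """Flag ptrace() calls whose target pid (argument a1) belongs to a process
    whose comm is target_comm. The pid->comm map is learned from the log itself,
    so PID reuse between events can mislabel a target (caveat)."""
    pid_comm = {}
    for r in records:
        if r.type == "SYSCALL" and "pid" in r.fields and "comm" in r.fields:
            pid_comm.setdefault(int(r.fields["pid"]), r.fields["comm"])
    hits = []
    for r in records:
        if r.type != "SYSCALL" or r.fields.get("arch") != "c000003e":
            continue
        if int(r.fields.get("syscall", -1)) != PTRACE_SYSCALL_X86_64:
            continue
        request = int(r.fields["a0"], 16)   # auditd prints a0..a3 as bare hex
        target = int(r.fields["a1"], 16)
        if pid_comm.get(target) != target_comm:
            continue
        hits.append({"serial": r.serial,
                     "request": PTRACE_REQUESTS.get(request, hex(request)),
                     "target_pid": target, "target_comm": target_comm,
                     "caller_pid": int(r.fields["pid"]),
                     "caller_exe": r.fields.get("exe")})
    return hits


def find_serial_gaps(records):
    """Audit serials increase by one per event, so a hole in the sequence is
    what deleting individual records leaves behind. Returns tuples of
    (last serial before the hole, first serial after it, missing event count).
    Log rotation and kernel backlog loss ("audit_lost") also produce holes,
    so treat a gap as a lead to corroborate, not as proof of tampering."""
    serials = sorted({r.serial for r in records})
    return [(a, b, b - a - 1) for a, b in zip(serials, serials[1:]) if b - a > 1]


# Constructed sample: an nginx worker (pid 2210 = 0x8a2) servicing requests, then
# a root-owned injector attaching to it, poking code, and unlinking its own binary.
RAW_AUDIT_LOG = """\
type=SYSCALL msg=audit(1713254400.101:9001): arch=c000003e syscall=232 success=yes exit=1 a0=7 a1=7ffd1c0 a2=200 a3=ffffffff items=0 ppid=2200 pid=2210 auid=4294967295 uid=0 gid=0 euid=0 comm="nginx" exe="/usr/sbin/nginx" key=(null)
type=PROCTITLE msg=audit(1713254400.101:9001): proctitle=6E67696E783A20776F726B65722070726F63657373
type=SYSCALL msg=audit(1713254400.377:9002): arch=c000003e syscall=59 success=yes exit=0 a0=7ffe2a1 a1=7ffe2b0 a2=7ffe2c8 a3=0 items=2 ppid=3300 pid=3310 auid=4294967295 uid=0 gid=0 euid=0 comm="inj" exe="/tmp/.x/inj" key="exec"
type=SYSCALL msg=audit(1713254400.402:9003): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=8a2 a2=0 a3=0 items=0 ppid=3300 pid=3310 auid=4294967295 uid=0 gid=0 euid=0 comm="inj" exe="/tmp/.x/inj" key=(null)
type=SYSCALL msg=audit(1713254400.409:9004): arch=c000003e syscall=101 success=yes exit=0 a0=4 a1=8a2 a2=7f3a1000 a3=9090c3 items=0 ppid=3300 pid=3310 auid=4294967295 uid=0 gid=0 euid=0 comm="inj" exe="/tmp/.x/inj" key=(null)
type=SYSCALL msg=audit(1713254401.020:9005): arch=c000003e syscall=87 success=yes exit=0 a0=7ffe2d0 a1=0 a2=0 a3=0 items=1 ppid=3300 pid=3310 auid=4294967295 uid=0 gid=0 euid=0 comm="inj" exe="/tmp/.x/inj" key="delete"
"""

# The "cleaned" copy an attacker would leave on-box: the two ptrace events removed.
CLEANED_AUDIT_LOG = "\n".join(l for l in RAW_AUDIT_LOG.splitlines()
                              if ":9003)" not in l and ":9004)" not in l)

if __name__ == "__main__":
    for name, log in (("raw", RAW_AUDIT_LOG), ("cleaned", CLEANED_AUDIT_LOG)):
        recs = parse_log(log)
        print(name, "ptrace hits:", find_ptrace_into(recs))
        print(name, "serial gaps:", find_serial_gaps(recs))
```

Run against the forwarded copy, the first check names the injector, the ptrace request (ATTACH, then POKETEXT) and the nginx worker it targeted; run against the cleaned on-box copy it finds nothing, but the serial-gap check reports two missing events between 9002 and 9005, which is the hole the deletion left. The practical lessons are the ones the article's timeline implies: forward audit and crash logs off the appliance so the on-box cleanup is not the only record, and treat gaps in the forwarded stream as an investigation lead rather than noise.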