PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage
#Vulnerabilities


Security Reporter

A critical unpatched buffer overflow flaw in Palo Alto Networks PAN-OS is under active exploitation by a suspected state-sponsored group, granting unauthenticated attackers root access to firewalls and enabling post-exploitation espionage activity.


Palo Alto Networks has confirmed active exploitation of a critical remote code execution (RCE) vulnerability in its PAN-OS operating system, with a suspected state-sponsored threat group using the flaw to gain root access to firewall appliances and conduct cyber espionage. The flaw, tracked as CVE-2026-0300, carries a CVSS score of 9.3 (or 8.7 when adjusted for environmental factors) and affects the User-ID Authentication Portal service in PAN-OS software.

The vulnerability stems from a buffer overflow in the User-ID Authentication Portal service, which allows unauthenticated attackers to execute arbitrary code with root privileges by sending specially crafted network packets. Palo Alto Networks noted that while official patches will begin rolling out on May 13, 2026, customers can apply immediate mitigations to reduce risk. Details on affected PAN-OS versions and patch availability are available in the official Palo Alto Networks security advisory.

The company’s Unit 42 research team, which tracks the activity under the designation CL-STA-1132, said exploitation attempts date back as early as April 9, 2026. Initial attempts to exploit the flaw against a PAN-OS device were unsuccessful, but within a week, attackers had achieved successful RCE and injected shellcode into an nginx worker process running on the appliance.

Unit 42 assesses CL-STA-1132 as a suspected state-sponsored cluster of unknown provenance, though post-exploitation tools recovered from compromised devices align with previous activity from China-nexus hacking groups. After gaining initial access, the attackers took deliberate steps to cover their tracks: they cleared kernel crash messages and deleted nginx crash entries and core dump files to evade detection.

By April 29, 2026, the threat actors had moved to conduct Active Directory (AD) enumeration on compromised networks and deployed two additional payloads, EarthWorm and ReverseSocks5, against a second device on the network. EarthWorm is a widely used open-source traffic tunneling tool, while ReverseSocks5 is a SOCKS5 proxy tool, both of which have been documented in previous operations by China-linked threat actors.

“The attacker behind this activity exploited CVE-2026-0300 to achieve unauthenticated remote code execution (RCE) in PAN-OS software. Upon successful exploitation, the attacker was able to inject shellcode into an nginx worker process,” Unit 42 said in its advisory. The team also noted a broader trend of nation-state actors prioritizing edge network devices, including firewalls, routers, IoT hardware, hypervisors and VPN solutions, over the past five years. These devices offer high-privilege access to corporate networks while often lacking the comprehensive logging and security agents deployed on standard endpoint devices.

The CL-STA-1132 group relied on open-source tooling rather than custom malware, a choice that minimizes signature-based detection and lets the tools blend in with normal activity in the environment. Combined with a disciplined operational cadence of intermittent interactive sessions spread over multiple weeks, this approach keeps the activity below the behavioral thresholds of most automated alerting systems, making it harder to detect.

Palo Alto Networks is urging all PAN-OS customers to take immediate action ahead of the May 13 patch release. First, restrict access to the PAN-OS User-ID Authentication Portal to only trusted zones, such as internal management networks or known administrator IP ranges. If the User-ID Authentication Portal is not required for business operations, disable the service entirely. Customers should also review nginx crash logs, kernel message buffers and core dump directories for signs of tampering or unexpected activity, as these are common indicators of exploitation attempts.

Organizations should scan for the presence of EarthWorm, ReverseSocks5 or other unauthorized tunneling tools on their network, particularly on devices in the demilitarized zone (DMZ) or edge network segments. Unusual Active Directory enumeration activity, especially originating from edge firewall appliances, should also be investigated as a potential sign of compromise.
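One way to operationalize the last two recommendations is a small hunt over firewall traffic logs that flags an edge appliance reaching Active Directory service ports on an unusual number of targets. This is an added example, not code from Palo Alto Networks or Unit 42; the log line shape, the appliance addresses and the alert threshold are all constructed assumptions, not the real PAN-OS traffic-log schema.

```python
"""Flag edge firewall appliances that touch Active Directory service ports
(LDAP, LDAPS, SMB, Kerberos, RPC endpoint mapper) on many distinct targets.
A firewall may legitimately query LDAP for User-ID group mapping, so the
threshold must be tuned against a baseline rather than treated as absolute."""
import re
from collections import defaultdict

# Constructed sample lines, simplified shape: "<src> -> <dst>:<port> <app> <bytes>"
SAMPLE_LOGS = """\
10.0.0.1 -> 10.0.5.10:389 ldap 1240
10.0.0.1 -> 10.0.5.10:389 ldap 980
10.0.0.1 -> 10.0.5.11:445 smb 2300
10.0.0.1 -> 10.0.5.10:88 kerberos 410
10.0.2.55 -> 10.0.5.10:389 ldap 300
10.0.0.1 -> 203.0.113.7:443 ssl 5120
""".splitlines()

# Addresses of edge appliances in this constructed environment (assumption).
EDGE_APPLIANCES = {"10.0.0.1"}
# Ports commonly involved in AD enumeration: LDAP, LDAPS, SMB, Kerberos, RPC.
AD_PORTS = {389, 636, 445, 88, 135}
LINE_RE = re.compile(r"^(\S+) -> (\S+):(\d+) (\S+) (\d+)$")


def parse_line(line):
    """Return (src, dst, port) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, dst, port, _app, _size = m.groups()
    return src, dst, int(port)


def ad_enum_from_edge(lines, edge_appliances, threshold=3):
    """Map each edge appliance that reached >= threshold distinct AD
    (destination, port) pairs to the sorted list of those targets."""
    targets = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash the hunt
        src, dst, port = parsed
        if src in edge_appliances and port in AD_PORTS:
            targets[src].add(f"{dst}:{port}")
    return {src: sorted(t) for src, t in targets.items() if len(t) >= threshold}


if __name__ == "__main__":
    for src, hits in ad_enum_from_edge(SAMPLE_LOGS, EDGE_APPLIANCES).items():
        print(f"ALERT edge appliance {src} reached AD services: {hits}")
```

Raising the threshold, or excluding the domain controllers a firewall is configured to query for User-ID, is how a team would adapt this to a real baseline.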

Customers are advised to monitor the official Palo Alto Networks advisory for CVE-2026-0300 for updates on patch availability for their specific PAN-OS software branch, as well as additional mitigation guidance as it becomes available.
