State-Sponsored Actors Exploit Critical PAN-OS Zero-Day (CVE-2026-0300) for Remote Code Execution

Executive Summary

On May 6, 2026, Palo Alto Networks disclosed a critical zero-day vulnerability, CVE-2026-0300, affecting its PAN-OS software. The vulnerability is a buffer overflow in the User-ID™ Authentication Portal (Captive Portal) service that allows an unauthenticated attacker to achieve remote code execution (RCE) with root privileges on affected firewalls.

Unit 42 has observed active, albeit limited, exploitation of this vulnerability in the wild by a likely state-sponsored threat actor tracked as CL-STA-1132. The actor's campaign demonstrates a high level of sophistication, leveraging the exploit for initial access, followed by the deployment of open-source tools for persistence and lateral movement, and concluding with thorough evidence destruction. Given the criticality of the vulnerability and its position on the network edge, organizations using affected PAN-OS versions are urged to apply patches or implement mitigations immediately.

Vulnerability Details

CVE-2026-0300 is a buffer overflow vulnerability residing in the Captive Portal service of PAN-OS. An unauthenticated attacker on the network can send specially crafted packets to a vulnerable firewall's Captive Portal interface. Successful exploitation overflows a buffer in an nginx worker process, allowing the attacker to inject and execute arbitrary shellcode.

Critically, the code execution occurs with root privileges, granting the attacker complete control over the compromised firewall appliance. The attack does not require any user interaction or prior authentication, making it a wormable threat, although no such activity has been observed yet. The vulnerability affects the firewall's control plane and can be exploited by any attacker with network access to the exposed Captive Portal service.

Affected Systems

The vulnerability impacts the following Palo Alto Networks products when the User-ID Authentication Portal (Captive Portal) is enabled:

• PA-Series Firewalls (hardware)
• VM-Series Firewalls (virtualized)

According to Palo Alto Networks, the following products are NOT affected:

• Prisma Access
• Cloud NGFW
• Panorama appliances

The primary risk factor is the exposure of the User-ID Authentication Portal to the internet or other untrusted networks. Systems configured according to best practices, where the portal is only accessible from trusted internal networks, have a significantly reduced risk profile.

Exploitation Status

Unit 42 reports that a threat actor cluster, CL-STA-1132, began attempting to exploit this vulnerability as a zero-day starting on April 9, 2026. Successful RCE was achieved approximately a week later. The activity is described as limited and targeted, consistent with cyber espionage operations conducted by a nation-state actor.

The attack timeline indicates a methodical approach:

1. Initial Access: The actor exploited CVE-2026-0300 to gain root-level RCE.
2. Defense Evasion: Immediately after compromise, the actor cleared crash logs, deleted nginx crash records, and removed core dump files to hide their tracks.
3. Staging & Persistence: Days later, the actor deployed tunneling tools, including EarthWorm and ReverseSocks5, to establish persistent C2 channels.
4. Discovery & Lateral Movement: The actor used credentials obtained from the firewall to perform Active Directory enumeration and later conducted a SAML flood to force a failover and compromise a second device.

Impact Assessment

The impact of exploiting CVE-2026-0300 is severe. A compromised edge firewall represents a total failure of the network perimeter's integrity. As a root-level compromise, the attacker gains:

• Complete Control: The ability to monitor, modify, or drop all traffic passing through the firewall.
• Credential Access: Potential access to sensitive credentials stored on the device, such as service account passwords for AD integration, RADIUS secrets, or VPN keys.
• Pivoting Point: A trusted, persistent foothold within the network from which to launch further attacks, move laterally, and exfiltrate data.
• Stealth: The ability to disable logging or manipulate logs on the firewall itself, making detection of subsequent activities extremely difficult.

Given that the attackers are using this access to enumerate Active Directory, the ultimate goal is likely widespread internal compromise and data exfiltration, aligning with the objectives of state-sponsored espionage campaigns.

IOCs — Directly from Articles

No specific Indicators of Compromise (IOCs) such as IP addresses, domains, or file hashes were provided in the source article.

Cyber Observables — Hunting Hints

The following patterns could indicate related activity and may be useful for threat hunting:

Detection & Response

Security teams should prioritize both detection and response actions:

1. Apply Threat Prevention Signatures: Customers with an Advanced Threat Prevention subscription should enable Threat ID 510019 (requires content version 9097-10022 and PAN-OS 11.1 or later) to block exploitation attempts.
2. Analyze Firewall Logs: Review system, traffic, and User-ID logs for signs of compromise. Look for unexplained reboots, log gaps, or connections from the firewall to unusual external IP addresses. Use the Network Traffic Analysis (D3-NTA) technique to baseline normal traffic and identify anomalies.
3. Monitor Internal Network: Scrutinize logs from Domain Controllers for unusual LDAP or DNS queries originating from the firewall's service account. This could indicate successful compromise and lateral movement attempts. This aligns with D3FEND's Domain Account Monitoring (D3-DAM).
4. Utilize Xpanse: Cortex Xpanse can be used to identify internet-exposed instances of the User-ID Authentication Portal that are potentially vulnerable.

If a compromise is suspected, organizations should consider engaging an incident response team to determine the extent of the breach and perform full remediation.

Mitigation

Palo Alto Networks strongly recommends applying the security updates immediately. If patching is not immediately possible, the following workarounds can mitigate the risk:

• Restrict Access (Primary Mitigation): The most effective mitigation is to adhere to the best practice of restricting access to the Captive Portal. Configure security policies to ensure the User-ID Authentication Portal interface is only accessible from trusted, internal network zones. It should not be exposed to the internet. This is an application of MITRE ATT&CK Mitigation M1035 - Limit Access to Resource Over Network.
• Temporary Disablement: If not in use, disable the User-ID Authentication Portal entirely.

Long-term strategic mitigations include:

• Network Segmentation: Implement robust network segmentation (M1030 - Network Segmentation) to limit the blast radius of a compromised edge device, preventing an attacker from easily moving laterally into critical internal segments.
• Egress Filtering: Enforce strict egress traffic filtering (M1037 - Filter Network Traffic) to block outbound connections from the firewall and other critical infrastructure to unauthorized destinations, which could disrupt C2 channels established by tools like EarthWorm.