Palo Alto Firewall Zero-Day RCE Act Networks Vulnerability
Palo Alto Networks has disclosed a critical zero-day vulnerability affecting its PAN-OS software. A likely state-sponsored threat actor has actively exploited the flaw since at least April 2026, the...
Palo Alto Networks has disclosed a critical zero-day vulnerability affecting its PAN-OS software. A likely state-sponsored threat actor has actively exploited the flaw since at least April 2026, the company confirmed in a security advisory published on May 6, 2026.
Tracked as CVE-2026-0300, the flaw is a buffer overflow vulnerability residing in the User-ID Authentication Portal, also known as the Captive Portal service of PAN-OS, and it allows an unauthenticated remote attacker to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending specially crafted network packets.
The vulnerability enables unauthenticated remote code execution (RCE) against internet-facing PAN-OS deployments where the User-ID Authentication Portal is exposed to untrusted networks.
Upon successful exploitation, attackers can inject shellcode directly into an nginx worker process, granting them deep, persistent access to the underlying system. Prisma Access, Cloud NGFW, and Panorama appliances are not affected.
Risk is significantly elevated when the Authentication Portal is publicly reachable, making network segmentation and access restriction the most immediate mitigation step.
Palo Alto Networks’ Unit 42 threat intelligence team is tracking exploitation activity under the cluster designation CL-STA-1132, attributed to a likely state-sponsored actor.
The campaign timeline reveals a deliberate, methodical approach beginning April 9, 2026, when unsuccessful exploitation attempts were logged against a PAN-OS device.
One week later, the attackers successfully achieved RCE and injected shellcode. Immediately following the compromise, they conducted aggressive log destruction, clearing crash kernel messages, deleting nginx crash entries and records, and removing crash core dump files to impair forensic detection.
Four days after initial compromise, the attackers deployed multiple tools with root privileges and began Active Directory enumeration using service account credentials harvested from the firewall, targeting the domain root and DomainDnsZones.
Evidence of ptrace injection and SetUserID (SUID) privilege-escalation binaries was subsequently deleted from audit logs to further reduce their footprint.
On April 29, 2026, the attackers executed a SAML flood attack against the first compromised device, causing a secondary device to be promoted to Active status, inheriting the same internet-facing traffic configuration.
RCE was then achieved on this second device by downloading and deploying two open-source tunneling tools.
Earthworm and ReverseSocks5 for Post-Exploitation
The attackers relied exclusively on publicly available tooling rather than on proprietary malware, a deliberate choice that minimized the likelihood of signature-based detection.
EarthWorm, an open-source network tunneling tool written in C supporting Windows, Linux, macOS, and ARM/MIPS platforms, was used to establish covert SOCKS5 proxy tunnels and multi-hop cascaded network paths (MITRE ATT&CK T1090, T1572).
Earthworm has previously been linked to threat clusters including Volt Typhoon, APT41, UAT-8337, and CL-STA-0046.
ReverseSocks5 was used to establish outbound connections from compromised devices to an attacker-controlled controller, bypassing firewall and NAT restrictions to route traffic into the internal network via a SOCKS5 proxy tunnel.
Organizations should take one of the following immediate actions. First, restrict User-ID Authentication Portal access exclusively to trusted internal zones, and disable Response Pages in the Interface Management Profile on any L3 interface reachable from untrusted or internet-facing traffic. Second, if the Authentication Portal is not operationally required, disable it entirely.
Indicators of Compromise
| Indicator | Type | Description |
|---|---|---|
| 67.206.213[.]86 | IP Address | Attacker Infrastructure |
| 136.0.8[.]48 | IP Address | Attacker Infrastructure |
| 146.70.100[.]69 | IP Address | C2 Staging Server |
| 149.104.66[.]84 | IP Address | Attacker Infrastructure |
| hxxp[:]//146.70.100[.]69:8000/php_sess | URL | EarthWorm Download URL |
| hxxps[:]//github[.]com/Acebond/ReverseSocks5/releases/download/v2.2.0/ReverseSocks5-v2.2.0-linux-amd64.tar[.]gz | URL | ReverseSocks5 Download URL |
| e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584 | SHA-256 Hash | EarthWorm Binary |
| Safari/532.31 Mozilla/5.5 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36 Edg/138.0.0.0 | User Agent | Attacker User Agent String |
| /var/tmp/linuxap, /var/tmp/linuxda, /var/tmp/linuxupdate | File Path | Tunneling Tool Artifacts |
| /tmp/.c | File Path | Unidentified Python Script |
| /tmp/R5, /var/R5 | File Path | ReverseSocks5 Binary Paths |
[.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
No Comment! Be the first one.