Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical MacSync Stealer Delivered via Google Ads and Claude AI Chats
July 15, 2026
GPT-5.6 Sol Ultra AI Creates Full Chrome Exploit Chain from Patches
July 15, 2026
Critical Cursor RCE: CVE-2024-XXXXX lets Git repos auto-execute code
July 15, 2026
Home/CyberSecurity News/Palo Alto Networks Patches Critical PAN-OS Zero-Day RCE, Exploited Since April
CyberSecurity News

Palo Alto Networks Patches Critical PAN-OS Zero-Day RCE, Exploited Since April

Key Takeaways Palo Alto Networks has addressed a critical zero-day vulnerability (CVE-2026-0300) in its PAN-OS software. The flaw, a buffer overflow in the User-ID Authentication Portal, enables...

Jennifer sherman
Jennifer sherman
May 7, 2026 4 Min Read
67 0

Key Takeaways

  • Palo Alto Networks has addressed a critical zero-day vulnerability (CVE-2026-0300) in its PAN-OS software.
  • The flaw, a buffer overflow in the User-ID Authentication Portal, enables unauthenticated remote code execution with root privileges.
  • Exploitation has been actively occurring since April 2026 by a likely state-sponsored actor.
  • PA-Series and VM-Series firewalls are affected, particularly when the Authentication Portal is internet-facing.
  • Patches are available, and immediate mitigation steps involve restricting or disabling the affected service.

Palo Alto Networks Patches Critical PAN-OS Zero-Day Under Active Exploitation

Palo Alto Networks has released an urgent security advisory detailing a zero-day vulnerability within its PAN-OS software, which has been under active exploitation by a suspected state-sponsored threat actor since at least April 2026. The critical flaw, identified as CVE-2026-0300, allows for unauthenticated remote code execution (RCE) and impacts PA-Series and VM-Series firewalls.

Table Of Content

  • Key Takeaways
  • Palo Alto Networks Patches Critical PAN-OS Zero-Day Under Active Exploitation
  • Technical Details of CVE-2026-0300
  • Campaign Timeline and Attacker Tactics
  • Post-Exploitation Tooling: Earthworm and ReverseSocks5
  • Indicators of Compromise
  • What You Should Do

Technical Details of CVE-2026-0300

The vulnerability stems from a buffer overflow within the User-ID Authentication Portal, also known as the Captive Portal service, of PAN-OS. An attacker can exploit this by sending specially crafted network packets to an affected device, thereby achieving root-level code execution without requiring any authentication. The risk is particularly severe for deployments where the User-ID Authentication Portal is directly exposed to untrusted external networks.

Successful exploitation allows attackers to inject shellcode directly into an Nginx worker process, granting them persistent and deep access to the underlying system. Palo Alto Networks clarifies that its Prisma Access, Cloud NGFW, and Panorama appliances are not susceptible to this specific vulnerability.

Campaign Timeline and Attacker Tactics

Palo Alto Networks’ Unit 42 threat intelligence team has been tracking the exploitation under the cluster designation CL-STA-1132, attributing it to a likely state-sponsored entity. The campaign demonstrated a meticulous approach, beginning with initial, unsuccessful exploitation attempts logged on April 9, 2026.

Within a week, attackers successfully achieved RCE and injected shellcode. Immediately following compromise, the threat actor engaged in aggressive forensic countermeasures, systematically deleting kernel crash messages, Nginx crash entries, and core dump files to obscure their presence. Four days after initial compromise, they deployed multiple tools with root privileges and initiated Active Directory enumeration, leveraging service account credentials harvested from the firewall to target the domain root and DomainDnsZones. Further efforts to reduce their footprint included deleting audit logs related to ptrace injection and SetUserID (SUID) privilege-escalation binaries.

On April 29, 2026, the attackers executed a SAML flood attack against the initially compromised device. This action caused a secondary device to assume an active role, inheriting the same internet-facing traffic configuration. Subsequently, RCE was achieved on this second device through the deployment of two open-source tunneling tools.

Post-Exploitation Tooling: Earthworm and ReverseSocks5

The attackers notably relied exclusively on publicly available tools, a strategic choice that likely aimed to minimize detection via signature-based security measures. Two primary tools were identified:

  • EarthWorm: This open-source network tunneling tool, written in C, supports various platforms including Windows, Linux, macOS, and ARM/MIPS. It was utilized to establish covert SOCKS5 proxy tunnels and multi-hop cascaded network paths (MITRE ATT&CK T1090, T1572). Earthworm has previously been associated with other notable threat clusters, such as Volt Typhoon, APT41, UAT-8337, and CL-STA-0046.
  • ReverseSocks5: This tool facilitated the establishment of outbound connections from compromised devices to an attacker-controlled command and control (C2) server. It effectively bypassed firewall and NAT restrictions, enabling the routing of traffic into the internal network via a SOCKS5 proxy tunnel.

Indicators of Compromise

Organizations should review their network logs and security telemetry for the following indicators of compromise (IoCs):

Indicator Type Description
67.206.213[.]86 IP Address Attacker Infrastructure
136.0.8[.]48 IP Address Attacker Infrastructure
146.70.100[.]69 IP Address C2 Staging Server
149.104.66[.]84 IP Address Attacker Infrastructure
hxxp[:]//146.70.100[.]69:8000/php_sess URL EarthWorm Download URL
hxxps[:]//github[.]com/Acebond/ReverseSocks5/releases/download/v2.2.0/ReverseSocks5-v2.2.0-linux-amd64.tar[.]gz URL ReverseSocks5 Download URL
e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584 SHA-256 Hash EarthWorm Binary
Safari/532.31 Mozilla/5.5 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36 Edg/138.0.0.0 User Agent Attacker User Agent String
/var/tmp/linuxap, /var/tmp/linuxda, /var/tmp/linuxupdate File Path Tunneling Tool Artifacts
/tmp/.c File Path Unidentified Python Script
/tmp/R5, /var/R5 File Path ReverseSocks5 Binary Paths

What You Should Do

  • Apply Patches Immediately: Update your PAN-OS software to the latest patched versions as soon as they become available from Palo Alto Networks.
  • Restrict Access to User-ID Authentication Portal: Limit access to the User-ID Authentication Portal to trusted internal network zones only.
  • Disable Response Pages: On any L3 interface reachable from untrusted or internet-facing traffic, disable Response Pages within the Interface Management Profile.
  • Disable the Authentication Portal: If the User-ID Authentication Portal is not an operational necessity for your environment, disable it entirely.
  • Monitor for IoCs: Actively scan network traffic and system logs for the provided Indicators of Compromise (IoCs) to detect any signs of past or ongoing compromise.
  • Review Firewall Configurations: Ensure that your firewall rules enforce strict network segmentation, particularly for management interfaces and critical services.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitMalwareSecurityThreatVulnerabilityzero-day

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Critical Redis Vulnerabilities Let Attackers Execute Remote Code

Next Post

Scammers Evade Call Blocking with VoIP Numbers and Windows Reuse

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Dell PowerProtect flaws let attackers gain full system access
July 15, 2026
Microsoft Confirms Dell Laptop Overheating, Shutdowns After July Windows Update
July 15, 2026
FaceTime Call Impersonation Fraud Hijacks Bank Accounts
July 15, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Emy Elsamnoudy
Emy Elsamnoudy
Jennifer sherman
Jennifer sherman
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us