Palo Alto Networks Patches Critical PAN-OS Zero-Day RCE, Exploited Since April
Key Takeaways Palo Alto Networks has addressed a critical zero-day vulnerability (CVE-2026-0300) in its PAN-OS software. The flaw, a buffer overflow in the User-ID Authentication Portal, enables...
Key Takeaways
- Palo Alto Networks has addressed a critical zero-day vulnerability (CVE-2026-0300) in its PAN-OS software.
- The flaw, a buffer overflow in the User-ID Authentication Portal, enables unauthenticated remote code execution with root privileges.
- Exploitation has been actively occurring since April 2026 by a likely state-sponsored actor.
- PA-Series and VM-Series firewalls are affected, particularly when the Authentication Portal is internet-facing.
- Patches are available, and immediate mitigation steps involve restricting or disabling the affected service.
Palo Alto Networks Patches Critical PAN-OS Zero-Day Under Active Exploitation
Palo Alto Networks has released an urgent security advisory detailing a zero-day vulnerability within its PAN-OS software, which has been under active exploitation by a suspected state-sponsored threat actor since at least April 2026. The critical flaw, identified as CVE-2026-0300, allows for unauthenticated remote code execution (RCE) and impacts PA-Series and VM-Series firewalls.
Table Of Content
Technical Details of CVE-2026-0300
The vulnerability stems from a buffer overflow within the User-ID Authentication Portal, also known as the Captive Portal service, of PAN-OS. An attacker can exploit this by sending specially crafted network packets to an affected device, thereby achieving root-level code execution without requiring any authentication. The risk is particularly severe for deployments where the User-ID Authentication Portal is directly exposed to untrusted external networks.
Successful exploitation allows attackers to inject shellcode directly into an Nginx worker process, granting them persistent and deep access to the underlying system. Palo Alto Networks clarifies that its Prisma Access, Cloud NGFW, and Panorama appliances are not susceptible to this specific vulnerability.
Campaign Timeline and Attacker Tactics
Palo Alto Networks’ Unit 42 threat intelligence team has been tracking the exploitation under the cluster designation CL-STA-1132, attributing it to a likely state-sponsored entity. The campaign demonstrated a meticulous approach, beginning with initial, unsuccessful exploitation attempts logged on April 9, 2026.
Within a week, attackers successfully achieved RCE and injected shellcode. Immediately following compromise, the threat actor engaged in aggressive forensic countermeasures, systematically deleting kernel crash messages, Nginx crash entries, and core dump files to obscure their presence. Four days after initial compromise, they deployed multiple tools with root privileges and initiated Active Directory enumeration, leveraging service account credentials harvested from the firewall to target the domain root and DomainDnsZones. Further efforts to reduce their footprint included deleting audit logs related to ptrace injection and SetUserID (SUID) privilege-escalation binaries.
On April 29, 2026, the attackers executed a SAML flood attack against the initially compromised device. This action caused a secondary device to assume an active role, inheriting the same internet-facing traffic configuration. Subsequently, RCE was achieved on this second device through the deployment of two open-source tunneling tools.
Post-Exploitation Tooling: Earthworm and ReverseSocks5
The attackers notably relied exclusively on publicly available tools, a strategic choice that likely aimed to minimize detection via signature-based security measures. Two primary tools were identified:
- EarthWorm: This open-source network tunneling tool, written in C, supports various platforms including Windows, Linux, macOS, and ARM/MIPS. It was utilized to establish covert SOCKS5 proxy tunnels and multi-hop cascaded network paths (MITRE ATT&CK T1090, T1572). Earthworm has previously been associated with other notable threat clusters, such as Volt Typhoon, APT41, UAT-8337, and CL-STA-0046.
- ReverseSocks5: This tool facilitated the establishment of outbound connections from compromised devices to an attacker-controlled command and control (C2) server. It effectively bypassed firewall and NAT restrictions, enabling the routing of traffic into the internal network via a SOCKS5 proxy tunnel.
Indicators of Compromise
Organizations should review their network logs and security telemetry for the following indicators of compromise (IoCs):
| Indicator | Type | Description |
|---|---|---|
| 67.206.213[.]86 | IP Address | Attacker Infrastructure |
| 136.0.8[.]48 | IP Address | Attacker Infrastructure |
| 146.70.100[.]69 | IP Address | C2 Staging Server |
| 149.104.66[.]84 | IP Address | Attacker Infrastructure |
| hxxp[:]//146.70.100[.]69:8000/php_sess | URL | EarthWorm Download URL |
| hxxps[:]//github[.]com/Acebond/ReverseSocks5/releases/download/v2.2.0/ReverseSocks5-v2.2.0-linux-amd64.tar[.]gz | URL | ReverseSocks5 Download URL |
| e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584 | SHA-256 Hash | EarthWorm Binary |
| Safari/532.31 Mozilla/5.5 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36 Edg/138.0.0.0 | User Agent | Attacker User Agent String |
| /var/tmp/linuxap, /var/tmp/linuxda, /var/tmp/linuxupdate | File Path | Tunneling Tool Artifacts |
| /tmp/.c | File Path | Unidentified Python Script |
| /tmp/R5, /var/R5 | File Path | ReverseSocks5 Binary Paths |
What You Should Do
- Apply Patches Immediately: Update your PAN-OS software to the latest patched versions as soon as they become available from Palo Alto Networks.
- Restrict Access to User-ID Authentication Portal: Limit access to the User-ID Authentication Portal to trusted internal network zones only.
- Disable Response Pages: On any L3 interface reachable from untrusted or internet-facing traffic, disable Response Pages within the Interface Management Profile.
- Disable the Authentication Portal: If the User-ID Authentication Portal is not an operational necessity for your environment, disable it entirely.
- Monitor for IoCs: Actively scan network traffic and system logs for the provided Indicators of Compromise (IoCs) to detect any signs of past or ongoing compromise.
- Review Firewall Configurations: Ensure that your firewall rules enforce strict network segmentation, particularly for management interfaces and critical services.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.