Nation-state actors exploit Palo Alto PAN-OS zero-day for weeks
May 07, 2026 
Palo Alto says hackers exploited PAN-OS zero-day CVE-2026-0300 for weeks, gaining root access to exposed firewalls and hiding traces.
Palo Alto Networks warned that suspected state-sponsored hackers have been exploiting the critical PAN-OS zero-day CVE-2026-0300 for nearly a month. After exploiting the flaw, attackers deployed tunneling tools such as EarthWorm and ReverseSocks5, used stolen credentials to probe Active Directory, and deleted logs and other evidence to hide the intrusion.
“We are aware of only limited exploitation of CVE-2026-0300 at this time. Unit 42 is tracking CL-STA-1132, a cluster of likely state-sponsored threat activity exploiting CVE-2026-0300. The attacker behind this activity exploited CVE-2026-0300 to achieve unauthenticated remote code execution (RCE) in PAN-OS software. Upon successful exploitation, the attacker was able to inject shellcode into an nginx worker process.” reads the advisory by the cybersecurity vendor. “Post-exploitation activity includes deployment of publicly available tunneling tools (EarthWorm, ReverseSocks5), Active Directory enumeration using credentials likely obtained from the firewall, and the systematic destruction of logs and other evidence of compromise.”
EarthWorm has been used in past attacks associated with several China-linked threat actors, including , APT41, CL-STA-0046, and Volt Typhoon.
The flaw is a buffer overflow that allows unauthenticated remote code execution, especially when the User-ID portal is exposed to the internet.
“A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.” reads the advisory published by Palo Alto Networks. “The risk of this issue is greatly reduced if you secure access to the User-ID™ Authentication Portal per the best practice guidelines by restricting access to only trusted internal IP addresses.”
This week, Palo Alto Networks has warned that the critical PAN-OS vulnerability CVE-2026-0300 is actively exploited in the wild.
Below is the list of impacted products:
| Versions | Affected | Unaffected |
|---|---|---|
| Cloud NGFW | None | All |
| PAN-OS 12.1 | < 12.1.4-h5 < 12.1.7 |
>= 12.1.4-h5 (ETA: 05/13) >= 12.1.7 (ETA: 05/28) |
| PAN-OS 11.2 | < 11.2.4-h17 < 11.2.7-h13 < 11.2.10-h6 < 11.2.12 |
>= 11.2.4-h17 (ETA: 05/28) >= 11.2.7-h13 (ETA: 05/13) >= 11.2.10-h6 (ETA: 05/13) >= 11.2.12 (ETA: 05/28) |
| PAN-OS 11.1 | < 11.1.4-h33 < 11.1.6-h32 < 11.1.7-h6 < 11.1.10-h25 < 11.1.13-h5 < 11.1.15 |
>= 11.1.4-h33 (ETA: 05/13) >= 11.1.6-h32 (ETA: 05/13) >= 11.1.7-h6 (ETA: 05/28) >= 11.1.10-h25 (ETA: 05/13) >= 11.1.13-h5 (ETA: 05/13) >= 11.1.15 (ETA: 05/28) |
| PAN-OS 10.2 | < 10.2.7-h34 < 10.2.10-h36 < 10.2.13-h21 < 10.2.16-h7 < 10.2.18-h6 |
>= 10.2.7-h34 (ETA: 05/28) >= 10.2.10-h36 (ETA: 05/13) >= 10.2.13-h21 (ETA: 05/28) >= 10.2.16-h7 (ETA: 05/28) >= 10.2.18-h6 (ETA: 05/13) |
| Prisma Access | None | All |
The cybersecurity vendor states that the issue doesn’t impact Prisma Access, Cloud NGFW and Panorama appliances.
Palo Alto Networks says the flaw is being exploited in a limited way, mainly against systems where the User-ID Authentication Portal is exposed to the public internet.
The flaw remains unpatched, with fixes expected from May 13, 2026. It affects PA-Series and VM-Series firewalls using the User-ID Authentication Portal. Palo Alto Networks notes risk is much lower for organizations that follow best practices, like limiting access to trusted internal networks only.
“Limited exploitation has been observed targeting Palo Alto Networks User-ID™ Authentication Portals that are exposed to untrusted IP addresses and/or the public internet.” concludes the advisory. “Customers following standard security best practices, such as restricting sensitive portals to trusted internal networks are at a greatly reduced risk.”
EarthWorm is an open-source tunneling tool written in C that works across Windows, Linux, macOS, and ARM/MIPS platforms. It acts as a SOCKS5 proxy and port-forwarding utility, enabling attackers to create covert communication channels, bypass network restrictions, and move laterally within compromised environments. Its features include forward and reverse SOCKS5 tunnels, port bridging, traffic forwarding, and multi-hop tunneling for protocols such as RDP and SSH. The tool has previously been linked to threat groups including Volt Typhoon and APT41.
ReverseSocks5 is another open-source networking tool designed to bypass firewalls and NAT protections by creating outbound connections from compromised systems to attacker-controlled servers. Once connected, it establishes a SOCKS5 proxy tunnel that allows remote access into the internal network. While commonly used by administrators for legitimate remote management, threat actors also abuse it for stealthy pivoting and post-compromise operations.
“The reliance of the attackers behind CL-STA-1132 on open-source tooling, rather than proprietary malware, minimized signature-based detection and facilitated seamless environment integration. This technical choice, combined with a disciplined operational cadence of intermittent interactive sessions over a multi-week period, intentionally remained below the behavioral thresholds of most automated alerting systems.” concludes Palo Alto Networks. “The lateral movement technique prioritized identity trust abuse over traditional network-layer pivoting, effectively reducing the attacker’s footprint. Consequently, this campaign demonstrates that operational restraint—specifically the use of non-persistent access windows—is a primary factor in maintaining long-term residency on edge infrastructure.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, PAN-OS)
Stephan is the sports journalist for the Maple Grove Report.
