Palo Alto Networks [CVE-2026-0300] Zero-Day Exploited by State-Sponsored Group
A critical zero-day vulnerability (CVE-2026-0300) in Palo Alto Networks' PAN-OS software, actively exploited by a likely state-sponsored actor since April 2026, gives unauthenticated attackers root privileges on affected firewalls. The buffer overflow, rated CVSS 9.3 (Critical), lies in the User-ID Authentication Portal and enables remote code execution (RCE) and deep network persistence.
What Happened
Palo Alto Networks disclosed CVE-2026-0300 on May 6, 2026, confirming active exploitation in the wild, as reported by BleepingComputer. The vulnerability is a buffer overflow within the User-ID Authentication Portal (also known as the Captive Portal) of PAN-OS. Attackers use specially crafted packets sent to internet-facing portals to trigger the flaw, gaining unauthenticated RCE with root privileges.
Initial exploitation attempts were detected as early as April 9, 2026, with successful RCE observed around April 16, 2026, according to SecurityWeek. CISA added CVE-2026-0300 to its Known Exploited Vulnerabilities (KEV) Catalog on May 7, 2026, requiring federal agencies to secure vulnerable systems by May 9, 2026. Palo Alto Networks states that the first patches are expected by May 13, 2026, with a second round estimated for May 28, 2026.
Why It Matters
This vulnerability grants root access to firewalls, which are critical network choke points. Palo Alto Networks attributes the exploitation to CL-STA-1132, a "likely state-sponsored" threat group, indicating a high level of sophistication and espionage objectives. These actors are not looking for a quick smash-and-grab; they are after long-term persistence and intelligence gathering.
Only PA-Series and VM-Series firewalls running PAN-OS are vulnerable, and only when configured to use the User-ID Authentication Portal and exposed to the public internet or untrusted IP addresses. Cloud NGFW and Panorama appliances are unaffected. Shadowserver observed over 5,400 PAN-OS VM-Series firewalls exposed on the internet as of May 7, 2026, with a significant concentration in Asia (2,466) and North America (1,998), per The Hacker News. If you run one of these, you are a target.

Technical Breakdown
The attack chain begins with unauthenticated attackers sending malformed packets to a vulnerable User-ID Authentication Portal. This triggers a buffer overflow that yields arbitrary code execution with root privileges, after which the actor injects shellcode. Immediate post-compromise actions focus on evasion: clearing crash kernel messages, deleting nginx crash entries and records, and removing crash core dump files, which aligns with T1070 Indicator Removal. The group then deploys the open-source tunneling tools Earthworm and ReverseSocks5, demonstrating T1105 Ingress Tool Transfer.
The primary objective appears to be initial access and persistence for espionage. Attackers use the firewall's service account credentials for Active Directory enumeration, leveraging T1078 Valid Accounts. They further cover their tracks by deleting ptrace injection evidence from audit logs and removing set-user-ID (SUID) privilege escalation binaries. Organizations should deploy EDR solutions such as CrowdStrike Falcon to detect these post-exploitation behaviors even when logs have been tampered with.
Apply patches promptly once they are released. Segment vulnerable services and limit their public exposure. Tools such as Cloudflare Zero Trust can help enforce stricter access policies on management interfaces and exposed portals, reducing the attack surface.
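The cleanup and tooling sequence described above is exactly the kind of behaviour that survives log tampering if command execution is recorded somewhere the actor does not control. The following detector is an added example, not code from this article or from Palo Alto Networks: it scans constructed Linux-style command audit records for the indicator-removal (T1070) and tool-transfer (T1105) patterns the article names, and raises the confidence when several cleanup commands are issued by root within a short window. The record format, file paths (`/var/crash`, `audit.log`), process names and time window are assumptions modelled on the article's description, not PAN-OS internals.

```python
"""Added example: a behaviour-based detector for the post-compromise
cleanup and tooling the article attributes to CL-STA-1132. It is not code
from the article or from Palo Alto Networks. The record format, the file
paths and the process names are assumptions modelled on the article's
description (generic Linux conventions), not PAN-OS internals."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    ts: int
    uid: int
    technique: str  # ATT&CK technique id the article names
    reason: str


# (technique, reason, pattern over the command line). The patterns are
# assumptions; a production rule would use the vendor's published paths.
RULES = [
    ("T1070", "crash/core dump removal",
     re.compile(r"\brm\b.*(\bcore(\.\d+)?\b|/crash/)", re.I)),
    ("T1070", "kernel ring buffer cleared",
     re.compile(r"\bdmesg\b.*(-c|--clear)\b")),
    ("T1070", "audit log truncated or deleted",
     re.compile(r"(\brm\b|\btruncate\b|>\s*).*audit\.log")),
    ("T1105", "known tunnelling tool executed",
     re.compile(r"\b(earthworm|ew_linux|ReverseSocks5)\b", re.I)),
]

# Constructed record format: "<epoch> uid=<uid> cmd=<command line>"
RECORD = re.compile(r"^(?P<ts>\d+)\s+uid=(?P<uid>\d+)\s+cmd=(?P<cmd>.*)$")

# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    "1714960000 uid=0 cmd=ls -la /var/crash",
    "1714960005 uid=0 cmd=rm -f /var/crash/core.21874",
    "1714960006 uid=0 cmd=dmesg -c",
    "1714960010 uid=0 cmd=rm -f /var/log/audit/audit.log",
    "1714960030 uid=0 cmd=/tmp/.cache/ew_linux",
    "1714960040 uid=1000 cmd=tail -n 50 /var/log/nginx/error.log",
    "not a valid record",
]


def scan(records):
    """Return one Finding per (record, rule) match; unparseable lines are skipped."""
    findings = []
    for n, raw in enumerate(records, start=1):
        m = RECORD.match(raw)
        if not m:
            continue
        for technique, reason, pattern in RULES:
            if pattern.search(m["cmd"]):
                findings.append(Finding(n, int(m["ts"]), int(m["uid"]), technique, reason))
    return findings


def summarize(records):
    """Count findings per technique id."""
    counts = {}
    for f in scan(records):
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


def cleanup_burst(records, window_seconds=300, min_hits=2):
    """True when at least `min_hits` T1070 findings by uid 0 fall inside one
    time window. A run of log-cleaning commands issued back to back by root
    is a far stronger signal than any single command on its own."""
    times = sorted(f.ts for f in scan(records) if f.technique == "T1070" and f.uid == 0)
    for i in range(len(times)):
        j = i
        while j < len(times) and times[j] - times[i] <= window_seconds:
            j += 1
        if j - i >= min_hits:
            return True
    return False


if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"line {f.line_no}: {f.technique} {f.reason}")
    print("cleanup burst:", cleanup_burst(SAMPLE_RECORDS))
```

The point of `cleanup_burst` is that the individual commands (removing a core file, clearing the kernel ring buffer) are each plausible administrative actions; their clustering under root immediately after an unexplained crash is what matches the article's description and is what an EDR or SIEM rule should key on. The records must come from a source that is shipped off the device as it is written, since the article notes the actor edits local audit logs.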
Historical Context
This incident closely mirrors the critical zero-day vulnerability CVE-2024-3400 in April 2024, which also affected Palo Alto Networks' GlobalProtect gateway. That flaw, rated CVSS 10.0, was similarly exploited by state-sponsored actors to install backdoors and exfiltrate data. Both incidents involve sophisticated groups targeting internet-facing PAN-OS components for root access and persistence.
The key similarity is the targeting of a perimeter device's public-facing component to gain initial access and establish persistence with high privileges. Both were zero-days, meaning no patch was available at the time of initial exploitation. The difference lies in the specific service targeted (GlobalProtect versus User-ID Authentication Portal) and the exact technical vulnerability type, though the outcome — unauthenticated RCE on the firewall — is strikingly similar. This ongoing pattern suggests these devices are high-value targets for state-sponsored espionage.
Data at a Glance
| Metric | Value | Source |
|---|---|---|
| CVSS Score | 9.3 | NVD |
| Affected Firewalls | 5,400+ exposed | The Hacker News |
| Initial Exploitation | April 9, 2026 | SecurityWeek |
| CISA KEV Addition | May 7, 2026 | CISA |
| Days to Patch | 41 days | BleepingComputer (from initial exploit to first patch release) |

Our Take
We're seeing a pattern here. State-sponsored actors are consistently targeting Palo Alto Networks' public-facing services, achieving root on firewalls. It's a clear indicator that these devices, while essential, represent a significant attack surface, especially when configured to expose additional services like User-ID portals to the internet. The speed with which CL-STA-1132 moved from initial attempts to successful RCE and evasion tactics is concerning. We can't rely solely on vendor-issued patches; robust network segmentation, proactive threat hunting, and strict external access controls are non-negotiable.
The CVEDaily Take
This PAN-OS zero-day confirms that even enterprise-grade security appliances require continuous vigilance. The sophistication of the CL-STA-1132 group and their immediate post-compromise cleanup routines demonstrate a persistent, high-end threat to network perimeters. Have you audited all internet-facing services on your network devices, specifically for public exposure of User-ID or Captive portals?
FAQ
Q: Which PAN-OS versions are affected by CVE-2026-0300?
A: Palo Alto Networks' advisory details specific affected versions of PAN-OS for PA-Series and VM-Series firewalls, along with unaffected versions like Cloud NGFW and Panorama appliances. Always check the official advisory for your exact version.
Q: What is the primary mitigation until patches are available for CVE-2026-0300?
A: Palo Alto Networks recommends disabling the User-ID Authentication Portal, ensuring it's not exposed to untrusted IPs or the public internet, or configuring an allow-list of trusted IPs that can access the portal interface. Block the associated IoC IP addresses at your perimeter where possible.
Q: Are there any specific Indicators of Compromise (IoCs) related to this exploitation?
A: Yes. Initial reports from BleepingComputer list IP addresses associated with malicious activity, including 136.144.17[.], 173.239.218[.]251, and 216.73.162[.]. Monitor your logs for connections to and from these IPs.
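The two FAQ answers above amount to two log checks: portal traffic from sources outside your trusted allow-list, and any traffic involving the published IoC addresses. The script below is an added example (not part of the article and not Palo Alto Networks tooling) that performs both over constructed firewall traffic log lines. It refangs the `[.]` notation, treats the two truncated IoC entries as prefix matches flagged "partial" (an assumption for triage; confirm the full addresses against the vendor advisory), and uses an assumed `app=user-id-portal` tag and assumed trusted ranges (`10.0.0.0/8`, `192.0.2.0/24`) since the article specifies neither.

```python
"""Added example: triage of constructed firewall traffic logs against the
article's IoC list and a portal allow-list. Not code from the article or
from Palo Alto Networks. Log format, the portal application tag and the
trusted ranges are assumptions for the example."""
import ipaddress
import re

# IoC list exactly as published in the article (defanged). Two entries are
# truncated in the source; this example treats a truncated entry as a
# prefix match and labels the hit "partial" (an assumption for triage).
IOCS = ["136.144.17[.]", "173.239.218[.]251", "216.73.162[.]"]

# Assumed trusted source ranges for the User-ID Authentication Portal.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]

# Assumed application tag that marks portal traffic in the constructed log.
PORTAL_APP = "user-id-portal"

# Constructed key=value log format (not the real PAN-OS traffic log schema).
RECORD = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+app=(?P<app>\S+)"
)

# Constructed sample lines (not real telemetry).
SAMPLE_LOG = [
    "2026-05-07T10:00:01Z src=10.20.30.40 dst=198.51.100.7 dport=443 app=user-id-portal",
    "2026-05-07T10:00:09Z src=173.239.218.251 dst=198.51.100.7 dport=443 app=user-id-portal",
    "2026-05-07T10:01:15Z src=136.144.17.88 dst=198.51.100.7 dport=443 app=user-id-portal",
    "2026-05-07T10:02:00Z src=198.51.100.7 dst=216.73.162.9 dport=8443 app=ssl",
    "2026-05-07T10:03:30Z src=203.0.113.55 dst=198.51.100.7 dport=443 app=web-browsing",
]


def refang(indicator):
    """Turn the defanged '[.]' form back into a dotted address or prefix."""
    return indicator.replace("[.]", ".")


def match_ioc(ip, iocs=IOCS):
    """Return (ioc, exact) if `ip` matches an IoC, else None.
    A refanged entry ending in '.' is a truncated prefix: the trailing dot
    keeps 136.144.17. from matching 136.144.170.x."""
    for ioc in iocs:
        r = refang(ioc)
        if r.endswith("."):
            if ip.startswith(r):
                return ioc, False
        elif ip == r:
            return ioc, True
    return None


def is_trusted(ip):
    """True if `ip` falls inside one of the allow-listed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED)


def triage(lines):
    """Return (line_no, kind, detail) alerts for IoC hits, portal access from
    untrusted sources, and lines the parser could not read."""
    alerts = []
    for n, line in enumerate(lines, start=1):
        m = RECORD.search(line)
        if not m:
            alerts.append((n, "unparseable", line))
            continue
        src, dst, app = m["src"], m["dst"], m["app"]
        for ip, role in ((src, "src"), (dst, "dst")):
            hit = match_ioc(ip)
            if hit:
                ioc, exact = hit
                kind = "ioc-%s-%s" % (role, "exact" if exact else "partial")
                alerts.append((n, kind, ioc))
        if app == PORTAL_APP and not is_trusted(src):
            alerts.append((n, "portal-from-untrusted", src))
    return alerts


if __name__ == "__main__":
    for n, kind, detail in triage(SAMPLE_LOG):
        print(f"line {n}: {kind} {detail}")
```

Partial hits are deliberately kept separate from exact hits so an analyst can treat them as leads rather than confirmed matches; the "portal-from-untrusted" alert is the signal that the allow-list mitigation in the FAQ has not actually been applied, regardless of whether the source is a known IoC.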