Palo Alto firewall zero-day exploited for weeks

Summary
– A critical PAN-OS firewall zero-day (CVE-2026-0300) has been exploited by suspected state-sponsored hackers since April 9, 2026, allowing unauthenticated remote code execution with root privileges.
– The attackers successfully compromised a device on April 16, injected shellcode, and then cleared logs and crash files to avoid detection.
– After compromise, the attackers deployed Earthworm and ReverseSocks5 tunneling tools, which are associated with Chinese-speaking threat groups like Volt Typhoon and APT41.
– Over 5,400 PAN-OS VM-series firewalls are exposed online, with patches expected to roll out starting May 13; Cloud NGFW and Panorama appliances are not affected.
– CISA added the vulnerability to its Known Exploited Vulnerabilities catalog, ordering federal agencies to secure vulnerable firewalls by May 9.
Suspected state-sponsored threat actors have been exploiting a critical PAN-OS firewall zero-day vulnerability for nearly a month, Palo Alto Networks confirmed this week. The security flaw, tracked as CVE-2026-0300, resides in the User-ID Authentication Portal (also called the Captive Portal) and enables unauthenticated attackers to achieve remote code execution with root privileges on internet-exposed PA-Series and VM-Series firewalls.
The vulnerability stems from a buffer overflow condition in PAN-OS software. Palo Alto’s threat intelligence unit, Unit 42, is tracking the activity under CL-STA-1132, describing it as a cluster of likely state-sponsored threat activity. “The attacker behind this activity exploited CVE-2026-0300 to achieve unauthenticated remote code execution (RCE) in PAN-OS software,” the company stated.
According to the advisory, the first unsuccessful exploitation attempts began on April 9, 2026. One week later, attackers successfully achieved RCE against a PAN-OS device and injected shellcode. Immediately after compromise, they conducted log cleanup to evade detection, clearing crash kernel messages, deleting nginx crash entries and records, and removing crash core dump files.
Once inside, the attackers deployed two open-source network tunneling tools: Earthworm and ReverseSocks5. Earthworm enables covert communication across restricted networks, while ReverseSocks5 allows attackers to bypass NAT and firewalls by initiating an outbound connection from the target machine to a controller. Earthworm has previously been linked to Chinese-speaking threat groups including CL-STA-0046, Volt Typhoon, UAT-8337, and APT41.
Shadowserver, an internet threat watchdog, now tracks more than 5,400 PAN-OS VM-series firewalls exposed on the internet, with the highest concentrations in Asia (2,466) and North America (1,998).
Palo Alto Networks told BleepingComputer that the flaw does not affect Cloud NGFW or Panorama appliances. Patches are still in development, with the first batch expected to roll out on Wednesday, May 13. Until updates are available, the company “strongly” advises customers to restrict access to the User-ID Authentication Portal to trusted zones only, or disable the portal entirely if that is not feasible.
Administrators can check whether their firewalls use the vulnerable service by navigating to Device > User Identification > Authentication Portal Settings and verifying that the “Enable Authentication Portal” option is active.
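For fleets too large to click through the GUI, the same check can be run against an exported running configuration. The script below is an added example, not code from the advisory or from Palo Alto Networks; it assumes the Authentication Portal is stored under each vsys as a `captive-portal` node with an `enable-captive-portal` flag, which should be confirmed against your own export.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a PAN-OS running-config export. The element names
# (captive-portal / enable-captive-portal under each vsys entry) are an
# assumption about the config schema, not taken from the advisory.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys>
    <entry name="vsys1">
      <captive-portal>
        <enable-captive-portal>yes</enable-captive-portal>
        <mode>redirect</mode>
      </captive-portal>
    </entry>
    <entry name="vsys2">
      <captive-portal>
        <enable-captive-portal>no</enable-captive-portal>
      </captive-portal>
    </entry>
    <entry name="vsys3"/>
  </vsys></entry></devices>
</config>"""


def portal_status(config_xml: str) -> dict:
    """Map each vsys name to True if the Authentication Portal (captive
    portal) is enabled. A vsys with no captive-portal node counts as disabled."""
    root = ET.fromstring(config_xml)
    status = {}
    for vsys in root.findall("./devices/entry/vsys/entry"):
        flag = vsys.findtext("./captive-portal/enable-captive-portal", default="no")
        status[vsys.get("name")] = flag.strip().lower() == "yes"
    return status


def exposed_vsys(config_xml: str) -> list:
    """Virtual systems with the portal enabled, i.e. the ones that need the
    interim mitigation (restrict to trusted zones, or disable the portal)."""
    return sorted(name for name, on in portal_status(config_xml).items() if on)


if __name__ == "__main__":
    for name, on in portal_status(SAMPLE_CONFIG).items():
        print(f"{name}: Authentication Portal {'ENABLED' if on else 'disabled'}")
    print("needs mitigation:", exposed_vsys(SAMPLE_CONFIG))
```

Feed it the XML returned by a config export instead of `SAMPLE_CONFIG` to audit a real device.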
On Wednesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-0300 to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to secure vulnerable firewalls by Saturday, May 9.
These attacks are part of a broader trend in which threat groups increasingly target edge network devices such as firewalls, hypervisors, routers, and VPN software. These devices often lack the logging and endpoint security tools that protect traditional systems. In February, CISA issued Binding Operational Directive 26-02, requiring U.S. government agencies to remove network edge devices that no longer receive security updates from their manufacturers.
(Source: BleepingComputer)