
Palo Alto Networks firewall zero-day exploited for nearly a month

Why This Matters

The exploitation of the Palo Alto Networks PAN-OS zero-day vulnerability highlights the ongoing threat posed by state-sponsored hackers targeting critical network infrastructure. This incident underscores the importance for organizations to prioritize timely patching and robust security measures to prevent unauthorized access and potential data breaches.

Key Takeaways

Palo Alto Networks warned customers that suspected state-sponsored hackers have been exploiting a critical-severity PAN-OS firewall zero-day vulnerability for nearly a month.

Tracked as CVE-2026-0300, this remote code execution security flaw was found in the PAN-OS User-ID Authentication Portal (also known as the Captive Portal) and stems from a buffer overflow vulnerability that allows unauthenticated attackers to execute arbitrary code with root privileges on Internet-exposed PA-Series and VM-Series firewalls.

"We are aware of only limited exploitation of CVE-2026-0300 at this time. Unit 42 is tracking CL-STA-1132, a cluster of likely state-sponsored threat activity exploiting CVE-2026-0300. The attacker behind this activity exploited CVE-2026-0300 to achieve unauthenticated remote code execution (RCE) in PAN-OS software," the company said.

"Starting April 9, 2026, there were unsuccessful exploitation attempts against a PAN-OS device. A week later, the attackers successfully achieved RCE against the device and injected shellcode. Following the compromise, the attackers immediately conducted log cleanup to mitigate detection by clearing crash kernel messages, deleting nginx crash entries and nginx crash records, as well as removing crash core dump files."
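The cleanup described in the quoted statement (clearing kernel crash messages, deleting nginx crash records, removing core dump files) only works against logs that live solely on the firewall. Once crash events have been forwarded to an external collector, deleting them on the device creates a discrepancy that a defender can alert on. The Python below is an added example of that comparison and is not code from the article or from Palo Alto Networks; the syslog-like line format, the host names and the crash-message wording are constructed assumptions for illustration, and real PAN-OS log exports differ.

```python
import re
from dataclasses import dataclass

# Constructed sample data standing in for (a) lines a remote collector received
# from the firewall in real time and (b) a later export taken from the device
# itself. The format is an assumption for this example, not a PAN-OS format.
FORWARDED_LOGS = """\
2026-04-16T10:02:11Z fw-edge-01 kernel: nginx[2241]: segfault at 0 ip 00007f3a2b1c0000 error 4 in nginx
2026-04-16T10:02:12Z fw-edge-01 nginx: [alert] worker process 2241 exited on signal 11 (core dumped)
2026-04-16T10:03:40Z fw-edge-01 kernel: nginx[2250]: segfault at 0 ip 00007f3a2b1c0000 error 4 in nginx
2026-04-16T10:03:41Z fw-edge-01 nginx: [alert] worker process 2250 exited on signal 11 (core dumped)
2026-04-16T10:05:00Z fw-edge-01 sshd: session opened for user admin
2026-04-16T10:06:19Z fw-edge-02 nginx: [notice] reload requested
"""
ONBOX_LOGS = """\
2026-04-16T10:05:00Z fw-edge-01 sshd: session opened for user admin
2026-04-16T10:06:19Z fw-edge-02 nginx: [notice] reload requested
"""

# "<timestamp> <host> <process>: <message>" (assumed layout of the sample lines)
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>[^:]+):\s+(?P<msg>.*)$")
# Indicators of a crashed worker; a failed memory-corruption attempt on a
# service typically leaves exactly this kind of trace.
CRASH_RE = re.compile(r"segfault|signal 11|core dumped|general protection", re.I)


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    proc: str
    msg: str


def parse(text):
    """Turn raw log text into Event records, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(**m.groupdict()))
    return events


def crash_events(events):
    """Keep only events whose message looks like a process crash."""
    return [e for e in events if CRASH_RE.search(e.msg)]


def missing_on_box(forwarded, onbox):
    """Events that reached the collector but no longer exist on the device."""
    onbox_set = set(onbox)
    return [e for e in forwarded if e not in onbox_set]


def triage(forwarded_text, onbox_text):
    """Summarise crash events seen off-box that have since vanished on-box."""
    crashes = crash_events(parse(forwarded_text))
    gone = missing_on_box(crashes, parse(onbox_text))
    return {
        "crash_events": len(crashes),
        "removed_on_box": len(gone),
        "suspect_hosts": sorted({e.host for e in gone}),
    }


if __name__ == "__main__":
    print(triage(FORWARDED_LOGS, ONBOX_LOGS))
```

Two alerts fall out of this: the crash burst itself, which is worth a look on any Internet-facing service regardless of what follows, and the later disappearance of those records from the device, which is the stronger signal because a legitimate administrator rarely removes crash evidence. The check only works if forwarding is already in place before the incident; logs that are only retained on the firewall cannot be compared with anything.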

After compromising the victims' firewalls, the attackers deployed the open-source EarthWorm and ReverseSocks5 network tunneling tools, which can be used to create SOCKS v5 servers and proxy tunnels on compromised devices, respectively.

The EarthWorm tool allows threat actors to set up covert communication across restricted networks, while ReverseSocks5 enables them to bypass NAT and firewalls by creating an outbound connection from a target machine to a controller. EarthWorm has previously been used in attacks linked to the CL-STA-0046, Volt Typhoon, UAT-8337, and APT41 Chinese-speaking threat groups.

Internet threat watchdog Shadowserver now tracks over 5,400 PAN-OS VM-series firewalls exposed on the Internet, most of them in Asia (2,466) and North America (1,998).

Palo Alto Networks VM-series firewalls exposed online (Shadowserver)

Palo Alto Networks told BleepingComputer yesterday that the flaw doesn't impact Cloud NGFW or Panorama appliances and that it's still working on releasing patches, with the first ones expected to roll out next Wednesday, May 13.

Until security updates are available, the company "strongly" advised customers to secure access to the PAN-OS User-ID Authentication Portal by restricting access to trusted zones only, or by disabling the portal if that's not possible, which mitigates the risk of this issue.
