Palo Alto Networks firewall zero-day exploited for nearly a month
Palo Alto Networks warned customers that suspected state-sponsored hackers have been exploiting a critical-severity PAN-OS firewall zero-day vulnerability for nearly a month.

Aggregated from BleepingComputer

Tracked as CVE-2026-0300, this remote code execution security flaw was found in the PAN-OS User-ID Authentication Portal (also known as the Captive Portal) and stems from a buffer overflow vulnerability that allows unauthenticated attackers to execute arbitrary code with root privileges on Internet-exposed PA-Series and VM-Series firewalls.
"We are aware of only limited exploitation of CVE-2026-0300 at this time. Unit 42 is tracking CL-STA-1132, a cluster of likely state-sponsored threat activity exploiting CVE-2026-0300. The attacker behind this activity exploited CVE-2026-0300 to achieve unauthenticated remote code execution (RCE) in PAN-OS software," the company said.
"Starting April 9, 2026, there were unsuccessful exploitation attempts against a PAN-OS device. A week later, the attackers successfully achieved RCE against the device and injected shellcode. Following the compromise, the attackers immediately conducted log cleanup to mitigate detection by clearing crash kernel messages, deleting nginx crash entries and nginx crash records, as well as removing crash core dump files."
After compromising the victims' firewalls, the attackers deployed the open-source EarthWorm and ReverseSocks5 network tunneling tools, which can be used to create SOCKS v5 servers and proxy tunnels on compromised devices, respectively.
The EarthWorm tool allows threat actors to set up covert communication across restricted networks, while ReverseSocks5 enables them to bypass NAT and firewalls by creating an outbound connection from a target machine to a controller. EarthWorm has previously been used in attacks linked to the CL-STA-0046, Volt Typhoon, UAT-8337, and APT41 Chinese-speaking threat groups.
Internet threat watchdog Shadowserver now tracks over 5,400 PAN-OS VM-Series firewalls exposed on the Internet, most of them in Asia (2,466) and North America (1,998).

Palo Alto Networks told BleepingComputer yesterday that the flaw doesn't impact Cloud NGFW or Panorama appliances and that it's still working on releasing patches, with the first ones expected to roll out next Wednesday, May 13.
Until security updates are available, the company "strongly" advised customers to secure access to the PAN-OS User-ID Authentication Portal by restricting access to trusted zones only, or by disabling the portal if that's not possible, which mitigates the risk of this issue.
Admins can quickly check whether their firewalls are configured to use the vulnerable service from the User-ID Authentication Portal Settings page, found under Device > User Identification > Authentication Portal Settings > Enable Authentication Portal.
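For fleets too large to click through one web UI at a time, the same check can be run offline against each firewall's exported configuration. The script below is an added example, not Palo Alto Networks code: it parses a PAN-OS configuration export and reports, per virtual system, whether the Authentication Portal (Captive Portal) is enabled and in which mode. The element names `vsys/entry/captive-portal/enable-captive-portal` and `captive-portal/mode` are assumptions based on the PAN-OS CLI naming; verify them against your own export before relying on the result. The sample XML is constructed for the example.

```python
"""Audit an exported PAN-OS configuration for an enabled User-ID Authentication
Portal (Captive Portal).

Added example, not vendor code. Element names under <captive-portal> are an
assumption; confirm them against a real `show config running` export.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample export: vsys1 has the portal enabled in redirect mode,
# vsys2 has it explicitly disabled, vsys3 has no captive-portal stanza at all.
SAMPLE_CONFIG = """<config version="11.1.0">
  <devices>
    <entry name="localhost.localdomain">
      <vsys>
        <entry name="vsys1">
          <captive-portal>
            <enable-captive-portal>yes</enable-captive-portal>
            <mode>
              <redirect><redirect-host>portal.example.internal</redirect-host></redirect>
            </mode>
          </captive-portal>
        </entry>
        <entry name="vsys2">
          <captive-portal>
            <enable-captive-portal>no</enable-captive-portal>
          </captive-portal>
        </entry>
        <entry name="vsys3"/>
      </vsys>
    </entry>
  </devices>
</config>
"""


def audit_auth_portal(config_xml: str) -> list:
    """Return one finding per vsys: {'vsys', 'enabled', 'mode'}.

    A missing <captive-portal> stanza or a missing <enable-captive-portal>
    element is treated as disabled, which matches the default state.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for vsys in root.iterfind("devices/entry/vsys/entry"):
        name = vsys.get("name", "?")
        cp = vsys.find("captive-portal")
        enabled = False
        mode = "unset"
        if cp is not None:
            flag = (cp.findtext("enable-captive-portal") or "no").strip().lower()
            enabled = flag == "yes"
            mode_el = cp.find("mode")
            if mode_el is not None:
                # The mode is encoded as the tag name of the single child
                # element (e.g. <redirect/> or <transparent/>), per assumption.
                mode = next((child.tag for child in mode_el), "unset")
        findings.append({"vsys": name, "enabled": enabled, "mode": mode})
    return findings


def exposed_vsys(findings: list) -> list:
    """Names of virtual systems still serving the Authentication Portal."""
    return [f["vsys"] for f in findings if f["enabled"]]


def main(argv: list) -> int:
    # Usage: python audit_portal.py [running-config.xml]
    # With no argument the constructed sample is audited.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            config_xml = fh.read()
    else:
        config_xml = SAMPLE_CONFIG
    findings = audit_auth_portal(config_xml)
    for f in findings:
        state = "ENABLED" if f["enabled"] else "disabled"
        print(f"{f['vsys']}: authentication portal {state} (mode: {f['mode']})")
    exposed = exposed_vsys(findings)
    # Non-zero exit makes the script usable as a gate in a fleet-wide sweep.
    return 1 if exposed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against each device's exported running configuration; a non-zero exit flags devices where the portal is still enabled and therefore needs to be restricted to trusted zones or turned off per the vendor's interim guidance.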
On Wednesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) also added the CVE-2026-0300 zero-day to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to secure vulnerable firewalls by Saturday midnight, May 9.
These CVE-2026-0300 zero-day attacks are part of a broader trend in which threat groups are targeting edge network devices (e.g., firewalls, hypervisors, routers, and VPN software), which often lack the logging and security software that protect endpoints.
In February, CISA also issued Binding Operational Directive 26-02, which requires U.S. government agencies to remove network edge devices that no longer receive security updates from manufacturers.