Palo Alto Zero-Day Exploited in Campaign Bearing Hallmarks of Chinese State Hacking

Palo Alto Networks has shared some information on the exploitation of the recently disclosed zero-day vulnerability affecting some of its firewalls. The cybersecurity firm has not directly attributed the attack to a specific threat actor or country, but the evidence seems to point to China.

In an advisory published on May 6, Palo Alto Networks informed customers about CVE-2026-0300, a vulnerability affecting the User-ID Authentication Portal of PA and VM series firewalls. 

The company said the flaw, which allows unauthenticated remote code execution with root privileges, had been exploited as a zero-day. 

Patches are expected to be released on May 13 and May 28, and in the meantime the company has shared mitigations and workarounds to prevent exploitation. 

Shortly after CVE-2026-0300 was disclosed, Palo Alto Networks published a blog post describing the vulnerability’s exploitation in the wild. 

According to the company, a “likely state-sponsored” threat group tracked as CL-STA-1132 was behind the attack. First exploitation attempts were observed on April 9, but were unsuccessful. The vulnerability was successfully leveraged one week later for remote code execution and Nginx worker process shellcode injection.

“Following the compromise, the attackers immediately conducted log cleanup to mitigate detection by clearing crash kernel messages, deleting nginx crash entries and nginx crash records, as well as removing crash core dump files,” Palo Alto explained.

“The attackers deployed a number of tools with root privileges four days later, before conducting Active Directory (AD) enumeration using the firewall’s service account credentials to target domain root and DomainDnsZones. Following enumeration, the attackers deleted ptrace injection evidence from the audit log and deleted the SetUserID (SUID) privilege escalation binary,” it added.

The attackers deployed the open source Earthworm and ReverseSocks5 tools. The former is a network tunneling tool that enables attackers to establish a covert communications channel, while the latter allows them to bypass firewalls and NAT. 

The cybersecurity firm has stopped short of attributing the attacks to a specific country, but the evidence it has presented points to China as the main suspect. 

Earthworm and ReverseSocks5 have predominantly been used by Chinese APT groups, including Volt Typhoon and APT41. Log destruction has also often been observed during attacks attributed to Chinese threat actors. 

Active Directory targeting is also a hallmark of Chinese groups, though other nation-state hackers and cybercriminals use this technique as well. 

“The reliance of the attackers behind CL-STA-1132 on open-source tooling, rather than proprietary malware, minimized signature-based detection and facilitated seamless environment integration,” Palo Alto noted. “This technical choice, combined with a disciplined operational cadence of intermittent interactive sessions over a multi-week period, intentionally remained below the behavioral thresholds of most automated alerting systems.”

Related: Critical cPanel & WHM Vulnerability Exploited as Zero-Day for Months

Related: Microsoft Patches Exploited SharePoint Zero-Day and 160 Other Vulnerabilities

Related: Adobe Patches Reader Zero-Day Exploited for Months