
Palo Alto Networks says patch for exploited PAN-OS firewall bug forthcoming


Palo Alto Networks has acknowledged that a bug in its PAN-OS software was exploited in the wild by a state-sponsored actor for the past month and reportedly plans to release the first series of patches May 13.

The bug — CVE-2026-0300 — was described as a buffer overflow vulnerability in Palo Alto’s User-ID Authentication Portal in the PAN-OS software that’s letting attackers execute arbitrary code with root privileges on its PA-Series and VM-Series firewalls.

Palo Alto Unit 42 researchers said in a May 6 blog post they were aware of only limited exploitation of CVE-2026-0300. The researchers said Unit 42 was now tracking CL-STA-1132, a cluster of likely state-sponsored threat activity exploiting the PAN-OS bug.

“The attacker behind this activity exploited CVE-2026-0300 to achieve unauthenticated remote code execution in PAN-OS software,” wrote the researchers. “Upon successful exploitation, the attacker was able to inject shellcode into an nginx worker process.”

On May 6, the Cybersecurity and Infrastructure Security Agency (CISA) added the PAN-OS bug to its Known Exploited Vulnerabilities (KEV) catalog. Shadowserver also posted that there were more than 5,400 VM-series firewalls exposed on the internet, the vast majority in Asia and North America.

Collin Hogue-Spears, senior director of solution management at Black Duck, said teams need to treat every internet-exposed PA-Series and VM-Series firewall as a compromise candidate until forensics prove otherwise. Hogue-Spears pointed out that CL-STA-1132 had weeks of root access before disclosure.

Hogue-Spears said CL-STA-1132 probed exposed PAN-OS firewalls April 9 through mid-April. Once the attackers had root through the User-ID Authentication Portal, they injected shellcode into an nginx worker process and deleted the crash logs, core dumps, and ptrace evidence that would have flagged the intrusion. Then they deployed EarthWorm and ReverseSocks5 tunnels for outbound C2, enumerated Active Directory with firewall-linked service accounts, and triggered SAML floods to force high-availability failover so they could repeat the whole chain on the secondary firewall.

“Palo Alto's advisory dropped May 4,” said Hogue-Spears. “From first probing to public disclosure, the campaign ran nearly a month. Five thousand exposed firewalls did not mean 5,000 targets. CL-STA-1132 picked, and the exposed population created the cover.”

Yagub Rahimov, chief executive officer at Polygraf AI, said that we've seen state-sponsored actors work through many edge device vendors since 2024 more than once — Ivanti, Fortinet, Check Point, Cisco, and Palo Alto — while exploit time went down from weeks to days.

“CVE-2026-0300 has the same pattern,” said Rahimov. “Unauthenticated root-level RCE on a device sitting at the network perimeter, and the attackers came back a week after failing the first time and tried again. This is clearly a targeted operation.”

Rahimov said the Ivanti zero-days from early 2024 come to mind. In that case, thousands of devices were compromised before patches were available and log review was unreliable because attackers had manipulated the logging infrastructure.

“Same situation now,” said Rahimov. “The first thing CL-STA-1132 did after getting in was clean the logs (crash entries, nginx records, core dump files). The suggested response right now is to restrict or disable the Authentication Portal, hunt for EarthWorm signatures and outbound SOCKS proxy connections on your network traffic, and segment your network so a compromised perimeter device can't move freely behind it.”

Andi Ursry, threat intelligence analyst at Blackpoint Cyber, said we’re looking at a serious threat because it targets internet-facing network edge devices, which are the critical gatekeepers between internal networks and the internet. Ursry said these devices manage and filter traffic, enforce security policies, and often deliver remote access capabilities, making them high-value targets for threat actors.

“If attackers gain access to a firewall, they may be able to move deeper into the environment, steal credentials, or maintain persistence,” said Ursry. “The fact that exploitation may have started weeks before public reporting also raises concern around undetected compromise.”
