Critical PAN-OS buffer overflow in User-ID portal under attack

CyberSecureFox Editorial Team

Palo Alto Networks has confirmed limited active exploitation of the critical vulnerability CVE-2026-0300 in its PAN-OS software. This buffer overflow vulnerability in the User-ID Authentication Portal service allows an unauthenticated attacker to execute arbitrary code with root privileges by sending specially crafted network packets. According to researchers, the first exploitation attempts were observed on April 9, 2026, and patches are not expected to be released before May 13, 2026. All organizations using affected devices must immediately restrict access to the User-ID Authentication Portal or disable it entirely.

Technical details of the vulnerability

The vulnerability CVE-2026-0300 has been assigned CVSS scores of 9.3/8.7 (the discrepancy in scores is likely related to differences between the base and temporal CVSS metrics). Regardless of the exact value, both scores classify the vulnerability as critical.

Key characteristics:

  • Vulnerability type: buffer overflow
  • Affected component: User-ID Authentication Portal service in PAN-OS
  • Attack vector: network, no authentication required
  • Impact of exploitation: arbitrary code execution with root privileges
  • Exploitation status: confirmed active exploitation in real-world attacks
  • Patch status: fixes expected starting May 13, 2026

Reportedly, upon successful exploitation an attacker can inject shellcode into the nginx worker process on the compromised device. This gives the attacker full control over the firewall — a device that by definition occupies a privileged position at the network perimeter.

Attack timeline and post-exploitation actions

According to the Unit 42 division of Palo Alto Networks, the incident timeline is as follows:

  1. April 9, 2026 — the first unsuccessful attempts to exploit the vulnerability on a PAN-OS device were recorded
  2. Approximately a week later — the attackers achieved successful remote code execution and injected shellcode into the nginx process
  3. April 29, 2026 — additional EarthWorm and ReverseSocks5 tools were deployed on a second compromised device

Immediately after gaining initial access, the attackers took deliberate steps to cover their tracks: they cleared kernel crash dump messages, deleted nginx crash records and core dump files. This behavior indicates a high level of operational discipline and awareness of PAN-OS logging mechanisms.

Post-exploitation activity included enumeration of Active Directory objects — a classic step for reconnaissance of internal infrastructure and preparation for lateral movement. Deployment of the EarthWorm and ReverseSocks5 tunneling tools on the second device indicates an intention to maintain persistence in the network and establish a covert communication channel with their command infrastructure.

Threat context

Palo Alto Networks is tracking this activity under the identifier CL-STA-1132 and describes the cluster as believed to be linked to a state-sponsored actor of unknown origin. It should be emphasized that this attribution rests on a single source and has not been confirmed by independent research, so it should be treated with caution.

Nevertheless, the tactical tradecraft of the attack deserves attention. As Unit 42 researchers note, the attackers relied on open-source tools instead of proprietary malware. This approach minimizes signature-based detection and allows them to blend into legitimate network traffic. In addition, the attackers used intermittent interactive sessions over the course of several weeks, deliberately staying below the behavioral thresholds of most automated alerting systems.

This incident fits into a persistent trend observed over the past five years: according to Unit 42, state-sponsored groups engaged in cyber espionage are increasingly targeting edge network devices — firewalls, routers, IoT devices, hypervisors and VPN solutions. Such devices provide privileged access while often lacking the comprehensive monitoring and security agents typical for standard endpoints.

Impact assessment

The vulnerability poses a critical threat to any organization where the User-ID Authentication Portal service is accessible from untrusted network segments. Successful compromise of a firewall with root privileges effectively gives an attacker control over a key point in the network infrastructure, which can lead to:

  • Interception and modification of network traffic
  • Bypassing all security policies enforced on the device
  • Lateral movement into internal network segments
  • Compromise of Active Directory credentials
  • Establishment of long-term covert presence in the infrastructure

The highest risk is faced by organizations with publicly accessible User-ID Authentication Portals, as well as those that are unable to promptly restrict network access to this service.

Practical recommendations

Until official fixes are released (expected starting May 13, 2026), the following measures must be taken:

  • Immediately restrict access to the User-ID Authentication Portal service, allowing connections only from trusted network zones
  • Completely disable the service if it is not used in the current configuration
  • Review logs for anomalous nginx process crashes, unexplained clearing of core dumps and suspicious connections to the authentication portal starting from April 9, 2026
  • Audit Active Directory for unauthorized enumeration requests, especially if they originate from network devices
  • Check for the presence of EarthWorm and ReverseSocks5 tools in the network infrastructure — their presence may indicate compromise
  • Strengthen monitoring of outbound connections from edge devices, paying attention to unusual SOCKS proxies and tunnels
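The log-review items above can be turned into a small triage pass. The script below is an added example written for this article, not code from Palo Alto Networks or the original post; it runs over constructed, syslog-style sample lines (not PAN-OS's real log format) and assumes a trusted zone of 10.0.0.0/8 and the April 9, 2026 start of the exposure window. It flags nginx crashes, cleared core dumps, and portal connections from outside the trusted zone.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in a generic syslog-like layout (not PAN-OS's real
# log format). Timestamps, host name and addresses are all made up.
SAMPLE_LOGS = [
    "2026-04-08T09:12:01 fw01 userid-portal conn from 203.0.113.7",
    "2026-04-10T02:14:33 fw01 userid-portal conn from 203.0.113.7",
    "2026-04-10T02:14:35 fw01 kernel: nginx[2211]: segfault at 0 (core dumped)",
    "2026-04-10T02:16:02 fw01 shell: rm -f /var/cores/core.nginx.2211",
    "2026-04-11T08:00:00 fw01 userid-portal conn from 10.1.2.3",
    "2026-04-17T23:41:10 fw01 kernel: nginx[2398]: segfault at 0 (core dumped)",
]

# Assumed trusted zone; only these sources should ever reach the portal.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# First observed exploitation attempts (from the advisory timeline).
EXPOSURE_START = datetime(2026, 4, 9)

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (\S+) (.*)$")
PORTAL_RE = re.compile(r"userid-portal conn from (\d+\.\d+\.\d+\.\d+)")
CLEAR_RE = re.compile(r"\b(rm|unlink|delete)\b.*\bcore")


def triage(lines, trusted_nets=TRUSTED_NETS, since=EXPOSURE_START):
    """Return (timestamp, category, message) for each suspicious line at or
    after the start of the exposure window; lines before it are ignored."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines we cannot parse rather than guess
        ts, msg = datetime.fromisoformat(m.group(1)), m.group(3)
        if ts < since:
            continue
        low = msg.lower()
        if "nginx" in low and ("segfault" in low or "core dumped" in low or "crash" in low):
            findings.append((ts, "nginx_crash", msg))
        elif CLEAR_RE.search(low):
            findings.append((ts, "coredump_cleared", msg))
        else:
            pm = PORTAL_RE.search(msg)
            if pm and not any(ipaddress.ip_address(pm.group(1)) in n for n in trusted_nets):
                findings.append((ts, "portal_untrusted_src", msg))
    return findings


def summarize(findings):
    """Count findings per category, e.g. {'nginx_crash': 2, ...}."""
    return dict(Counter(kind for _, kind, _ in findings))
```

Adapting it to real devices means replacing the regexes with patterns for the actual log sources exported from the firewall and SIEM, and the trusted-zone list with the organization's own address plan.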

Given the confirmed active exploitation and the absence of a patch, the window of exposure remains open at least until May 13, 2026. Organizations using affected versions of PAN-OS should treat restricting access to the User-ID Authentication Portal as a priority action requiring immediate execution. Once updates are released, they should apply the patch as quickly as possible and conduct a retrospective analysis for potential compromise covering the period between April 9 and the date the fix is installed.

