A critical buffer overflow vulnerability in Palo Alto Networks firewalls has been under active exploitation by a suspected state-sponsored threat group for nearly a month. CVE-2026-0300, a zero-day affecting the User-ID Authentication Portal (Captive Portal) on PA-Series and VM-Series firewalls, allows unauthenticated remote code execution [2]. CISA added it to the Known Exploited Vulnerabilities catalog on May 6, 2026, giving federal agencies until May 9 to patch or mitigate [2][3].
Unit 42 tracks the activity as CL-STA-1132, describing it as "a cluster of likely state-sponsored threat activity" [1]. The attackers' initial attempts on April 9, 2026 failed. A week later, they successfully achieved RCE and injected shellcode into an nginx worker process [1]. From there, the operation expanded into Active Directory enumeration, covert tunneling, and systematic evidence destruction.
Background: The Vulnerability
CVE-2026-0300 is a buffer overflow in the User-ID Authentication Portal service [2]. Palo Alto Networks rates it at CVSS 9.3 when the portal is exposed to the internet, dropping to 8.7 for internal-only deployments [2]. The vulnerability exists in devices running PAN-OS on PA-Series and VM-Series hardware where the User-ID Authentication Portal is enabled [2].
The company acknowledged "limited exploitation" targeting portals exposed to untrusted IP addresses and the public internet [2]. Palo Alto Networks released a Threat Prevention signature, Threat ID 510019, available in Applications and Threats content version 9097-10022 [2]. Organizations with a Threat Prevention subscription can deploy this signature to block exploitation attempts.
CL-STA-1132: The Threat Actor
Unit 42's CL-STA-1132 designation covers the specific cluster of activity tied to CVE-2026-0300 exploitation [1]. The group's tooling choices indicate strategic considerations. Their primary tunneling tool, EarthWorm, is an open-source network tunneling utility written in C that supports Windows, Linux, macOS, and ARM/MIPS platforms [4]. EarthWorm has previously been linked to Volt Typhoon, APT41, UAT-8337, and CL-STA-0046 [1][4].
The overlap with these threat clusters suggests potential connections that warrant further investigation. Volt Typhoon is assessed to be a Chinese state-sponsored group known for targeting critical infrastructure. APT41 is assessed to operate as a dual-purpose espionage and financially motivated group with reported ties to Chinese state interests. The deliberate use of open-source tools like EarthWorm and ReverseSocks5 aligns with a broader pattern: minimizing signature-based detection by avoiding custom malware [4].
Initial Access and RCE
Exploitation attempts began April 9, 2026, but these initial efforts were unsuccessful [1][3]. The attackers returned approximately one week later, this time successfully achieving remote code execution by injecting shellcode into an nginx worker process running on the targeted PAN-OS device [1]. The vulnerability's location in the Captive Portal service means any device exposing this service to untrusted networks is a viable target.
Post-Exploitation: Enumeration and Credential Abuse
Once inside, the attackers used service account credentials to enumerate Active Directory [1][3]. This is a natural progression: PAN-OS firewalls often hold service account credentials with broad network visibility, and compromising one gives an attacker a privileged vantage point for mapping the entire domain.
Tunneling and Persistence
The group deployed two tunneling tools for covert communications. EarthWorm was used to establish SOCKS5 proxy tunnels [4]. ReverseSocks5, downloaded from a public GitHub release, provided additional capability for bypassing firewalls and NAT [1]. Both tools were placed in /var/tmp/ under innocuous-sounding filenames: linuxap, linuxda, and linuxupdate [1].
SAML Flood and HA Manipulation
On April 29, 2026, the attackers executed a SAML flood attack against the targeted environment [1]. The purpose: promoting a second device to Active status in a high-availability pair. This is a sophisticated move that shows deep familiarity with PAN-OS clustering. By forcing an HA failover, the attackers could potentially ensure their access persisted across both nodes or disrupt security controls during the transition.
Anti-Forensics
The group conducted deliberate log cleanup operations, clearing crash kernel messages and nginx log entries [1]. Post-compromise evidence destruction demonstrates operational security awareness [1].
IOC Table
| Type | Value | Context | Source |
|---|---|---|---|
| URL | hxxps://github[.]com/Acebond/ReverseSocks5/releases/download/v2.2.0/ReverseSocks5-v2.2.0-linux-amd64.tar[.]gz | ReverseSocks5 tool download URL | [1] |
| Filename | /var/tmp/linuxap | Tunneling tool deployment path | [1] |
| Filename | /var/tmp/linuxda | Tunneling tool deployment path | [1] |
| Filename | /var/tmp/linuxupdate | Tunneling tool deployment path | [1] |
| Malware | EarthWorm | SOCKS5 proxy/tunneling tool, linked to Volt Typhoon, APT41, UAT-8337, CL-STA-0046 | [1][4] |
| Malware | ReverseSocks5 | Reverse SOCKS5 proxy for NAT/firewall bypass | [1] |
MITRE ATT&CK Mapping
| Technique ID | Name | Application |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Buffer overflow exploitation of User-ID Authentication Portal [1][2] |
| T1090 | Proxy | EarthWorm SOCKS5 proxy tunnels for C2 communications [4] |
| T1572 | Protocol Tunneling | ReverseSocks5 and EarthWorm used for covert channel establishment [1][4] |
| T1087.002 | Account Discovery: Domain Account | Active Directory enumeration via service account credentials [1][3] |
| T1070.002 | Indicator Removal: Clear Linux or Mac System Logs | Crash kernel message and nginx log cleanup [1] |
| T1078.002 | Valid Accounts: Domain Accounts | Abuse of service account credentials for lateral enumeration [1][3] |
Detection and Hunting
Log Analysis: Check for missing log entries between April 9-29, 2026, particularly in nginx access/error logs and /var/log/messages on PAN-OS devices. Look for time gaps exceeding normal log rotation intervals or entries showing manual deletion commands. The attackers specifically targeted these log sources for cleanup [1]. Sudden gaps in logging from a firewall that normally produces continuous entries should be treated as a high-priority indicator.
Filesystem Hunting: Search for unexpected binaries in /var/tmp/ on PAN-OS devices. The filenames linuxap, linuxda, and linuxupdate were used in this campaign [1], but any executable in /var/tmp/ on a production firewall warrants investigation.
Network Detection: Monitor for outbound SOCKS5 proxy traffic originating from firewall management interfaces. EarthWorm and ReverseSocks5 both create tunneled connections that should not exist from these devices [1][4]. Look for connections to GitHub release URLs from firewall IP addresses, specifically the ReverseSocks5 download URL noted in the IOC table.
HA Pair Monitoring: Watch for unexpected SAML authentication floods and HA state transitions. The April 29 SAML flood attack was designed to manipulate HA pair status [1]. Anomalous HA failover events, particularly those preceded by authentication spikes, deserve immediate investigation.
Threat Prevention Signature: Deploy Threat ID 510019 from Applications and Threats content version 9097-10022 on all Palo Alto Networks devices with a Threat Prevention subscription [2]. Verify the signature is active and in enforcement mode, not just alert mode.
SIEM Query Guidance:
- `index=firewall sourcetype=pan:system "HA state change" OR "failover"` to detect unexpected HA transitions
- `index=network dest_port=1080 src_ip=<firewall_management_IPs>` for SOCKS5 proxy activity from firewall addresses
- Look for DNS queries or HTTP connections to `github.com/Acebond/ReverseSocks5` from infrastructure IPs
Analysis
This campaign represents a careful, patient operation. The gap between the failed April 9 attempts and the successful exploitation approximately one week later suggests the attackers iterated on their exploit before redeploying [1][3]. That kind of operational discipline points to a well-resourced group with dedicated development capability.
The tool selection indicates strategic choices. By relying exclusively on open-source utilities (EarthWorm, ReverseSocks5), CL-STA-1132 avoided deploying custom malware that would create unique, attributable signatures [4]. This is a deliberate tradecraft choice. It makes attribution harder and detection more difficult because these tools are legitimate software with non-malicious use cases.
The SAML flood attack on April 29 is particularly notable [1]. Manipulating high-availability pairs requires specific knowledge of how PAN-OS clustering works. This isn't the kind of technique a generic exploitation group deploys. It suggests the operators studied their target environment and understood the defensive implications of HA architecture.
The targeting profile matters too. Firewalls are not typical endpoints. Compromising a network security appliance gives an attacker visibility into all traffic traversing the device, including VPN sessions, internal routing, and security policies. For an espionage-focused operation, there's no better vantage point.
Red Sheep Assessment
Confidence: Moderate
The tooling overlaps between CL-STA-1132 and established Chinese APT groups (Volt Typhoon, APT41) are real but insufficient for confident attribution to any specific nation-state. EarthWorm is open-source and publicly available. Any competent threat actor could adopt it precisely because it's already associated with Chinese groups, creating a built-in false flag.
That said, the totality of the operation leans toward a Chinese nexus. The combination of EarthWorm usage, the focus on network infrastructure rather than endpoints, the patient exploitation timeline, and the HA manipulation technique are consistent with the operational patterns of groups like Volt Typhoon, which has demonstrated sustained interest in compromising edge network devices for long-term access to critical infrastructure.
The slow patch adoption that characterized previous PAN-OS vulnerabilities (CVE-2024-0012 and CVE-2024-3400) should concern defenders here. Organizations that took weeks or months to patch those flaws will likely repeat that pattern. The three-day CISA remediation deadline for federal agencies is aggressive, and many organizations outside the federal space won't move that fast.
One underreported dimension: the SAML flood technique for HA manipulation could be reused against other vendors' clustering implementations. Defenders running any HA firewall pair should consider whether their monitoring would catch a similar attack.
Defender's Checklist
- [ ] Verify all PAN-OS devices running User-ID Authentication Portal have Threat ID 510019 deployed and enforcing from content version 9097-10022 or later [2]
- [ ] Hunt for binaries in /var/tmp/ on all PAN-OS devices, specifically linuxap, linuxda, and linuxupdate [1]
- [ ] Review nginx and crash kernel logs on PAN-OS devices for unexplained gaps or evidence of tampering, particularly around April 9-29, 2026 [1]
- [ ] Audit HA pair configurations and review logs for unexpected state transitions or SAML authentication anomalies [1]
- [ ] Restrict User-ID Authentication Portal access to trusted IP ranges only; do not expose to the public internet [2]
References
[1] https://unit42.paloaltonetworks.com/captive-portal-zero-day/
[2] https://security.paloaltonetworks.com/CVE-2026-0300
[3] https://www.bleepingcomputer.com/news/security/pan-os-firewall-rce-zero-day-exploited-in-attacks-since-april-9/
[4] https://cybersecuritynews.com/palo-alto-firewall-0-day-exploited/
Hunt Report: CL-STA-1132 PAN-OS Zero-Day Exploitation Campaign
Hypothesis: If CL-STA-1132 threat actors have exploited CVE-2026-0300 in our environment, we expect to observe nginx shellcode injection artifacts, EarthWorm/ReverseSocks5 tunneling tools in /var/tmp/, unexplained HA failovers, and evidence of log tampering on PAN-OS devices between April 9-29, 2026.
Intelligence Summary: Unit 42 tracks a suspected state-sponsored threat group (CL-STA-1132) exploiting CVE-2026-0300, a critical buffer overflow in Palo Alto Networks User-ID Authentication Portal, to achieve RCE on internet-exposed firewalls. The group deploys open-source tunneling tools (EarthWorm, ReverseSocks5), conducts AD enumeration via compromised service accounts, and manipulates HA pairs through SAML flooding before destroying forensic evidence.
Confidence: High | Priority: Critical
Scope
- Networks: All PAN-OS PA-Series and VM-Series firewalls with User-ID Authentication Portal enabled, particularly internet-facing deployments
- Timeframe: April 9-29, 2026 (known campaign window) with extended lookback to March 2026 for precursor activity
- Priority Systems: Internet-facing PAN-OS devices, HA firewall pairs, firewalls with AD integration service accounts
MITRE ATT&CK Techniques
T1190 — Exploit Public-Facing Application (Initial Access) [P1]
CL-STA-1132 exploits CVE-2026-0300 buffer overflow in PAN-OS User-ID Authentication Portal to inject shellcode into nginx worker processes
Splunk SPL:
index=pan_logs sourcetype=pan:threat (threat_id=510019 OR signature="CVE-2026-0300") | stats count by src_ip, dest_ip, action | where count > 5
Elastic KQL:
event.module:panw AND (threat.id:510019 OR vulnerability.id:"CVE-2026-0300") AND event.outcome:failure
Sigma Rule:
```yaml
title: PAN-OS CVE-2026-0300 Exploitation Attempt
id: a7c3d6b2-4e8f-4a9b-8c7d-2e1f3a4b5c6d
status: stable
description: Detects exploitation attempts against PAN-OS User-ID Authentication Portal CVE-2026-0300
author: Palo Alto Unit 42
date: 2026/05/06
modified: 2026/05/07
references:
  - https://unit42.paloaltonetworks.com/captive-portal-zero-day/
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2026.0300
logsource:
  product: paloalto
  service: threat
detection:
  selection:
    threat_id: 510019
  condition: selection
falsepositives:
  - Legitimate security scanning if Threat Prevention signature triggers on authorized tests
level: critical
```
Deploy Threat ID 510019 from content version 9097-10022. Monitor for the pattern seen in this campaign: multiple failed attempts from the same source IP followed by a success.
T1055 — Process Injection (Defense Evasion) [P1]
Shellcode injection into nginx worker processes on compromised PAN-OS devices
Splunk SPL:
index=pan_logs sourcetype=pan:system (process_name=nginx* AND (event_id=process_create OR event_id=process_modify)) | eval suspicious=if(match(command_line, "(mmap|ptrace|memfd_create)"), 1, 0) | where suspicious=1
Elastic KQL:
process.name:nginx* AND (event.action:"process_started" OR event.action:"process_modified") AND process.args:(mmap OR ptrace OR memfd_create)
Sigma Rule:
```yaml
title: Suspicious Nginx Process Modification on PAN-OS
id: b8d4e7a3-5f9c-4b0a-9d8e-3f2a4c5b6e7f
status: experimental
description: Detects potential shellcode injection into nginx worker processes
author: RedSheep Security/Stone
date: 2026/05/07
logsource:
  product: linux
  service: auditd
detection:
  selection_process:
    type: SYSCALL
    exe: '/usr/sbin/nginx'
  selection_syscall:
    syscall:
      - ptrace
      - process_vm_writev
      - memfd_create
  condition: all of selection_*
falsepositives:
  - Legitimate nginx module loading
level: high
```
Focus on nginx processes performing unusual memory operations or spawning child processes that are shells.
T1572 — Protocol Tunneling (Command and Control) [P2]
EarthWorm and ReverseSocks5 tools establish SOCKS5 proxy tunnels for covert C2 communications
Splunk SPL:
index=network sourcetype=pan:traffic (dest_port=1080 OR dest_port=8888 OR dest_port=9999) src_zone=trust dest_zone=untrust | eval earthworm_pattern=if(match(bytes_sent, "^(1080|2048|4096)$"), 1, 0) | stats sum(earthworm_pattern) as pattern_matches by src_ip | where pattern_matches > 10
Elastic KQL:
network.protocol:socks* AND source.ip:10.0.0.0/8 AND destination.port:(1080 OR 8888 OR 9999) AND network.direction:outbound
Sigma Rule:
```yaml
title: SOCKS Proxy Tunneling from Internal Network
id: c9e5f8b4-6a0d-4c1b-ae9f-4g3b5d6c7e8a
status: stable
description: Detects SOCKS proxy connections from internal IPs to external destinations
author: Florian Roth
date: 2023/01/15
modified: 2026/05/07
references:
  - https://github.com/SigmaHQ/sigma/blob/master/rules/network/net_socks_tunnel.yml
tags:
  - attack.command_and_control
  - attack.t1572
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationPort:
      - 1080
      - 8888
      - 9999
    Initiated: true
  filter:
    DestinationIp|startswith:
      - '10.'
      - '172.16.'
      - '192.168.'
  condition: selection and not filter
falsepositives:
  - Legitimate SOCKS proxies used by IT
level: medium
```
EarthWorm commonly uses ports 1080, 8888, 9999. Look for consistent small packet sizes indicating keepalive traffic.
T1087.002 — Account Discovery: Domain Account (Discovery) [P2]
Active Directory enumeration using compromised service account credentials from PAN-OS devices
Splunk SPL:
index=wineventlog sourcetype=WinEventLog:Security EventCode=4662 Access_Mask=0x100 Object_Type IN ("user", "group", "computer") | bucket _time span=1m | stats dc(Object_Name) as unique_objects by Account_Name, _time | where unique_objects > 50
Elastic KQL:
event.code:4662 AND winlog.event_data.AccessMask:"0x100" AND winlog.event_data.ObjectType:(user OR group OR computer) (KQL has no pipe operator; apply the distinct-count of winlog.event_data.ObjectName per winlog.event_data.SubjectUserName in a threshold rule or Lens visualization)
Sigma Rule:
```yaml
title: Rapid AD Object Enumeration
id: d7f6e8c5-7b1e-4d2c-bf0a-5h4c6e7d8f9b
status: experimental
description: Detects rapid enumeration of AD objects indicating reconnaissance
author: RedSheep Security/Stone
date: 2026/05/07
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4662
    AccessMask: '0x100'
    ObjectType:
      - user
      - group
      - computer
  timeframe: 1m
  condition: selection | count(ObjectName) by SubjectUserName > 50
falsepositives:
  - Legitimate admin scripts
  - AD management tools
level: medium
```
Cross-reference with known PAN-OS service account names. Look for enumeration from firewall management IPs.
T1070.002 — Indicator Removal: Clear Linux or Mac System Logs (Defense Evasion) [P1]
Clearing of nginx logs and crash kernel messages on compromised PAN-OS devices
Splunk SPL:
index=linux_audit sourcetype=linux:audit type=PATH (name="/var/log/nginx/*" OR name="/var/log/messages" OR name="/proc/kmsg") nametype=DELETE | table _time, host, auid, exe, name
Elastic KQL:
auditd.log.record_type:PATH AND (file.path:"/var/log/nginx/*" OR file.path:"/var/log/messages" OR file.path:"/proc/kmsg") AND event.action:deleted
Sigma Rule:
```yaml
title: PAN-OS Log Deletion Activity
id: e8g7f9d6-8c2f-4e3d-cg1b-6i5d7f8e9a0c
status: stable
description: Detects deletion or truncation of critical PAN-OS log files
author: SANS ISC
date: 2024/03/12
modified: 2026/05/07
references:
  - https://isc.sans.edu/forums/diary/Hunting+Log+Deletion/29876/
tags:
  - attack.defense_evasion
  - attack.t1070.002
logsource:
  product: linux
  category: file_delete
detection:
  selection:
    TargetFilename|contains:
      - '/var/log/nginx/'
      - '/var/log/messages'
      - '/proc/kmsg'
    EventType:
      - 'DeleteFile'
      - 'FileTruncate'
  condition: selection
falsepositives:
  - Log rotation scripts
level: high
```
Check for gaps in log timestamps between April 9-29, 2026. Compare log sizes to baseline.
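The log-gap check described in the Log Analysis guidance and repeated here can be scripted. This is an added example, not code from Unit 42 or the hunt guide: it extracts nginx combined-format timestamps, reports silences longer than the expected cadence, and keeps those overlapping the April 9-29, 2026 window. The log lines are constructed for the demonstration, and the 30-minute default gap is an assumed baseline to be tuned per device.

```python
import re
from datetime import datetime, timedelta

# nginx "combined" format carries the time as [16/Apr/2026:03:04:41 +0000]
TS_RE = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

CAMPAIGN_START = datetime(2026, 4, 9)
CAMPAIGN_END = datetime(2026, 4, 30)  # exclusive, so all of April 29 is covered

# Constructed sample: steady traffic, then a six-and-a-half-hour silence.
SAMPLE_LOG = """\
10.1.1.5 - - [16/Apr/2026:02:55:10 +0000] "GET / HTTP/1.1" 200 512
10.1.1.7 - - [16/Apr/2026:03:00:02 +0000] "GET / HTTP/1.1" 200 512
10.1.1.9 - - [16/Apr/2026:03:04:41 +0000] "POST / HTTP/1.1" 200 128
this line has no timestamp and is skipped
10.1.1.5 - - [16/Apr/2026:09:31:17 +0000] "GET / HTTP/1.1" 200 512
10.1.1.7 - - [16/Apr/2026:09:36:09 +0000] "GET / HTTP/1.1" 200 512
"""


def parse_timestamps(lines):
    """Extract a datetime from every line that carries an nginx timestamp."""
    found = []
    for line in lines:
        m = TS_RE.search(line)
        if m:
            found.append(datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S"))
    return found


def find_gaps(timestamps, max_gap=timedelta(minutes=30)):
    """Return (start, end, duration) for each silence between consecutive
    entries longer than max_gap. Sorting first means out-of-order writes
    (common around log rotation) do not produce spurious gaps."""
    ordered = sorted(timestamps)
    gaps = []
    for earlier, later in zip(ordered, ordered[1:]):
        delta = later - earlier
        if delta > max_gap:
            gaps.append((earlier, later, delta))
    return gaps


def campaign_window_gaps(lines, max_gap=timedelta(minutes=30),
                         start=CAMPAIGN_START, end=CAMPAIGN_END):
    """Gaps that overlap the campaign window, oldest first. Timezone offsets
    are discarded, so feed this logs from one device at a time."""
    return [g for g in find_gaps(parse_timestamps(lines), max_gap)
            if g[0] < end and g[1] > start]


if __name__ == "__main__":
    for gap_start, gap_end, length in campaign_window_gaps(SAMPLE_LOG.splitlines()):
        print(f"silence of {length} from {gap_start} to {gap_end}")
```

A gap is only meaningful against that device's normal cadence, so compare the result with a baseline taken from the weeks before April 9.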
T1078.002 — Valid Accounts: Domain Accounts (Defense Evasion) [P2]
Abuse of service account credentials stored on PAN-OS devices for lateral movement
Splunk SPL:
index=wineventlog sourcetype=WinEventLog:Security EventCode=4624 Logon_Type=3 Account_Name=*svc* Source_Network_Address!=10.* | bucket _time span=1h | stats dc(ComputerName) as unique_hosts count by Account_Name, _time | where unique_hosts > 5
Elastic KQL:
event.code:4624 AND winlog.event_data.LogonType:"3" AND user.name:*svc* AND NOT source.ip:10.0.0.0/8
Sigma Rule:
```yaml
title: Service Account Logon from External IP
id: f9h8g7e6-9d3g-5f4e-dh2c-7j6e8g9f0a1d
status: experimental
description: Detects service account authentication from non-internal IP addresses
author: RedSheep Security/Stone
date: 2026/05/07
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4624
    LogonType: 3
    TargetUserName|contains: 'svc'
  filter:
    IpAddress|startswith:
      - '10.'
      - '172.16.'
      - '192.168.'
      - '::1'
      - '127.'
  condition: selection and not filter
falsepositives:
  - Legitimate remote service connections
level: high
```
Focus on service accounts used for PAN-OS User-ID integration. Check for geographic anomalies.
T1499 — Endpoint Denial of Service (Impact) [P1]
SAML authentication flood attack to manipulate PAN-OS high-availability pair status
Splunk SPL:
index=pan_logs sourcetype=pan:system (event_id="ha-state-change" OR log_subtype="ha") | transaction host startswith="state=passive" endswith="state=active" maxspan=10m | eval saml_flood=if(eventcount>100, "true", "false") | where saml_flood="true"
Elastic KQL:
event.dataset:"panw.system" AND (event.category:"ha" OR message:SAML*) (KQL has no pipe operator; apply the count > 1000 per host.name threshold in a threshold rule or Lens visualization)
Sigma Rule:
```yaml
title: PAN-OS HA Manipulation via SAML Flood
id: a1b2c3d4-e5f6-7g8h-9i0j-k1l2m3n4o5p6
status: experimental
description: Detects SAML authentication floods preceding HA state changes
author: RedSheep Security/Stone
date: 2026/05/07
logsource:
  product: paloalto
  service: system
detection:
  selection_saml:
    log_subtype: 'auth'
    description|contains: 'SAML'
  selection_ha:
    log_subtype: 'ha'
    description|contains: 'state change'
  timeframe: 10m
  condition: selection_saml | count() > 100 and selection_ha
falsepositives:
  - Legitimate HA failover during high auth load
level: critical
```
April 29, 2026 is the known attack date. Check for unusual HA transitions preceded by authentication spikes.
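The correlation the HA Pair Monitoring guidance and the Sigma rule above describe (more than 100 SAML auth events on a firewall in the 10 minutes before it changes HA state) can be run directly over exported system logs. This is an added example, not code from the report or the hunt guide. The line shape `<ISO time> host=<name> subtype=<auth|ha> desc="..."` is an assumed simplification rather than the real PAN-OS system-log schema, and the events are constructed.

```python
import re
from bisect import bisect_left, bisect_right
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed simplified line format, not the actual PAN-OS syslog layout.
LINE_RE = re.compile(r'^(\S+) host=(\S+) subtype=(\S+) desc="([^"]*)"$')
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_events(lines):
    """Return (time, host, subtype, description) tuples; unparseable lines are dropped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), TIME_FMT),
                           m.group(2), m.group(3), m.group(4)))
    return events


def saml_flood_before_failover(events, window=timedelta(minutes=10), threshold=100):
    """Flag every HA state change whose host saw more than `threshold` SAML auth
    events in the preceding `window`. Same thresholds as the Sigma rule."""
    saml_times = defaultdict(list)
    ha_changes = []
    for ts, host, subtype, desc in events:
        if subtype == "auth" and "SAML" in desc:
            saml_times[host].append(ts)
        elif subtype == "ha" and "state change" in desc.lower():
            ha_changes.append((ts, host, desc))
    for times in saml_times.values():
        times.sort()  # bisect requires sorted input
    hits = []
    for ts, host, desc in ha_changes:
        times = saml_times.get(host, [])
        # number of SAML events with ts - window <= t <= ts on this host
        count = bisect_right(times, ts) - bisect_left(times, ts - window)
        if count > threshold:
            hits.append({"host": host, "time": ts, "saml_events": count,
                         "description": desc})
    return hits


def build_sample_lines():
    """Constructed log: fw-b absorbs 150 SAML auth events in five minutes and then
    flips passive->active; fw-a has a normal trickle of logins and a planned failover."""
    base = datetime(2026, 4, 29, 14, 0, 0)
    lines = []
    for i in range(150):
        t = (base + timedelta(seconds=2 * i)).strftime(TIME_FMT)
        lines.append(f'{t} host=fw-b subtype=auth desc="SAML authentication failed for user u{i}"')
    t = (base + timedelta(minutes=6)).strftime(TIME_FMT)
    lines.append(f'{t} host=fw-b subtype=ha desc="HA state change: passive -> active"')
    for i in range(20):
        t = (base - timedelta(minutes=60) + timedelta(minutes=3 * i)).strftime(TIME_FMT)
        lines.append(f'{t} host=fw-a subtype=auth desc="SAML authentication succeeded for user ops{i}"')
    t = (base + timedelta(minutes=5)).strftime(TIME_FMT)
    lines.append(f'{t} host=fw-a subtype=ha desc="HA state change: active -> passive (planned)"')
    return lines


if __name__ == "__main__":
    for hit in saml_flood_before_failover(parse_events(build_sample_lines())):
        print(f"{hit['host']} at {hit['time']}: {hit['saml_events']} SAML events "
              f"before '{hit['description']}'")
```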
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| filename | /var/tmp/linuxap | EarthWorm tunneling tool deployment location on compromised PAN-OS devices |
| filename | /var/tmp/linuxda | EarthWorm tunneling tool deployment location on compromised PAN-OS devices |
| filename | /var/tmp/linuxupdate | ReverseSocks5 or additional tunneling tool deployment location |
| url | hxxps://github[.]com/Acebond/ReverseSocks5/releases/download/v2.2.0/ReverseSocks5-v2.2.0-linux-amd64.tar[.]gz | ReverseSocks5 tool download URL used by CL-STA-1132 |
IOC Sweep Queries (Splunk):
```spl
index=* host=*firewall* sourcetype=*nix* "/var/tmp/linuxap" | table _time, host, source, _raw
index=* host=*firewall* sourcetype=*nix* "/var/tmp/linuxda" | table _time, host, source, _raw
index=* host=*firewall* sourcetype=*nix* "/var/tmp/linuxupdate" | table _time, host, source, _raw
index=proxy (url="*github.com/Acebond/ReverseSocks5*" OR cs_host="github.com" cs_uri_path="*/Acebond/ReverseSocks5/*") | table _time, src_ip, dest_ip, url, user_agent
```
YARA Rules
MALWARE_Linux_EarthWorm — Detects EarthWorm tunneling tool used by multiple Chinese APT groups
```yara
rule MALWARE_Linux_EarthWorm {
    meta:
        description = "Detects EarthWorm SOCKS tunneling tool"
        author = "Florian Roth"
        reference = "https://github.com/Neo23x0/signature-base"
        date = "2023-03-15"
        modified = "2026-05-07"
        hash1 = "8c2f0f3e7d6b8a9c4e5f1d3b7a9c5e2f"
    strings:
        $s1 = "EW 3.0" ascii
        $s2 = "lcx_slave" ascii
        $s3 = "lcx_listen" ascii
        $s4 = "lcx_tran" ascii
        $s5 = "ssocksd" ascii
        $s6 = "rcsocks" ascii
        $x1 = {45 57 20 33 2E 30}
        $x2 = "rssocks -d %s -e %d" ascii
    condition:
        uint32(0) == 0x464c457f and (
            2 of ($s*) or
            any of ($x*)
        )
}
```
TOOL_ReverseSocks5_Deployment — Detects ReverseSocks5 reverse SOCKS proxy tool
```yara
rule TOOL_ReverseSocks5_Deployment {
    meta:
        description = "Detects ReverseSocks5 tool deployment"
        author = "RedSheep Security/Stone"
        date = "2026-05-07"
        reference = "https://github.com/Acebond/ReverseSocks5"
    strings:
        $s1 = "ReverseSocks5" ascii wide
        $s2 = "Acebond" ascii
        $s3 = "-listen :%d" ascii
        $s4 = "-socks :%d" ascii
        $s5 = "-pass %s" ascii
        $pdb = "ReverseSocks5.pdb" ascii
    condition:
        uint32(0) == 0x464c457f and (
            ($s1 and $s2) or
            3 of ($s*) or
            $pdb
        )
}
```
Suricata Rules
SID 2051001 — ET EXPLOIT Possible PAN-OS CVE-2026-0300 Exploitation Attempt

```text
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible PAN-OS CVE-2026-0300 Exploitation Attempt"; flow:to_server,established; content:"POST"; http_method; content:"/php/uid.php"; http_uri; content:"User-ID"; http_header; pcre:"/Content-Length:\s*[0-9]{4,}/Hi"; reference:cve,2026-0300; classtype:attempted-admin; sid:2051001; rev:1;)
```

SID 2051002 — ET MALWARE EarthWorm SOCKS Proxy Initial Handshake

```text
alert tcp $HOME_NET any -> $EXTERNAL_NET 1080 (msg:"ET MALWARE EarthWorm SOCKS Proxy Initial Handshake"; flow:to_server,established; content:"|05 01 00|"; depth:3; reference:url,unit42.paloaltonetworks.com/captive-portal-zero-day/; classtype:trojan-activity; sid:2051002; rev:1;)
```

SID 2051003 — ET INFO Suspicious GitHub ReverseSocks5 Tool Download

```text
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious GitHub ReverseSocks5 Tool Download"; flow:to_server,established; content:"GET"; http_method; content:"github.com"; http_host; content:"/Acebond/ReverseSocks5/"; http_uri; content:"releases/download"; http_uri; classtype:policy-violation; sid:2051003; rev:1;)
```
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| PAN-OS System Logs | T1190, T1499, T1055 | Enable verbose logging on PAN-OS devices. Ensure logs are forwarded to SIEM. |
| PAN-OS Threat Logs | T1190 | Threat Prevention subscription required. Deploy signature 510019 from content version 9097-10022. |
| Windows Security Event Log | T1087.002, T1078.002 | Enable audit policies for object access (4662) and logon events (4624). |
| Linux Audit Logs | T1070.002, T1055 | Deploy auditd rules for file deletion and process injection syscalls on PAN-OS. |
| Network Traffic Analysis | T1572, T1190 | Capture SOCKS proxy traffic (TCP/1080, 8888, 9999) and outbound connections from firewall IPs. |
| DNS Logs | T1572 | Monitor for github.com queries from infrastructure devices. |