A critical unauthenticated PAN-OS User-ID Authentication Portal zero-day, CVE-2026-0300, was exploited for 26 days before public disclosure, giving likely state-backed attackers root-level firewall access.
A critical unauthenticated remote code execution vulnerability in Palo Alto Networks' PAN-OS firewall software was actively exploited for nearly a month before defenders were told it existed — granting a likely state-sponsored threat actor root-level control over enterprise network perimeters with no credentials required.
CVE-2026-0300, rated CVSS 4.0 9.3 Critical by Palo Alto Networks and CVSS 3.1 9.8 Critical by the National Vulnerability Database, carries Palo Alto's HIGHEST urgency designation. The flaw resides in the User-ID™ Authentication Portal service built into PAN-OS and allows any unauthenticated attacker on the internet to send specially crafted packets that overflow a stack or heap buffer in the portal's nginx web process, overwrite adjacent memory, and seize root privileges — without user interaction and without any prior foothold on the network. The U.S. Cybersecurity and Infrastructure Security Agency added the vulnerability to its Known Exploited Vulnerabilities catalog on May 6, 2026, and ordered all federal civilian agencies to remediate within three days.
That three-day window underlines how seriously the government is treating this flaw. But for many organizations, the more troubling number is twenty-six.
Twenty-Six Days in the Dark
Palo Alto Networks' Unit 42 threat intelligence team confirmed that a threat cluster it tracks as CL-STA-1132 began exploitation attempts on April 9, 2026 — more than three weeks before public disclosure arrived on May 5. During that window, defenders had no patch, no advisory, no detection signature, and no warning.
The attack's forensic trail, reconstructed by Unit 42, is methodical and deliberate:
| Date | Event |
|---|---|
| Apr 9, 2026 | CL-STA-1132 begins exploitation attempts against exposed portals |
| ~Apr 16, 2026 | Successful RCE achieved; shellcode injected into nginx worker process. Logs immediately wiped: kernel crash messages cleared, nginx crash entries deleted, core dump files removed |
| ~Apr 20, 2026 | EarthWorm (SOCKS5 tunnel) and ReverseSocks5 deployed with root privileges; Active Directory enumeration begins using harvested firewall service credentials |
| Apr 29, 2026 | Attacker triggers SAML flood to force failover to internet-exposed standby unit; second firewall compromised using same technique |
| May 5, 2026 | Palo Alto Networks public disclosure |
| May 6, 2026 | CISA KEV listing; federal deadline: May 9, 2026 |
| May 6, 2026 | Public proof-of-concept exploit published |
| May 6, 2026 | Threat Prevention Signature ID 510019 released |
| May 13, 2026 | First hotfix patches begin shipping |
| May 28, 2026 | ETA for remaining version-specific patches |
The attacker's post-exploitation goals were not ransomware. Unit 42's analysis makes clear this is a credential-harvesting, Active Directory enumeration, and lateral movement operation — the signature of intelligence collection, not financial extortion. The firewall's privileged network position made it a skeleton key: once inside the device with root access, the attacker could harvest the service account credentials the firewall used to communicate with directory services, then enumerate internal AD objects from behind the perimeter. At the time of writing, Palo Alto describes the exploitation scope as "limited" — targeted state-actor hits rather than indiscriminate mass scanning. That framing will be tested now that a public proof-of-concept is freely available.
How the Flaw Works
The vulnerability class is CWE-787: Out-of-Bounds Write — a stack or heap buffer overflow in the User-ID™ Authentication Portal, a PAN-OS component that intercepts unauthenticated HTTP/HTTPS traffic and redirects users to a login page when the firewall cannot automatically map an IP address to a known identity. When the portal is active and reachable from an untrusted network, an attacker can send a malformed packet sequence that overflows the buffer, corrupts adjacent memory, and redirects execution flow — landing inside the nginx worker process with root privileges. No credentials. No user interaction. Fully automatable.
The CVSS vector tells the complete story:
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Confidentiality / Integrity / Availability | All HIGH |
| Automatable | YES |
This is the worst possible combination for a network edge device. Firewalls carry what Unit 42 describes as "concentrated" value density — compromise one device and an attacker inherits trusted access to the entire segment it protects, along with credentials to every system the firewall touches.
Who Is Behind This
Unit 42 designates the responsible threat cluster as CL-STA-1132 and assesses it as "likely state-sponsored" — stopping short of formal country attribution. The cluster's tooling selection is a meaningful signal: both EarthWorm, the open-source SOCKS5 tunneling tool used throughout this campaign, and ReverseSocks5 have appeared in prior operations attributed to Volt Typhoon and APT41, as well as clusters CL-STA-0046 and UAT-8337.
Unit 42 noted the deliberate logic behind the open-source tool choice: the cluster's "reliance on open-source tooling, rather than proprietary malware, minimized signature-based detection and facilitated seamless environment integration." Standard EDR and signature-based detection products will not flag EarthWorm as malware — it is legitimate software, wielded here as a covert tunneling layer.
Some third-party researchers have characterized the campaign as bearing hallmarks of Chinese state hacking, but that framing reflects editorial inference rather than Palo Alto's own formal attribution. Security teams should treat this as a sophisticated, patient, state-caliber actor operating deliberately below detection thresholds — regardless of which flag flies above the operation.
The operational style is low-and-slow: intermittent interactive sessions, minimal dwell-time footprint, no persistent implants that would survive reboots, and careful log destruction after each session.
Are You Exposed?
An organization faces active risk from CVE-2026-0300 only if both of the following conditions are simultaneously true:
Condition 1: The User-ID™ Authentication Portal is enabled.
→ Check: Device > User Identification > Authentication Portal Settings > Enable Authentication Portal
Condition 2: An interface management profile with Response Pages enabled is attached to an L3 interface in a zone where untrusted or internet traffic can reach it.
→ Check: Network > Interface > [interface] > Advanced Tab > Management Interface Profile
If Response Pages is disabled on all internet-facing interfaces, the vulnerable service is not reachable from the public internet. Risk is substantially reduced — though patching remains mandatory.
Affected PAN-OS branches and versions are extensive:
| PAN-OS Branch | Vulnerable Range |
|---|---|
| 10.2 | < 10.2.7-h34, < 10.2.10-h36, < 10.2.13-h21, < 10.2.16-h7, < 10.2.18-h6 |
| 11.1 | < 11.1.4-h33, < 11.1.6-h32, < 11.1.7-h6, < 11.1.10-h25, < 11.1.13-h5, < 11.1.15 |
| 11.2 | < 11.2.4-h17, < 11.2.7-h13, < 11.2.10-h6, < 11.2.12 |
| 12.1 | < 12.1.4-h5, < 12.1.7 |
| Cloud NGFW | Not affected |
| Prisma Access | Not affected |
| Panorama | Not affected |
Several hotfixes — including 11.2.7-h13, 11.1.10-h25, and 10.2.16-h7 — are already available. Remaining version-specific patches are on a rolling schedule, with full coverage expected by May 28, 2026. Administrators should consult the live Palo Alto advisory for their specific branch rather than waiting for the full minor release cycle.
Shadowserver scanning data identified between 5,400 and 5,800+ PAN-OS VM-Series firewalls with internet-exposed portals as of May 6, 2026 — with significant concentrations across Asia and North America, and additional devices spread across other regions. That count covers VM-Series deployments only; physical PA-Series hardware appliance figures are not separately reported, meaning true exposure is likely meaningfully larger. Siemens RUGGEDCOM APE1808 devices running PAN-OS are also affected, per a separate Siemens PSIRT advisory.
What to Do Right Now
Security teams should operate on a triage hierarchy, not a wait-for-patch posture.
Immediate actions (before your patch is available):
- Disable Response Pages on all internet-facing L3 interfaces. This severs the attack vector at the network layer without requiring a maintenance window.
- Disable the Authentication Portal entirely if your organization does not require it: Device > User Identification > Authentication Portal Settings > uncheck Enable Authentication Portal
- Enable Threat Prevention Signature ID 510019 if you hold an Advanced Threat Prevention subscription and run content version 9097-10022 or later. Note: full decoder support requires PAN-OS 11.1 or higher.
If you suspect compromise — do not simply patch and reboot. A root-level attacker can persist in firmware, configuration state, or harvested credentials that survive a software update. Treat a suspected compromise as a full device reimaging event:
- Flash firmware from known-good media
- Conduct a full configuration audit
- Rotate credentials on every account that has touched the appliance — including the firewall's AD service account
- Hunt laterally: look for AD object modifications, unexpected authentication events, and credential reuse originating from the firewall's source IP
Threat hunting indicators (Unit 42):
Pull packet captures on portal interfaces going back to April 9, 2026.
C2 IP addresses (defanged):
- 67.206.213[.]86
- 136.0.8[.]48
- 146.70.100[.]69
- 149.104.66[.]84
EarthWorm file hash (SHA256):
- e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584
Suspicious filesystem paths:
- /var/tmp/linuxap
- /var/tmp/linuxda
- /var/tmp/linuxupdate
- /tmp/R5
- /var/R5
Attacker User-Agent string:
- Safari/532.31 Mozilla/5.5 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ... Edg/138.0.0.0
Hunt for anomalous long-payload requests to portal endpoints, nginx worker processes spawning unexpected child processes, and outbound connections to unknown destinations on non-standard ports.
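An added hunting sketch (not Unit 42's or Palo Alto's code) that applies the indicators above to two data sources a defender would already have: portal web-server access lines and the firewall's own outbound session records. The nginx log format with a trailing $request_length field, the 4096-byte "long payload" threshold, the egress port allowlist, the /login path and all sample lines are assumptions constructed for the example; the attacker User-Agent is matched on its distinctive malformed prefix (Safari before Mozilla) because the article quotes it elided.

```python
import re
from collections import namedtuple

# Indicators from the Unit 42 list above; the UA prefix is the distinctive leading tokens.
C2_IPS = {"67.206.213.86", "136.0.8.48", "146.70.100.69", "149.104.66.84"}
ATTACKER_UA_PREFIX = "Safari/532.31 Mozilla/5.5"
LONG_REQUEST_BYTES = 4096                   # assumed threshold; tune to your portal's normal sizes
EXPECTED_EGRESS_PORTS = {53, 80, 443, 514}  # assumed allowlist for the firewall's own egress

# nginx "combined" format plus a trailing $request_length field (assumed log_format).
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "(?P<ua>[^"]*)" (?P<reqlen>\d+)$'
)
Finding = namedtuple("Finding", "rule detail")

def hunt_access_log(lines):
    """Flag the attacker User-Agent and anomalously long requests to the portal."""
    findings = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # unparseable line; a real hunt would count these separately
        if m["ua"].startswith(ATTACKER_UA_PREFIX):
            findings.append(Finding("attacker-user-agent", m["client"]))
        if int(m["reqlen"]) > LONG_REQUEST_BYTES:
            findings.append(Finding("long-payload-request", f'{m["client"]} {m["req"]}'))
    return findings

def hunt_egress(flows):
    """flows: (src_ip, dst_ip, dst_port) tuples for the firewall's own outbound sessions."""
    findings = []
    for src, dst, port in flows:
        if dst in C2_IPS:
            findings.append(Finding("known-c2-destination", f"{src}->{dst}:{port}"))
        elif port not in EXPECTED_EGRESS_PORTS:
            findings.append(Finding("non-standard-egress-port", f"{src}->{dst}:{port}"))
    return findings

# Constructed sample data (not real captures) so the script runs offline.
SAMPLE_ACCESS = [
    '10.0.0.5 - - [10/Apr/2026:02:11:09 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)" 410',
    '203.0.113.7 - - [16/Apr/2026:03:40:21 +0000] "POST /login HTTP/1.1" 500 0 "-" '
    '"Safari/532.31 Mozilla/5.5 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Edg/138.0.0.0" 18933',
]
SAMPLE_FLOWS = [("192.0.2.1", "198.51.100.9", 443), ("192.0.2.1", "146.70.100.69", 8443),
                ("192.0.2.1", "198.51.100.9", 4444)]
```

Call hunt_access_log(SAMPLE_ACCESS) and hunt_egress(SAMPLE_FLOWS) to see the findings; the sample POST trips both the User-Agent and long-payload rules, which is the combination worth escalating.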
The Structural Problem CVE-2026-0300 Exposes
This exploited vulnerability is the fourteenth Palo Alto product flaw to appear in CISA's KEV catalog. In 2024 alone, seven PAN-OS vulnerabilities were exploited in the wild by state-sponsored actors. In November 2024, thousands of PAN-OS firewalls were compromised through a chained attack combining CVE-2024-0012 (authentication bypass) and CVE-2024-9474 (privilege escalation). The pattern is not coincidental — it is strategic.
"Nation-state threat actors engaged in cyber espionage have increasingly focused their efforts on edge-network technological assets, including firewalls, routers, IoT devices, hypervisors and various VPN solutions, which provide high-privilege access while often lacking the robust logging and security agents found on standard endpoints." — Unit 42 Threat Brief, May 6, 2026
The same targeting logic is visible across peer vulnerabilities disclosed in the same period: Ivanti EPMM in February 2026, BeyondTrust CVE-2026-1731, and multiple Fortinet flaws disclosed in May 2026. Edge appliances are the new high-value initial access target precisely because defenders have invested heavily in endpoint detection on laptops and servers while leaving firewalls, VPN concentrators, and authentication gateways comparatively blind.
Caitlin Condon, VP of Security Research at VulnCheck, captured the systemic risk plainly: "Management interfaces, login pages, and authentication portals have been common adversary targets for both opportunistic and targeted campaigns in recent years."
The disclosure itself carries a structural tension that Benjamin Harris, CEO and founder of watchTowr, described with precision: Palo Alto Networks' decision to proactively notify customers before patches were available was the right call in a difficult situation — but it carries an unavoidable tradeoff. Alerting defenders also "alerts everyone to the existence of a vulnerability," including every threat actor monitoring the same disclosure feeds. The simultaneous publication of a public proof-of-concept on May 6 — the same day as the CISA KEV listing — compresses that exposure window to near zero. What began as targeted exploitation by a single sophisticated cluster will not remain targeted for long.
What Comes Next
CISA's three-day federal remediation deadline — tighter than almost any prior KEV requirement — signals where the regulatory floor is moving. Private-sector organizations should treat the same urgency standard as the operational baseline, not a government-only concern.
The CIS/MS-ISAC Advisory 2026-043 rates CVE-2026-0300 HIGH for large and medium enterprises, mapping the required controls to CIS Safeguards 7.1, 7.2, 7.4, 7.5, 7.7, 12.1, 12.2, and 18.1 through 18.3 — the full gamut of patch management, network boundary defense, and application software security controls.
The checklist for every PAN-OS administrator is short and non-negotiable: verify whether your Authentication Portal is enabled and reachable from an untrusted network, apply the exposure restriction immediately, apply the hotfix for your branch as it ships, and treat any device that was reachable before May 5 as a candidate for forensic review. The attacker had twenty-six days. The question now is whether your organization was in the target set during those weeks — and whether you would have any way to know.