Palo Alto Networks warns state-linked cluster behind zero-day exploitation
A patch for the flaw, which hackers began targeting in early April, won’t be ready for another week.
Published May 7, 2026
David Jones
Reporter
Cybersecurity professionals assemble for a presentation at Palo Alto Networks’ booth on the show floor on April 27, 2023, at the RSA Conference in San Francisco. A suspected state-linked threat cluster is linked to exploitation of a critical vulnerability in the company’s Captive Portal, beginning in April 2026. Matt Kapko/Cybersecurity Dive
Palo Alto Networks warned that a suspected state-sponsored threat cluster targeted a critical vulnerability in the User ID Authentication Portal service of PAN-OS software, according to a blog post published Wednesday. The vulnerability, tracked as CVE-2026-0300, is a buffer overflow vulnerability that allows attackers to execute arbitrary code on the company’s PA Series and VM Series firewalls.
The cybersecurity company issued an advisory on Tuesday warning that a limited number of customers had been exploited in cases where devices were exposed to the public internet or exposed to untrusted IP addresses.
The company is “working to release software fixes, with the first updates expected to be available by May 13,” according to a spokesperson.
The Cybersecurity and Infrastructure Security Agency on Wednesday added the flaw to its Known Exploited Vulnerabilities catalog.
The initial exploitation attempts against a PAN-OS device were traced back to April 9, but were unsuccessful, according to researchers at PAN Unit 42. A week later, attackers broke through and injected shellcode into the device. The cluster is being tracked as CL-STA-1132, but researchers did not provide any details about the attackers’ country of origin or who is behind them.
Following the initial compromise, attackers worked to evade detection by clearing crash kernel messages, deleting nginx crash entries and crash records, and removing crash core dump files, said Unit 42 in its blog post.
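The post-compromise clean-up described above is a detection opportunity for defenders: a service crash followed within minutes by commands that clear kernel messages and delete crash records or core dumps is a pattern worth alerting on. The following script is an added illustration, not code from Palo Alto Networks, Unit 42 or the article; the log format, file paths and sample lines are constructed for the example, and real PAN-OS or firewall audit sources will look different.

```python
"""Correlate service-crash events with anti-forensic clean-up commands.

Added example (not vendor code). The line format below is constructed:
  <ISO timestamp> crash <service> <description>
  <ISO timestamp> cmd uid=<n> <command line>
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: one crash followed by evidence removal,
# one crash with only unrelated, much later activity.
SAMPLE_LOG = """\
2026-04-16T10:02:11Z crash nginx worker segfault core_dumped=1
2026-04-16T10:02:40Z cmd uid=0 dmesg -c
2026-04-16T10:02:44Z cmd uid=0 rm -f /var/crash/nginx-20260416.crash
2026-04-16T10:02:51Z cmd uid=0 rm -f /var/cores/core.nginx.1122
2026-04-17T08:15:00Z cmd uid=1000 ls /var/log
2026-04-18T09:00:03Z crash sshd segfault core_dumped=1
2026-04-18T15:00:00Z cmd uid=0 rm -f /tmp/old.txt
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<kind>crash|cmd) (?P<rest>.*)$')

# Command patterns that remove crash-related evidence. Paths are assumed
# for the example; adapt them to the platform being monitored.
ANTI_FORENSIC_PATTERNS = [
    ("clear kernel ring buffer", re.compile(r'\bdmesg\s+(-c|--clear)\b')),
    ("delete crash record", re.compile(r'\brm\b.*/crash/')),
    ("delete core dump", re.compile(r'\brm\b.*\bcore\b')),
]


@dataclass
class Event:
    ts: datetime
    kind: str   # "crash" or "cmd"
    rest: str   # remainder of the line


def parse_log(text):
    """Parse constructed log lines into Event objects; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%Y-%m-%dT%H:%M:%SZ')
        events.append(Event(ts, m['kind'], m['rest']))
    return events


def classify(cmd):
    """Return the anti-forensic labels a command line matches (possibly none)."""
    return [label for label, rx in ANTI_FORENSIC_PATTERNS if rx.search(cmd)]


def find_cleanup_after_crash(events, window=timedelta(minutes=10), min_actions=2):
    """Report crashes followed, within `window`, by at least `min_actions`
    evidence-removal commands. Requiring several actions in a short window
    keeps a single routine `rm` from firing the rule."""
    findings = []
    crashes = [e for e in events if e.kind == 'crash']
    cmds = [e for e in events if e.kind == 'cmd']
    for crash in crashes:
        actions = []
        for e in cmds:
            if crash.ts <= e.ts <= crash.ts + window:
                for label in classify(e.rest):
                    actions.append((e.ts.isoformat(), label, e.rest))
        if len(actions) >= min_actions:
            findings.append({
                'crash': crash.rest,
                'crash_ts': crash.ts.isoformat(),
                'actions': actions,
            })
    return findings


if __name__ == '__main__':
    for finding in find_cleanup_after_crash(parse_log(SAMPLE_LOG)):
        print(f"ALERT crash at {finding['crash_ts']}: {finding['crash']}")
        for ts, label, cmd in finding['actions']:
            print(f"  {ts}  {label:<26} {cmd}")
```

Run as written, the script alerts on the nginx crash (three clean-up actions within a minute) and stays silent on the sshd crash, whose only nearby command is an unrelated deletion hours later. The same correlation can be expressed in a SIEM query; the point is to key on the sequence, not on any single command.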
By late April, the attackers conducted a Security Assertion Markup Language (SAML) flood against the previously targeted device, according to the blog post.
The hackers also deployed publicly available tunneling tools, including EarthWorm and ReverseSocks5.