Palo Alto Zero-Day Exploited in Campaign Bearing Hallmarks of Chinese State Hacking

Palo Alto Networks has shared some information on the exploitation of the recently disclosed zero-day vulnerability affecting some of its firewalls. The cybersecurity firm has not directly attributed the attack to a specific threat actor or country, but the evidence seems to point to China. In an advisory published on May 6, Palo Alto Networks informed customers about CVE-2026-0300, a vulnerability affecting the User-ID Authentication Portal of PA and VM series firewalls.  The company said the flaw, which allows unauthenticated remote code execution with root privileges, had been exploited as a zero-day.  Patches are expected to be released on May 13 and May 28, and in the meantime the company has shared mitigations and workarounds to prevent exploitation.  Shortly after CVE-2026-0300 was disclosed, Palo Alto Networks published a blog post describing the vulnerability’s exploitation in the wild.  According to the company, a “likely state-sponsored” threat group tracked as CL-STA-1132 was behind the attack. First exploitation attempts were observed on April 9, but were unsuccessful. The vulnerability was successfully leveraged one week later for remote code execution and Nginx worker process shellcode injection. “Following the compromise, the attackers immediately conducted log cleanup to mitigate detection by clearing crash kernel messages, deleting nginx crash entries and nginx crash records, as well as removing crash core dump files,” Palo Alto explained. “The attackers deployed a number of tools with root privileges four days later, before conducting Active Directory (AD) enumeration using the firewall’s service account credentials to target domain root and DomainDnsZones. Following enumeration, the attackers deleted ptrace injection evidence from the audit log and deleted the SetUserID (SUID) privilege escalation binary,” it added. The attackers deployed the open source Earthworm and ReverseSocks5 tools. The former is a network tunneling tool that enables attackers to establish a covert communications channel, while the latter allows them to bypass firewalls and NAT.  The cybersecurity firm has stopped short of attributing the attacks to a specific country, but the evidence it has presented points to China as the main suspect.  Earthworm and ReverseSocks5 have predominantly been used by Chinese APT groups, including Volt Typhoon and APT41. Log destruction has also often been observed during attacks attributed to Chinese threat actors.  Active Directory targeting is also a hallmark of Chinese groups, though other nation-state hackers and cybercriminals use this technique as well.  “The reliance of the attackers behind CL-STA-1132 on open-source tooling, rather than proprietary malware, minimized signature-based detection and facilitated seamless environment integration,” Palo Alto noted. “This technical choice, combined with a disciplined operational cadence of intermittent interactive sessions over a multi-week period, intentionally remained below the behavioral thresholds of most automated alerting systems.” Related: Critical cPanel & WHM Vulnerability Exploited as Zero-Day for Months Related: Microsoft Patches Exploited SharePoint Zero-Day and 160 Other Vulnerabilities Related: Adobe Patches Reader Zero-Day Exploited for Months WRITTEN BY Eduard Kovacs Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering. More from Eduard Kovacs Attackers Could Exploit AI Vision Models Using Imperceptible Image Changes Claude AI Guided Hackers Toward OT Assets During Water Utility Intrusion Romanian Man Extradited to US for Role in Hacking Scheme 17 Years Ago CISA Launches ‘CI Fortify’ to Prepare Critical Infrastructure for Geopolitical Cyber Conflict Palo Alto Networks to Patch Zero-Day Exploited to Hack Firewalls Microsoft Warns of Sophisticated Phishing Campaign Targeting US Organizations Critical Remote Code Execution Vulnerability Patched in Android WhatsApp Discloses File Spoofing, Arbitrary URL Scheme Vulnerabilities Latest News In Other News: Train Hacker Arrested, PamDOORa Linux Backdoor, New CISA Director Frontrunner Polish Security Agency Reports ICS Breaches at Five Water Treatment Plants AI Firm Braintrust Prompts API Key Rotation After Data Breach Cyberattack Hits Canvas System Used by Thousands of Schools as Finals Loom ‘PCPJack’ Worm Removes TeamPCP Infections, Steals Credentials Ransomware Group Takes Credit for Trellix Hack Vulnerability in Claude Extension for Chrome Exposes AI Agent to Takeover Ivanti Patches EPMM Zero-Day Exploited in Targeted Attacks Trending Webinar: ROSI For CPS Security Programs May 13, 2026 In cyber-physical systems (CPS), just one hour of downtime can outweigh an entire annual security budget. Learn how to master the Return on Security Investment (ROSI) to align security goals with the bottom-line priorities. Register Virtual Event: Threat Detection And Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the Move Malwarebytes has named Chung Ip as Chief Financial Officer. Semperis has appointed John Podboy as Chief Information Security Officer. Randy Menon has become Chief Product and Marketing Officer at One Identity. More People On The Move Expert Insights The Mythos Moment: Enterprises Must Fight Agents With Agents Only with the right platform and an agentic, AI-driven defense, will enterprises be able to protect themselves in the agentic era. (Etay Maor) Why Cybersecurity Must Rethink Defense In The Age Of Autonomous Agents From autonomous code generation to decision-making systems that initiate actions without human intervention, the industry is entering a new phase. (Torsten George) Government Can’t Win The Cyber War Without The Private Sector Securing national resilience now depends on faster, deeper partnerships with the private sector. (Steve Durbin) The Hidden ROI Of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules Of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) Flipboard Reddit Whatsapp Email