Palo Alto Networks Firewall Zero-Day RCE Vulnerability Exploited in the Wild Since April - CyberSecurityNews

HomeCyber Security News Palo Alto Networks Firewall Zero-Day RCE Vulnerability Exploited in the Wild Since April By Guru Baran May 7, 2026 A critical zero-day vulnerability in Palo Alto Networks PAN-OS software has been actively exploited by a likely state-sponsored threat actor since at least April 2026, the company revealed in a security advisory published on May 6, 2026. Tracked as CVE-2026-0300, the flaw is a buffer overflow vulnerability residing in the User-ID Authentication Portal, also known as the Captive Portal service of PAN-OS, and it allows an unauthenticated remote attacker to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending specially crafted network packets. The vulnerability enables unauthenticated remote code execution (RCE) against internet-facing PAN-OS deployments where the User-ID Authentication Portal is exposed to untrusted networks. Upon successful exploitation, attackers can inject shellcode directly into an nginx worker process, granting them deep, persistent access to the underlying system. Prisma Access, Cloud NGFW, and Panorama appliances are not affected. Risk is significantly elevated when the Authentication Portal is publicly reachable, making network segmentation and access restriction the most immediate mitigation step. Palo Alto Networks’ Unit 42 threat intelligence team is tracking exploitation activity under the cluster designation CL-STA-1132, attributed to a likely state-sponsored actor. The campaign timeline reveals a deliberate, methodical approach beginning April 9, 2026, when unsuccessful exploitation attempts were logged against a PAN-OS device. One week later, the attackers successfully achieved RCE and injected shellcode. Immediately following the compromise, they conducted aggressive log destruction, clearing crash kernel messages, deleting nginx crash entries and records, and removing crash core dump files to impair forensic detection. Four days after initial compromise, the attackers deployed multiple tools with root privileges and began Active Directory enumeration using service account credentials harvested from the firewall, targeting the domain root and DomainDnsZones. Evidence of ptrace injection and SetUserID (SUID) privilege-escalation binaries was subsequently deleted from audit logs to further reduce their footprint. On April 29, 2026, the attackers executed a SAML flood attack against the first compromised device, causing a secondary device to be promoted to Active status, inheriting the same internet-facing traffic configuration. RCE was then achieved on this second device by downloading and deploying two open-source tunneling tools. Earthworm and ReverseSocks5 for Post-Exploitation The attackers relied exclusively on publicly available tooling rather than on proprietary malware, a deliberate choice that minimized the likelihood of signature-based detection. EarthWorm, an open-source network tunneling tool written in C supporting Windows, Linux, macOS, and ARM/MIPS platforms, was used to establish covert SOCKS5 proxy tunnels and multi-hop cascaded network paths (MITRE ATT&CK T1090, T1572). Earthworm has previously been linked to threat clusters including Volt Typhoon, APT41, UAT-8337, and CL-STA-0046. ReverseSocks5 was used to establish outbound connections from compromised devices to an attacker-controlled controller, bypassing firewall and NAT restrictions to route traffic into the internal network via a SOCKS5 proxy tunnel. Organizations should take one of the following immediate actions. First, restrict User-ID Authentication Portal access exclusively to trusted internal zones, and disable Response Pages in the Interface Management Profile on any L3 interface reachable from untrusted or internet-facing traffic. Second, if the Authentication Portal is not operationally required, disable it entirely. Indicators of Compromise Indicator Type Description 67.206.213[.]86 IP Address Attacker Infrastructure 136.0.8[.]48 IP Address Attacker Infrastructure 146.70.100[.]69 IP Address C2 Staging Server 149.104.66[.]84 IP Address Attacker Infrastructure hxxp[:]//146.70.100[.]69:8000/php_sess URL EarthWorm Download URL hxxps[:]//github[.]com/Acebond/ReverseSocks5/releases/download/v2.2.0/ReverseSocks5-v2.2.0-linux-amd64.tar[.]gz URL ReverseSocks5 Download URL e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584 SHA-256 Hash EarthWorm Binary Safari/532.31 Mozilla/5.5 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36 Edg/138.0.0.0 User Agent Attacker User Agent String /var/tmp/linuxap, /var/tmp/linuxda, /var/tmp/linuxupdate File Path Tunneling Tool Artifacts /tmp/.c File Path Unidentified Python Script /tmp/R5, /var/R5 File Path ReverseSocks5 Binary Paths Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Cybercriminals now enter through your suppliers instead of your front door – Free Webinar Tags cyber security cyber security news vulnerability Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News Critical PHP SOAP Extension Vulnerabilities Enables Remote Code Execution Attacks New PamDOORa Backdoor Attacking Linux Systems to Steal SSH Credentials Fragnesia Linux Vulnerability Let Attackers Gain Root Privileges – PoC Released Let’s Encrypt Halts Certificate Issuance After Cross-Signed Root Certificate Incident WatchGuard Agent Vulnerabilities Let Attackers Grant Full SYSTEM Privileges on Windows Latest News Cyber Security Fragnesia Linux Vulnerability Let Attackers Gain Root Privileges – PoC Released Cyber Security News ClickFix Evolves with 10-Year-Old Open-Source Python SOCKS5 Proxy Cyber Security News Critical SandboxJS Escape Vulnerability Enables Host Takeover Cyber Security News iOS 26.5 Brings End-to-end Encrypted RCS Messaging Between iPhone and Android Cyber Security News New Exim BDAT GnuTLS Vulnerability Enables Code Execution Attacks