Palo Alto Networks firewall zero-day exploited for nearly a month

TL;DR

A zero-day vulnerability in Palo Alto Networks’ PAN-OS firewalls has been exploited by suspected state-sponsored actors for nearly a month. Palo Alto has issued warnings and is working on patches, while attackers deployed tunneling tools post-compromise.

Suspected state-sponsored hackers have been exploiting a critical zero-day vulnerability in Palo Alto Networks’ PAN-OS firewalls for nearly a month, with confirmed successful remote code execution attacks beginning April 16, 2026. This development raises significant security concerns for organizations relying on these firewalls to protect their networks.

Palo Alto Networks issued a security alert warning that a zero-day vulnerability, tracked as CVE-2026-0300, has been exploited in the wild since early April. The flaw is a buffer overflow in the PAN-OS User-ID Authentication Portal, also known as the Captive Portal, that allows unauthenticated attackers to execute arbitrary code with root privileges on exposed PA-Series and VM-Series firewalls.

According to Palo Alto Networks, the attackers began attempting exploitation around April 9, 2026, with their initial attempts unsuccessful. By April 16, they had succeeded in executing code remotely and injecting shellcode, and immediately took steps to cover their tracks by deleting crash logs and core dump files. Post-compromise, the attackers deployed the open-source tools Earthworm and ReverseSocks5, which can be used to establish covert communication channels and bypass network restrictions.

Security researchers from Unit 42 have linked this activity to a cluster of threat actors believed to be state-sponsored, designated CL-STA-1132. Shadowserver reports that over 5,400 exposed PAN-OS VM-Series firewalls, mostly in Asia and North America, are vulnerable to this attack vector. Palo Alto Networks has clarified that the flaw does not affect its Cloud NGFW or Panorama products.

Why It Matters

This vulnerability’s exploitation is significant because it enables attackers to gain persistent, root-level access to firewalls that are often exposed directly to the internet. The deployment of tunneling tools like Earthworm indicates the attackers’ intent to establish covert command channels, potentially enabling long-term espionage, data exfiltration, or network disruption. The attack pattern underscores the increasing targeting of network edge devices, which often lack comprehensive security monitoring and timely updates, making them attractive targets for sophisticated threat groups.

Furthermore, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-0300 to its Known Exploited Vulnerabilities catalog and required federal agencies to mitigate the risk by May 9, 2026. This incident exemplifies the broader trend of nation-state actors leveraging zero-days to compromise critical infrastructure and highlights the importance of rapid patching and network segmentation to limit potential damage.


Background

The vulnerability was discovered in the PAN-OS User-ID Authentication Portal, a component used for user authentication and device identification. The flaw stems from a buffer overflow that allows unauthenticated remote code execution, making it a critical-severity vulnerability. Palo Alto Networks initially warned customers on April 30, 2026, about the potential for exploitation and advised immediately restricting access to the portal or disabling it until patches are released. The company announced that patches are scheduled for release on May 13, 2026.

This zero-day follows a series of similar high-profile vulnerabilities exploited by advanced threat actors, including recent campaigns targeting network devices with unpatched or outdated firmware. The attack campaign aligns with the tactics of known state-sponsored groups, such as Volt Typhoon and APT41, which have historically targeted network infrastructure for espionage and disruption.

“We are aware of limited exploitation of CVE-2026-0300 at this time. The attackers exploited the vulnerability to achieve remote code execution and conducted log cleanup to evade detection.”

— Palo Alto Networks spokesperson

“The threat activity linked to CVE-2026-0300 appears to be orchestrated by a likely state-sponsored group, leveraging the vulnerability to establish persistent access.”

— Unit 42 security researcher

“We have added CVE-2026-0300 to our KEV catalog and are working with federal agencies to mitigate the threat by May 9, 2026.”

— CISA spokesperson


What Remains Unclear

It remains unclear how widespread the exploitation is beyond the known cluster, and whether additional threat groups are involved. The full scope of affected organizations and the extent of data compromised are still under investigation. Palo Alto Networks has not disclosed the full technical details of the vulnerability, and the timeline for patch deployment may be subject to delays.


What’s Next

Palo Alto Networks plans to release security patches on May 13, 2026. Organizations using affected firewalls are advised to implement immediate mitigation measures, such as restricting access to the User-ID Authentication Portal and disabling it if possible. Further threat activity may emerge as attackers attempt to exploit unpatched systems or leverage the tools deployed post-compromise.


Key Questions

What is CVE-2026-0300?

CVE-2026-0300 is a critical buffer overflow vulnerability in Palo Alto Networks’ PAN-OS User-ID Authentication Portal that allows unauthenticated remote code execution.

Who is exploiting this vulnerability?

Suspected state-sponsored threat actors, linked to a cluster called CL-STA-1132, have been exploiting this flaw since early April 2026.

How can organizations protect themselves now?

Organizations should restrict access to the User-ID Authentication Portal, disable it if possible, and monitor their firewalls for signs of compromise until patches are released on May 13, 2026.

Will there be patches available soon?

Palo Alto Networks has announced patches will be available starting May 13, 2026. In the meantime, mitigation steps are strongly advised.

What are the potential risks if unpatched?

Unpatched firewalls are vulnerable to remote code execution, which could enable attackers to establish persistent access, exfiltrate data, or disrupt network operations.
