PAN-OS Captive Portal zero-day exploited since April 9 by suspected state actors
Original source: Palo Alto Networks firewall zero-day exploited for nearly a month (BleepingComputer)

Palo Alto Networks disclosed CVE-2026-0300, an unauthenticated remote code execution flaw in the PAN-OS User-ID Authentication Portal caused by a buffer overflow that yields root on Internet-exposed PA-Series and VM-Series firewalls. Unit 42 is tracking exploitation as cluster CL-STA-1132, with probing observed from April 9 and successful RCE plus shellcode injection roughly a week later. Post-compromise, operators wiped crash kernel messages, nginx crash entries, and core dumps before deploying EarthWorm and ReverseSocks5 to establish SOCKS proxies and outbound tunnels through NAT — tooling previously seen in Volt Typhoon, APT41, and other Chinese-nexus operations.
Shadowserver counts more than 5,400 exposed VM-Series firewalls, concentrated in Asia and North America. Cloud NGFW and Panorama are unaffected, but patches are not expected until May 13. CISA added the CVE to KEV and gave federal civilian agencies until midnight May 9 to remediate. Until fixes ship, Palo Alto recommends restricting the Authentication Portal to trusted zones or disabling it entirely.
The incident continues the pattern of edge devices — firewalls, VPNs, hypervisors — being weaponized faster than vendors can ship fixes, largely because they lack the endpoint-grade telemetry that would catch post-exploitation behavior like the log scrubbing seen here.
This is an AI-generated summary. Read the original for the full story.