PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage
Source: The Hacker News
Overview
Palo Alto Networks disclosed that threat actors attempted to exploit a critical security flaw in PAN‑OS as early as April 9, 2026. The vulnerability, CVE‑2026‑0300, is a buffer overflow in the User‑ID Authentication Portal service. It allows an unauthenticated attacker to execute arbitrary code with root privileges by sending specially crafted packets. The CVSS score is reported as 9.3/8.7.
Mitigation
- Restrict or disable the PAN‑OS User‑ID Authentication Portal if it is not required.
- Disable Response Pages in the Interface Management Profile for any L3 interface that can receive untrusted or Internet traffic.
- For customers with Advanced Threat Prevention, enable Threat ID 510019 (Applications and Threats content version 9097‑10022) to block exploitation attempts.
Patches are expected to be released starting May 13, 2026.
Exploitation Details
- The advisory (issued Wednesday) indicates limited exploitation of the flaw, tracked under CL‑STA‑1132, a suspected state‑sponsored threat cluster.
- Attackers achieved unauthenticated remote code execution (RCE) and injected shellcode into an nginx worker process.
Source: Palo Alto Networks Unit 42
- Initial exploitation attempts were observed on April 9, 2026, with successful RCE occurring a week later.
Post‑Exploitation Activities
- Cleanup – Threat actors cleared kernel crash messages and deleted nginx crash entries and core dump files to hide their presence.
- Lateral Movement – Conducted Active Directory enumeration and dropped additional payloads:
  - EarthWorm
  - ReverseSocks5
These tools were deployed on a second device on April 29, 2026, and have been linked to China‑nexus hacking groups.
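The cleanup step above (deleted core dumps, removed crash-log entries) is the kind of anti-forensic activity a periodic artifact inventory can catch. The following is an added example, not code from Palo Alto Networks or Unit 42: it compares two collector snapshots and flags core files that vanished without an approved purge, and log lines that disappeared from the middle of a file, which rotation alone cannot explain. All paths, process names and log lines are constructed for the illustration; the article does not say where PAN-OS stores its crash data.

```python
"""Detect anti-forensic cleanup of crash artifacts between two snapshots.

Added illustration, not code from Palo Alto Networks or Unit 42. All paths,
log lines and the snapshot format are constructed for the example; the
article does not name where PAN-OS keeps its crash data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class Artifact:
    path: str
    size: int
    mtime: str  # ISO-8601 string, as a collector would record it


def vanished_artifacts(baseline: Iterable[Artifact], current: Iterable[Artifact],
                       approved_removals: FrozenSet[str] = frozenset()) -> List[str]:
    """Paths present in the baseline but gone now, minus removals the
    operator has approved (a scheduled core-dump purge, for example)."""
    now: Dict[str, Artifact] = {a.path: a for a in current}
    return sorted(a.path for a in baseline
                  if a.path not in now and a.path not in approved_removals)


def removed_log_entries(baseline_lines: List[str], current_lines: List[str]) -> List[str]:
    """Baseline lines missing from the current log that sit between lines
    that survived. Rotation and truncation remove a prefix of a log; they
    never leave holes in the middle, so a hole points at selective deletion."""
    current = set(current_lines)
    survivors = [i for i, line in enumerate(baseline_lines) if line in current]
    if not survivors:
        return []  # whole file gone or rotated away; covered by vanished_artifacts
    first, last = survivors[0], survivors[-1]
    return [line for line in baseline_lines[first:last + 1] if line not in current]


# Constructed snapshots: a scheduled collector records core files and the
# crash log before (baseline) and after the suspected intrusion (current).
BASELINE_ARTIFACTS = [
    Artifact("/var/cores/nginx.core.4412", 88_000_000, "2026-04-16T10:14:33Z"),  # hypothetical path
    Artifact("/var/cores/sshd.core.901", 12_000_000, "2026-03-02T08:00:00Z"),    # hypothetical path
]
CURRENT_ARTIFACTS = [
    Artifact("/var/cores/sshd.core.901", 12_000_000, "2026-03-02T08:00:00Z"),
]
APPROVED_REMOVALS: FrozenSet[str] = frozenset()  # nothing was purged on purpose

BASELINE_CRASH_LOG = [  # constructed lines, not real PAN-OS output
    "2026-04-16T10:01:02Z kernel: eth1 link is up",
    "2026-04-16T10:14:33Z kernel: nginx[4412]: segfault at 0 ip 00007f1c sp 00007ffd error 4",
    "2026-04-16T10:14:34Z kernel: core dumped to /var/cores/nginx.core.4412",
    "2026-04-16T10:15:00Z nginx: worker process 4412 exited on signal 11",
    "2026-04-16T11:00:00Z kernel: eth1 link is up",
]
CURRENT_CRASH_LOG = [  # the three crash-related lines are gone, neighbours remain
    BASELINE_CRASH_LOG[0],
    BASELINE_CRASH_LOG[4],
]


def findings() -> Dict[str, List[str]]:
    """Run both checks over the constructed snapshots."""
    return {
        "deleted_cores": vanished_artifacts(BASELINE_ARTIFACTS, CURRENT_ARTIFACTS, APPROVED_REMOVALS),
        "deleted_log_entries": removed_log_entries(BASELINE_CRASH_LOG, CURRENT_CRASH_LOG),
    }


if __name__ == "__main__":
    for kind, items in findings().items():
        print(f"{kind}: {len(items)}")
        for item in items:
            print("   ", item)
```

The value of the approach is that the baseline lives off the appliance: a collector that ships the inventory to a log platform before the intrusion gives the responder something the attacker's on-box cleanup cannot reach.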
Threat Actor Attribution
Unit 42 notes that over the past five years, nation‑state actors have increasingly targeted edge‑network assets (firewalls, routers, IoT devices, hypervisors, VPN solutions) because they provide high‑privilege access with limited logging.
The CL‑STA‑1132 group relied on open‑source tooling rather than proprietary malware, reducing the likelihood of signature‑based detection and allowing seamless integration into compromised environments. Their operational cadence involved intermittent interactive sessions over multiple weeks, staying below typical automated alert thresholds.
References
- CVE‑2026‑0300 details:
- Unit 42 advisory:
- Response Pages documentation:
- Interface Management Profile documentation:
- EarthWorm article:
- ReverseSocks5 article: