Palo Alto firewall zero-day has been exploited since April to gain root access
A critical Palo Alto Networks PAN-OS zero-day has been exploited in the wild since April 2026, giving attackers a path to unauthenticated remote code execution with root privileges on affected firewalls.
The flaw is tracked as CVE-2026-0300 and affects the User-ID Authentication Portal, also known as Captive Portal, in PAN-OS. Attackers can exploit it by sending specially crafted packets to vulnerable PA-Series and VM-Series firewalls.
Palo Alto Networks says exploitation remains limited, but Unit 42 is tracking the activity as CL-STA-1132, a likely state-sponsored cluster. The campaign shows why exposed firewall services need emergency attention, even when exploitation appears targeted.
What CVE-2026-0300 allows attackers to do
CVE-2026-0300 is a buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal. Palo Alto Networks rates it critical with a CVSS 4.0 score of 9.3.
The bug requires no authentication and no user interaction. If the affected portal is reachable from the internet or an untrusted network, an attacker can attempt remote code execution directly against the firewall.
Successful exploitation gives attackers root privileges. That can allow them to run commands, manipulate files, hide activity, deploy tools, and use the firewall as a pivot point into the internal network.
At a glance
| Item | Details |
|---|---|
| CVE | CVE-2026-0300 |
| Affected product | Palo Alto Networks PAN-OS |
| Affected devices | PA-Series and VM-Series firewalls |
| Affected feature | User-ID Authentication Portal, also known as Captive Portal |
| Severity | Critical, CVSS 4.0 score of 9.3 |
| Impact | Unauthenticated remote code execution with root privileges |
| Exploitation status | Limited exploitation observed in the wild |
| Threat cluster | CL-STA-1132 |
Which Palo Alto products are affected
The vulnerability applies only to PA-Series and VM-Series firewalls configured to use the User-ID Authentication Portal. Exposure depends on configuration, not only the installed PAN-OS version.
Palo Alto Networks says customers are impacted when the portal is enabled and response pages are enabled on an external or internet-accessible interface. Prisma Access, Cloud NGFW, and Panorama are not affected.
The risk is highest when the portal is reachable from the public internet or another untrusted network. Restricting access to trusted internal zones greatly reduces the attack surface, but it does not remove the vulnerable code: a device that still meets the two conditions above on any interface remains exploitable from that interface until a fixed PAN-OS release is installed.
Affected PAN-OS releases and fix schedule
| PAN-OS branch | Affected versions | Fixed versions or expected fixes |
|---|---|---|
| PAN-OS 12.1 | Versions below 12.1.4-h5 and 12.1.7 | 12.1.4-h5 expected May 13, 2026, and 12.1.7 expected May 28, 2026 |
| PAN-OS 11.2 | Versions below 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, and 11.2.12 | Fixes expected between May 13 and May 28, 2026 |
| PAN-OS 11.1 | Versions below 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15 | Fixes expected between May 13 and May 28, 2026 |
| PAN-OS 10.2 | Versions below 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6 | Fixes expected between May 13 and May 28, 2026 |
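The table's "versions below X" wording hides a few version-ordering traps: a base release sorts below its own hotfixes (11.1.7 is affected, 11.1.7-h6 is not), and a maintenance release with no listed hotfix of its own (11.1.5, say) has no fixed build in its line. The following script is an added example, not a Palo Alto Networks tool, that encodes the fix list exactly as printed above and classifies an inventory of installed versions. Its treatment of unlisted maintenance releases as affected, and of branches absent from the table (10.1, for instance) as simply "not covered", is this example's reading of the table rather than a statement from the vendor advisory; the version regex assumes the plain MAJOR.MINOR.MAINT[-hN] form.

```python
"""Check installed PAN-OS versions against the CVE-2026-0300 fix list above.

Classification rules (this example's reading of the table):
  * a fix listed for the same maintenance release: affected iff version < fix,
    where a base release sorts below any hotfix of the same release;
  * a maintenance release newer than every listed fix in its branch: fixed;
  * any other maintenance release in a listed branch (e.g. 11.1.5, which has
    no hotfix of its own and sits below 11.1.6-h32): affected;
  * a branch the table does not mention (e.g. 10.1): None, meaning
    "not covered by the table", which is not the same as "safe".
"""
from __future__ import annotations

import re
from typing import Optional

# Fixed versions exactly as listed in the table above.
FIXED_VERSIONS: dict[str, list[str]] = {
    "12.1": ["12.1.4-h5", "12.1.7"],
    "11.2": ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15"],
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6"],
}

# Assumption: versions are MAJOR.MINOR.MAINT with an optional -hN hotfix
# suffix. Anything else is rejected rather than guessed at.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Return (major, minor, maint, hotfix); hotfix is 0 for a base release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_affected(version: str) -> Optional[bool]:
    """True = below a listed fix, False = at or above one, None = branch not in table."""
    v = parse_version(version)
    fixes = FIXED_VERSIONS.get(f"{v[0]}.{v[1]}")
    if fixes is None:
        return None
    parsed = [parse_version(f) for f in fixes]
    same_release = [f for f in parsed if f[2] == v[2]]
    if same_release:
        # Same major/minor/maint on both sides, so the tuple comparison
        # reduces to comparing the hotfix number (base release = 0).
        return v < min(same_release)
    newest_fixed_maint = max(f[2] for f in parsed)
    # No fix on this maintenance line: fixed only if newer than every listed fix.
    return v[2] <= newest_fixed_maint


def classify(versions: list[str]) -> dict[str, str]:
    """Human-readable verdict per version, for running over a fleet inventory."""
    labels = {
        True: "AFFECTED - move to the fixed build for this line",
        False: "fixed",
        None: "branch not in table",
    }
    return {ver: labels[is_affected(ver)] for ver in versions}


if __name__ == "__main__":
    # Constructed inventory for demonstration, not real device data.
    for ver, verdict in classify(["11.1.6-h20", "11.1.7-h6", "11.1.5", "12.1.8", "10.1.14"]).items():
        print(f"{ver:<12} {verdict}")
```

Feed it the version strings from your inventory (the `sw-version` field of `show system info` is the usual source) and treat any `None` result as a prompt to read the vendor advisory for that branch rather than as a clean bill of health.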
How the attacks unfolded
Unit 42 says unsuccessful exploitation attempts began on April 9, 2026. About a week later, the attackers achieved remote code execution on a PAN-OS device and injected shellcode into an nginx worker process.
After the compromise, the attackers deleted crash kernel messages, nginx crash entries, crash records, and core dump files. That cleanup suggests the operators understood the appliance well and wanted to make forensic review harder.
Four days after initial compromise, the attackers deployed tools with root privileges and enumerated Active Directory using service account credentials likely obtained from the firewall. They targeted the domain root and DomainDnsZones during this phase.
April 29 activity expanded the compromise
On April 29, 2026, the attackers used a SAML flood against the first targeted device. This caused a second device, its high-availability peer, to become Active and inherit the same internet-facing traffic configuration, which put the same exposed portal in front of a device the attackers had not yet compromised.
The attackers then achieved remote code execution on the second device. They downloaded EarthWorm and ReverseSocks5, two public tunneling tools that can help route traffic through compromised systems.
This stage shows how a firewall compromise can turn into a wider network access problem. Once attackers create tunnels from an edge device, they can use that position to reach internal systems more quietly.
Tools and techniques observed
| Tool or action | Observed purpose | Defender concern |
|---|---|---|
| Shellcode injection into nginx | Post-exploitation execution inside a running process | Can make malicious activity harder to separate from normal service behavior |
| EarthWorm | SOCKS5 tunneling and multi-hop traffic routing | Can help attackers pivot across restricted network boundaries |
| ReverseSocks5 | Outbound SOCKS5 proxy tunnel | Can bypass inbound firewall and NAT restrictions |
| Active Directory enumeration | Discovery of domain resources through obtained credentials | Can support lateral movement and identity abuse |
| Log deletion | Removal of crash kernel messages, nginx crash entries, crash records, and core dump files | Can reduce visibility during incident response |
Why attackers used public tools
The attackers relied on open-source tools instead of custom malware. This choice can reduce signature-based detection because the same tools may also appear in legitimate administration or testing contexts.
EarthWorm supports SOCKS5 proxying, reverse tunnels, port forwarding, and chained network paths. Unit 42 says it has appeared in activity tied to other threat clusters, including Volt Typhoon and APT41.
ReverseSocks5 works by creating an outbound connection from the compromised system to an attacker-controlled controller. Once connected, it can route traffic into the target’s internal network through a SOCKS5 proxy tunnel.
Immediate mitigation steps
- Check whether User-ID Authentication Portal is enabled.
- Confirm whether response pages are enabled on external or internet-accessible Layer 3 interfaces.
- Restrict User-ID Authentication Portal access to trusted internal zones only.
- Disable Response Pages on interfaces that can receive untrusted or internet-facing traffic.
- Disable User-ID Authentication Portal entirely if the organization does not require it.
- Enable Threat ID 510019 if the organization has Advanced Threat Prevention and runs PAN-OS 11.1 or later.
- Prepare to install fixed PAN-OS releases as soon as the relevant branch update becomes available.
- Investigate exposed devices for shellcode injection, tunneling tools, deleted logs, and unusual Active Directory activity.
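The first three items above, together with the exposure conditions described under "Which Palo Alto products are affected", can be checked from a running-configuration export instead of by clicking through every interface. The script below is an added example, not a Palo Alto Networks tool: it parses an exported PAN-OS XML configuration (`show config running`, or the XML API's configuration export) and reports whether Captive Portal is enabled, which interface management profiles turn on Response Pages, which Layer 3 interfaces carry those profiles, and which of those interfaces sit in zones you name as untrusted. The element names it looks for (`captive-portal/enable-captive-portal`, `interface-management-profile`, `response-pages`, zone `layer3/member`) follow the layout of a PAN-OS config export but are an assumption of this example; verify them against your own export before relying on the result. The embedded sample configuration is constructed for the example.

```python
"""Audit a PAN-OS running-config export for the CVE-2026-0300 exposure conditions.

Exposure, per the advisory summary, requires both:
  1. the User-ID Authentication Portal (Captive Portal) enabled on a vsys, and
  2. Response Pages enabled on an interface management profile attached to a
     Layer 3 interface in an external / untrusted zone.

Element names are an ASSUMPTION based on the usual layout of a PAN-OS XML
export; check them against your own `show config running` output.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample config (not from any real device): Captive Portal on in
# vsys1, one untrust interface whose management profile turns on response
# pages, and one trust interface whose profile does not.
SAMPLE_CONFIG = """<config>
  <devices>
    <entry name="localhost.localdomain">
      <network>
        <profiles>
          <interface-management-profile>
            <entry name="ping-only"><ping>yes</ping></entry>
            <entry name="portal-mgmt"><ping>yes</ping><response-pages>yes</response-pages></entry>
          </interface-management-profile>
        </profiles>
        <interface>
          <ethernet>
            <entry name="ethernet1/1">
              <layer3>
                <interface-management-profile>portal-mgmt</interface-management-profile>
                <ip><entry name="203.0.113.10/24"/></ip>
              </layer3>
            </entry>
            <entry name="ethernet1/2">
              <layer3>
                <interface-management-profile>ping-only</interface-management-profile>
                <ip><entry name="10.10.0.1/24"/></ip>
              </layer3>
            </entry>
          </ethernet>
        </interface>
      </network>
      <vsys>
        <entry name="vsys1">
          <captive-portal><enable-captive-portal>yes</enable-captive-portal><mode>redirect</mode></captive-portal>
          <zone>
            <entry name="untrust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
            <entry name="trust"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
          </zone>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>
"""


@dataclass
class ExposureReport:
    portal_enabled_vsys: list[str] = field(default_factory=list)
    response_page_ifaces: dict[str, str] = field(default_factory=dict)  # iface -> zone
    untrusted_exposed: list[str] = field(default_factory=list)

    @property
    def exposed(self) -> bool:
        """Both conditions hold: portal on, and response pages on an untrusted interface."""
        return bool(self.portal_enabled_vsys) and bool(self.untrusted_exposed)


def audit_config(xml_text: str, untrusted_zones: set[str]) -> ExposureReport:
    root = ET.fromstring(xml_text)
    report = ExposureReport()
    vsys_entries = root.findall("./devices/entry/vsys/entry")

    # 1. Is Captive Portal enabled on any vsys?
    for vsys in vsys_entries:
        if (vsys.findtext("./captive-portal/enable-captive-portal") or "").strip() == "yes":
            report.portal_enabled_vsys.append(vsys.get("name", "?"))

    # 2. Which management profiles turn on Response Pages?
    rp_profiles = {
        p.get("name")
        for p in root.findall("./devices/entry/network/profiles/interface-management-profile/entry")
        if (p.findtext("response-pages") or "").strip() == "yes"
    }

    # 3. Map Layer 3 interfaces to zones so the caller can judge trust.
    iface_zone: dict[str, str] = {}
    for vsys in vsys_entries:
        for zone in vsys.findall("./zone/entry"):
            for member in zone.findall("./network/layer3/member"):
                iface_zone[(member.text or "").strip()] = zone.get("name", "?")

    # 4. Which interfaces carry a response-page profile? (Sub-interfaces hold
    #    the profile directly under their entry, hence the second lookup.)
    for container in root.findall("./devices/entry/network/interface"):
        for iface in container.iter("entry"):
            prof = (iface.findtext("./layer3/interface-management-profile")
                    or iface.findtext("./interface-management-profile") or "").strip()
            if prof in rp_profiles:
                name = iface.get("name", "?")
                zone = iface_zone.get(name, "(no zone)")
                report.response_page_ifaces[name] = zone
                if zone in untrusted_zones:
                    report.untrusted_exposed.append(name)
    return report


if __name__ == "__main__":
    r = audit_config(SAMPLE_CONFIG, untrusted_zones={"untrust"})
    print("captive portal enabled on:", r.portal_enabled_vsys or "none")
    print("response pages on:", r.response_page_ifaces or "none")
    print("EXPOSED" if r.exposed else "not exposed", "->", r.untrusted_exposed)
```

Interfaces reported with `(no zone)` deserve a manual look: a Layer 3 interface that carries a response-page profile but is not in any zone is still listening, and the script cannot tell you whether its network is trusted.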
Indicators of compromise
| Indicator | Type | Context |
|---|---|---|
| 67.206.213[.]86 | IP address | Attacker infrastructure |
| 136.0.8[.]48 | IP address | Attacker infrastructure |
| 146.70.100[.]69 | IP address | Command-and-control staging server |
| 149.104.66[.]84 | IP address | Attacker infrastructure |
| hxxp[:]//146.70.100[.]69:8000/php_sess | URL | EarthWorm download URL |
| hxxps[:]//github[.]com/Acebond/ReverseSocks5/releases/download/v2.2.0/ReverseSocks5-v2.2.0-linux-amd64.tar[.]gz | URL | ReverseSocks5 download URL |
| e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584 | SHA-256 | EarthWorm binary |
| /var/tmp/linuxap, /var/tmp/linuxda, /var/tmp/linuxupdate | File paths | Tunneling tool artifacts |
| /tmp/.c | File path | Unidentified Python script |
| /tmp/R5, /var/R5 | File paths | ReverseSocks5 binary paths |
What defenders should investigate
Organizations with exposed Authentication Portals should not stop at mitigation. Since the attacks began before public disclosure, security teams should review whether affected appliances were already touched.
Important signs include missing logs, unexpected crash cleanup, new or unknown files in temporary paths, unusual outbound connections, unknown SOCKS proxy activity, and Active Directory enumeration from firewall-related accounts.
Defenders should also rotate credentials that the firewall used or stored if compromise remains possible. If attackers obtained service account credentials, they may keep access even after the portal exposure changes.
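The indicator table and the investigation checklist above come together in a sweep like the following. It is an added example, not a Unit 42 or Palo Alto Networks tool: given a file inventory of (path, SHA-256) pairs from the appliance and its connection table in `ss -tn` layout, it refangs the indicators as printed on this page, matches paths and hashes (so a renamed EarthWorm copy still trips on its hash), flags unknown files in the temporary paths the tooling was staged in, and flags any peer in the attacker IP list. How you collect those inputs from a PAN-OS device is outside the example; the sample inputs are constructed and do not come from a real incident.

```python
"""Sweep artifacts collected from a PAN-OS appliance against the CL-STA-1132
indicators listed on this page.

Inputs: a list of (path, sha256) pairs and the connection table in `ss -tn`
layout. The sample data at the bottom is constructed for this example.
Indicators are kept defanged exactly as printed and refanged here, so the
table can be pasted in unchanged.
"""
from __future__ import annotations

from dataclasses import dataclass

IOC_IPS_DEFANGED = ["67.206.213[.]86", "136.0.8[.]48", "146.70.100[.]69", "149.104.66[.]84"]
IOC_SHA256 = {"e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584": "EarthWorm binary"}
IOC_PATHS = {
    "/var/tmp/linuxap": "tunneling tool artifact",
    "/var/tmp/linuxda": "tunneling tool artifact",
    "/var/tmp/linuxupdate": "tunneling tool artifact",
    "/tmp/.c": "unidentified Python script",
    "/tmp/R5": "ReverseSocks5 binary",
    "/var/R5": "ReverseSocks5 binary",
}
# Temp locations the observed tooling was staged in; an unknown file here is
# worth a look even when it matches no listed indicator.
TEMP_PREFIXES = ("/tmp/", "/var/tmp/")


def refang(indicator: str) -> str:
    """Undo the [.] / [:] / hxxp defanging used in the IOC table."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}


@dataclass(frozen=True)
class Finding:
    kind: str   # "path", "hash", "temp-file" or "c2-peer"
    value: str  # the path or peer that triggered the finding
    note: str


def sweep_files(records: list[tuple[str, str]]) -> list[Finding]:
    """Match on path and on hash; a renamed binary still trips on its hash."""
    findings: list[Finding] = []
    for path, digest in records:
        hit = False
        if path in IOC_PATHS:
            findings.append(Finding("path", path, IOC_PATHS[path]))
            hit = True
        if digest.lower() in IOC_SHA256:
            findings.append(Finding("hash", path, IOC_SHA256[digest.lower()]))
            hit = True
        if not hit and path.startswith(TEMP_PREFIXES):
            findings.append(Finding("temp-file", path, "unknown file in a temp path; review manually"))
    return findings


def sweep_connections(ss_lines: list[str]) -> list[Finding]:
    """Flag peers in the attacker IP list from `ss -tn`-style lines."""
    findings: list[Finding] = []
    for line in ss_lines:
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":
            continue  # header or malformed line
        peer = fields[4]
        host, _, port = peer.rpartition(":")
        if host in IOC_IPS:
            findings.append(Finding("c2-peer", peer, f"peer is listed attacker infrastructure (port {port})"))
    return findings


# Constructed sample data (not from a real device).
SAMPLE_FILES = [
    ("/var/tmp/linuxupdate", "e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584"),
    ("/var/tmp/sysdiag", "E11F69B49B6F2E829454371C31EBF86893F82A042DAE3F2FAF63DCD84F97A584"),  # renamed copy
    ("/tmp/.c", "0" * 64),
    ("/tmp/stage.py", "1" * 64),  # not a listed IOC, but unknown and in a temp path
    ("/etc/hosts", "2" * 64),     # benign control
]
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      192.0.2.10:52244     146.70.100.69:8000
ESTAB  0      0      192.0.2.10:52310     149.104.66.84:443
ESTAB  0      0      192.0.2.10:443       198.51.100.7:60112
"""

if __name__ == "__main__":
    for f in sweep_files(SAMPLE_FILES) + sweep_connections(SAMPLE_SS.splitlines()):
        print(f"[{f.kind:<9}] {f.value:<24} {f.note}")
```

A clean sweep is weak evidence on its own: the campaign deleted crash records and core dumps, so the absence of those files, and any gap in the crash log around the exposure window, is itself a finding to record alongside whatever this script returns.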
Why edge devices remain attractive targets
Firewalls, VPNs, routers, and other edge systems sit in valuable positions. They face the internet, process trusted traffic, and often lack the same endpoint detection coverage found on normal workstations and servers.
That makes them useful for stealthy access. Attackers can abuse them for tunneling, credential collection, lateral movement, and traffic interception.
CVE-2026-0300 fits this broader pattern. The vulnerability gives attackers root access on a security appliance, and the observed campaign shows how quickly that access can move from exploitation to internal discovery.
FAQ
What should administrators do right now?
Administrators should restrict User-ID Authentication Portal access to trusted internal zones, disable Response Pages on untrusted interfaces, or disable the portal if it is not required.
What is CVE-2026-0300?
CVE-2026-0300 is a critical buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal. It allows unauthenticated remote code execution with root privileges on affected PA-Series and VM-Series firewalls.
Is CVE-2026-0300 being exploited in the wild?
Yes. Palo Alto Networks and Unit 42 say limited exploitation has been observed, with activity beginning as early as April 9, 2026.
Are Prisma Access, Cloud NGFW, or Panorama affected?
Prisma Access, Cloud NGFW, and Panorama are not affected by CVE-2026-0300.