Palo Alto Networks has issued an urgent warning regarding a critical zero-day vulnerability in its PAN-OS software, the operating system powering its industry-leading firewalls. The flaw, which allows for unauthenticated remote code execution with root privileges, is currently being exploited in highly targeted, likely state-sponsored attacks.
The vulnerability, tracked as CVE-2026-0300, carries a near-maximum CVSS severity rating of 9.3 out of 10. While the company is preparing a rollout of official patches, the discovery of active exploitation has put security teams worldwide on high alert.
The Vulnerability: Buffer Overflow in the Captive Portal
The flaw is a buffer overflow vulnerability located in the User-ID™ Authentication Portal (commonly known as the Captive Portal).
- Impacted Systems: PA-Series (hardware) and VM-Series (virtual) firewalls.
- Safe Systems: Prisma Access, Cloud NGFW, and Panorama appliances are currently reported as not affected.
- The Exploit: Attackers can bypass authentication and execute arbitrary code. Because the vulnerable process runs with root privileges, a successful exploit grants the attacker total control over the firewall device.
State-Sponsored Tactics: The CL-STA-1132 Campaign
Palo Alto Networks’ security researchers believe the activity is the work of a sophisticated, state-sponsored threat group tracked as CL-STA-1132, with suspected links to China.
The Attack Pattern:
- Initial Access: Exploitation of CVE-2026-0300 to gain a foothold.
- Network Pivoting: Attackers deployed public tunneling tools like EarthWorm and ReverseSocks5 to move traffic through the compromised network.
- Credential Theft: The group used credentials harvested from the firewall to query Active Directory, seeking to map out the internal network and escalate privileges.
- Anti-Forensics: To stay undetected, the actors systematically deleted logs and evidence of their presence before moving deeper into the victim’s infrastructure.
Are You at Risk?
Customers are vulnerable only if both of the following conditions are met:
- The User-ID Authentication Portal is enabled.
- The firewall is configured to show response pages on any Layer 3 interface that accepts untrusted traffic from the internet.
Immediate Mitigation and Patch Schedule
Official patches are being released in phases. If you cannot wait for the patch window, Palo Alto Networks recommends restricting access to the User-ID Authentication Portal to trusted internal IP addresses only.
Expected Patch Timeline:
- Phase 1: May 13, 2026 (Initial critical fixes).
- Phase 2: May 28, 2026 (Secondary maintenance releases).
Recommended Actions:
- Disable Response Pages: Disable the “Response Pages” feature on all internet-facing (untrusted) interfaces.
- Monitor for IoCs: Watch for the execution of tunneling tools (EarthWorm/ReverseSocks5) and unusual LDAP/Active Directory queries originating from your firewall management IP.
- Apply Patches Immediately: Prioritize the May 13th update for all PA-Series and VM-Series deployments.
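The "Monitor for IoCs" action above can be turned into simple detection logic. The following is an added example, not code from Palo Alto Networks or from the article: it scans constructed sample log lines for the two signals the advisory names, LDAP/Active Directory traffic sourced from a firewall management IP and execution of the EarthWorm or ReverseSocks5 tunneling tools. The log format, IP addresses, hostnames and the allowlist of expected directory servers are all assumptions made up for this example. Because a firewall with User-ID group mapping legitimately queries Active Directory over LDAP, the rule only flags LDAP connections from a management IP to a directory server that is not on the expected list, which is what makes such a query "unusual".

```python
"""Added example (not Palo Alto Networks' code): flag the two IoC signals from
the advisory in a constructed 'timestamp type key=value ...' log format."""
import re
from dataclasses import dataclass

# Assumptions for this example: your firewalls' management IPs and the
# directory servers User-ID is expected to query.
FIREWALL_MGMT_IPS = {"10.0.0.1", "10.0.0.2"}
EXPECTED_DIRECTORY_SERVERS = {"10.0.5.10"}

LDAP_PORTS = {389, 636, 3268, 3269}            # LDAP, LDAPS, Global Catalog
TUNNELING_TOOLS = {"earthworm", "reversesocks5"}  # tool names from the advisory

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


def parse_line(line: str) -> dict:
    """Parse '<ts> <type> k=v k="v v" ...' into a dict; {} if malformed."""
    parts = line.split(maxsplit=2)
    if len(parts) < 3:
        return {}
    fields = {"ts": parts[0], "type": parts[1]}
    for key, val in KV_RE.findall(parts[2]):
        fields[key] = val.strip('"')
    return fields


def check_ldap_from_firewall(ev: dict) -> bool:
    """LDAP/AD connection from a firewall mgmt IP to a non-allowlisted server."""
    if ev.get("type") != "conn":
        return False
    try:
        dport = int(ev.get("dport", ""))
    except ValueError:
        return False
    return (
        ev.get("src") in FIREWALL_MGMT_IPS
        and dport in LDAP_PORTS
        and ev.get("dst") not in EXPECTED_DIRECTORY_SERVERS
    )


def check_tunneling_tool(ev: dict) -> bool:
    """Process start whose executable basename is a named tunneling tool."""
    if ev.get("type") != "proc":
        return False
    basename = ev.get("name", "").rsplit("/", 1)[-1].lower()
    return basename in TUNNELING_TOOLS


RULES = {
    "ldap_query_from_firewall_mgmt_ip": check_ldap_from_firewall,
    "tunneling_tool_execution": check_tunneling_tool,
}


def scan(lines) -> list:
    """Return one Finding per (rule, line) match, in log order."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        for rule, predicate in RULES.items():
            if predicate(ev):
                findings.append(Finding(rule, line))
    return findings


# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2026-05-10T01:00:00Z conn src=10.0.0.1 dst=10.0.9.9 dport=443 proto=tcp",   # mgmt HTTPS, benign
    "2026-05-10T01:00:05Z conn src=10.0.0.1 dst=10.0.5.10 dport=389 proto=tcp",  # expected User-ID LDAP
    "2026-05-10T01:00:06Z conn src=10.0.0.1 dst=10.0.5.20 dport=389 proto=tcp",  # unexpected DC -> flag
    "2026-05-10T01:00:07Z conn src=10.0.7.33 dst=10.0.5.20 dport=389 proto=tcp", # workstation LDAP, benign
    '2026-05-10T01:01:00Z proc host=web01 name=/tmp/.x/ReverseSocks5 cmd="<omitted>"',  # flag
    '2026-05-10T01:01:10Z proc host=web01 name=/usr/sbin/sshd cmd="sshd"',       # benign
    '2026-05-10T01:02:00Z proc host=db02 name=/var/tmp/earthworm cmd="<omitted>"',      # flag
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"[{f.rule}] {f.line}")
```

Point the allowlist at the directory servers your User-ID configuration actually queries, and treat a hit on the LDAP rule as a trigger to review the firewall's own logs quickly, since the campaign described above deletes evidence on the device itself.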