SecurityWeek reports that Palo Alto Networks has disclosed in-the-wild exploitation of the recently announced zero-day affecting its PA-Series and VM-Series firewalls, tracked as CVE-2026-0300, which allows unauthenticated remote code execution with root privileges. The firm said patches are slated for May 13 and May 28 and has provided mitigations for the interim.
A blog post described the in-the-wild exploitation, and Palo Alto attributes the attack to a “likely state-sponsored” threat group tracked as CL-STA-1132. The first exploitation attempts were seen on April 9, and successful remote code execution followed a week later, accompanied by shellcode injection into Nginx worker processes.
Following compromise, the attackers allegedly covered their tracks by deleting Nginx crash log entries and core dumps, and four days later deployed tooling with root privileges before enumerating Active Directory using the firewall’s service account credentials. The attackers reportedly used Earthworm and ReverseSocks5 to establish covert channels and bypass firewall controls. The report emphasises that the activity carries the hallmarks of Chinese state-backed hacking, though Palo Alto stops short of a direct country attribution.