Nation-state actors have been exploiting the PAN-OS zero-day CVE-2026-0300 for weeks, gaining unauthenticated remote code execution and root access on exposed PAN-OS firewalls. According to Palo Alto Networks, after exploitation attackers used tunneling tools such as EarthWorm and ReverseSocks5, enumerated Active Directory with stolen credentials, and deleted logs to obscure the intrusion.
The advisory notes that EarthWorm has been linked to China-linked groups including APT41, CL-STA-0046 and Volt Typhoon, and that the vulnerability is a buffer overflow affecting the User-ID portal when exposed to the internet. The issue is being exploited in a limited way, with Palo Alto Networks warning that the risk is greatly reduced for organisations following basic best practices, and that fixes are expected from 13 May 2026 for PA-Series and VM-Series firewalls using the portal.
EarthWorm and ReverseSocks5 are open-source tools used to establish covert channels. The report emphasises that the threat activity was observed over a multi-week period and involved non-persistent access windows used to maintain long-term residency on edge infrastructure.