thehackernews.com 5/7/2026, 2:11:22 PM · via preferred

Palo Alto Networks Warns of Exploits in CVE-2026-0300 PANOS

Developing story vulnerability 12 articles tracked
Palo Alto PAN-OS Captive Portal zero‑day (CVE-2026-0300) exploited in the wild
CyberSIXT Evidence Panel
CISA KEV Listed in KEV
Patch Patch Available

PALO Alto Networks has disclosed that threat actors may have attempted to exploit a recently disclosed critical flaw as early as 9 April 2026. The vulnerability, CVE-2026-0300, is a buffer overflow in the PAN-OS User-ID Authentication Portal that could allow an unauthenticated attacker to execute arbitrary code with root privileges by sending specially crafted packets.

Fixes are expected to be released from 13 May 2026, and customers are advised to secure access to the portal by restricting it to trusted zones or disabling it if not used. In the advisory, the network security company said it is aware of limited exploitation and is tracking the activity under CL-STA-1132, a suspected state-sponsored threat cluster of unknown provenance, according to Unit 42.

The attackers reportedly achieved unauthenticated remote code execution, injecting shellcode into an nginx worker process, and then took steps to cover their tracks by clearing crash logs and core dumps. Post-exploitation activity included AD enumeration and dropping EarthWorm and ReverseSocks5 against a second device on 29 April 2026.

View Primary Source Via thehackernews.com

Article by CyberSIXT

Timeline Coverage

Swipe to explore timeline