Palo Alto Networks has disclosed that threat actors may have attempted to exploit a recently disclosed critical flaw as early as 9 April 2026. The vulnerability, CVE-2026-0300, is a buffer overflow in the PAN-OS User-ID Authentication Portal that could allow an unauthenticated attacker to execute arbitrary code with root privileges by sending specially crafted packets.
Fixes are expected to be released from 13 May 2026, and customers are advised to secure access to the portal by restricting it to trusted zones or disabling it if not used. In the advisory, the network security company said it is aware of limited exploitation and is tracking the activity under CL-STA-1132, a suspected state-sponsored threat cluster of unknown provenance, according to Unit 42.
The attackers reportedly achieved unauthenticated remote code execution by injecting shellcode into an nginx worker process, and then took steps to cover their tracks by clearing crash logs and core dumps. Post-exploitation activity included Active Directory (AD) enumeration and the deployment of EarthWorm and ReverseSocks5 on a second device on 29 April 2026.