Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution

Type: vulnerability. Status: open. Coverage: May 6, 2026 to May 19, 2026

Palo Alto Networks has released patches for a critical buffer overflow in the PAN‑OS User‑ID Authentication Portal (the feature formerly called Captive Portal) after observing the flaw exploited in the wild to drop EarthWorm and ReverseSocks5 payloads. The vulnerability, tracked as CVE-2026-0300, lets an unauthenticated remote attacker gain root privileges on exposed firewalls.

CVE-2026-0300 carries a CVSS v3 score of 9.3 and stems from insufficient input validation in the User‑ID portal: specially crafted packets trigger a stack‑based buffer overflow in the portal's request handling. Affected releases include PAN‑OS 12.1, 11.2 and 11.1 on both hardware and VM‑Series firewalls.

According to Unit 42, the first exploitation attempts were observed on 9 April 2026, with successful remote code execution reported about a week later. After gaining a foothold, the attackers used EarthWorm to establish covert tunnels and ReverseSocks5 for proxying, enumerated Active Directory with stolen credentials, and cleared the device's nginx logs to hide their activity.

The activity is attributed to the threat cluster CL-STA-1132, which Unit 42 assesses as likely state‑sponsored with overlaps to China‑based groups such as APT41 and Volt Typhoon. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalogue, confirming active, if so far limited, exploitation in the wild.

Defenders should apply the patches released on 13 May and 28 May without delay. Where immediate patching is not possible, disable the User‑ID Authentication Portal or restrict it to trusted internal zones via security policy, and keep it off any internet‑facing interface. Review the portal's authentication logs for abnormal spikes in requests or failures from single sources, and block or alert on unexpected outbound connections originating from the firewall itself, since that is how EarthWorm and ReverseSocks5 tunnels reach their operators.

Additional hardening steps include enforcing log retention and off‑box forwarding (so that logs wiped on the device survive on a syslog or SIEM collector), monitoring nginx worker processes for anomalous behaviour such as crashes or unexpected child processes, and ensuring management interfaces are not reachable from the internet. Network segmentation and limits on lateral movement further reduce the impact of any future compromise.
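The log review recommended above can be scripted. The following is an added example for this brief, not tooling from Palo Alto Networks or Unit 42: it parses nginx "combined" format access lines, flags sources that hammer the portal path inside a short window (the abnormal-spike check), flags sources whose requests repeatedly crash the handler (5xx bursts, which is what a memory-corruption attempt tends to look like from the access log), and reports long silences in an otherwise busy log as a cue that lines may have been deleted. The portal path `/portal/login`, the IP addresses and the log lines are constructed for the example and are not PAN-OS specifics; adjust the path and thresholds to your own logs.

```python
"""Heuristic review of portal access logs for exploitation indicators.

Added example for this brief; not Palo Alto Networks or Unit 42 code.
Works on nginx 'combined' format lines. The portal path, addresses and
sample lines are constructed for the example, not PAN-OS specifics.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx combined format: ip - user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<agent>[^"]*)"'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

PORTAL_PATH = "/portal/login"  # assumed path for the example, not the real PAN-OS URL

# Constructed sample: normal user traffic, a burst from one source that keeps
# crashing the handler until one request returns 200, then a long silence.
SAMPLE_LOG = """\
198.51.100.20 - - [16/Apr/2026:09:00:01 +0000] "GET /portal/login HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
198.51.100.20 - - [16/Apr/2026:09:00:05 +0000] "POST /portal/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Apr/2026:09:12:00 +0000] "POST /portal/login HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.7 - - [16/Apr/2026:09:12:01 +0000] "POST /portal/login HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.7 - - [16/Apr/2026:09:12:01 +0000] "POST /portal/login HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.7 - - [16/Apr/2026:09:12:02 +0000] "POST /portal/login HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.7 - - [16/Apr/2026:09:12:03 +0000] "POST /portal/login HTTP/1.1" 200 0 "-" "python-requests/2.31"
198.51.100.31 - - [16/Apr/2026:13:40:10 +0000] "GET /portal/login HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e["time"], TIME_FMT)
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def request_spikes(entries, path=PORTAL_PATH, window=timedelta(seconds=10), threshold=4):
    """Return {ip: peak} for sources that exceed `threshold` hits on `path`
    inside any sliding window of length `window`."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["path"].startswith(path):
            by_ip[e["ip"]].append(e["time"])
    spikes = {}
    for ip, times in by_ip.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            spikes[ip] = peak
    return spikes


def server_error_bursts(entries, path=PORTAL_PATH, min_errors=3):
    """Return {ip: count} for sources whose requests to `path` drew at least
    `min_errors` 5xx responses (repeated handler crashes)."""
    errs = defaultdict(int)
    for e in entries:
        if e["path"].startswith(path) and 500 <= e["status"] < 600:
            errs[e["ip"]] += 1
    return {ip: n for ip, n in errs.items() if n >= min_errors}


def log_gaps(entries, max_gap=timedelta(hours=2)):
    """Return (start, end, seconds) for silences longer than `max_gap`.
    On a portal that normally sees steady traffic, a hole in the log is a
    cue to compare against the off-box copy for deleted lines."""
    gaps = []
    times = sorted(e["time"] for e in entries)
    for a, b in zip(times, times[1:]):
        if b - a > max_gap:
            gaps.append((a, b, int((b - a).total_seconds())))
    return gaps


if __name__ == "__main__":
    ents = parse_log(SAMPLE_LOG)
    print("request spikes:", request_spikes(ents))
    print("5xx bursts:", server_error_bursts(ents))
    for a, b, s in log_gaps(ents):
        print(f"log gap: {a:%H:%M:%S} -> {b:%H:%M:%S} ({s}s)")
```

On the sample, the burst source is reported by both the spike and the 5xx checks, and the four-and-a-half-hour silence after it is reported as a gap. Thresholds are deliberately low for the constructed input; on a production portal, set `window`, `threshold` and `max_gap` from a baseline of normal traffic, and run the gap check against the syslog or SIEM copy as well, since an attacker who truncates the on-device log also removes the evidence of the gap.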

Tags: CVE-2026-0300, CVSS 9.3, KEV, CL-STA-1132
Root source: www.cve.org