Palo Alto Networks has disclosed that attackers may have unsuccessfully attempted to exploit a recently disclosed critical security flaw as early as April 9, 2026.
The vulnerability in question, CVE-2026-0300 (CVSS score: 9.3/8.7), is a buffer overflow vulnerability in the User Identity Authentication Portal service of Palo Alto Networks PAN-OS Software that could allow an unauthenticated attacker to execute arbitrary code with root privileges by sending a specially crafted packet.
Although the fix is expected to be released starting May 13, 2026, we recommend that you protect access to the PAN-OS User Identity Authentication Portal by restricting access to the trusted zone or completely disabling it if it is not in use.
In an advisory issued Wednesday, the network security company said it is aware of limited exploitation of the flaw. CL-STA-1132 tracks activity based on suspected state-sponsored threat clusters of unknown origin.
“The attackers behind this activity exploited CVE-2026-0300 to achieve unauthenticated remote code execution (RCE) on PAN-OS software. Successful exploitation allowed the attackers to inject shellcode into nginx worker processes,” Palo Alto Networks Unit 42 said.
The cybersecurity firm said it had observed unsuccessful exploitation attempts against PAN-OS devices starting April 9, 2026, and a week later, attackers were able to remotely execute code and inject shellcode against the appliance.
Once initial access was achieved, the attackers took steps to cover their tracks by clearing crash kernel messages, deleting nginx crash entries and nginx crash records, and deleting crash core dump files.
Post-exploitation activities conducted by the attackers included performing Active Directory (AD) enumeration and dropping additional payloads such as EarthWorm and ReverseSocks5 onto a second device on April 29, 2026. Both tools were previously used by various China-related hacking groups.
“Over the past five years, nation-state threat actors engaged in cyberespionage have increasingly focused on edge network technology assets such as firewalls, routers, IoT devices, hypervisors, and various VPN solutions. These technology assets provide highly privileged access but often lack the robust logging and security agents found on standard endpoints,” Unit 42 said.
“The attackers behind CL-STA-1132 relied on open source tools rather than proprietary malware, minimizing signature-based detection and facilitating seamless environmental integration. This technical choice, combined with a disciplined operational cadence of intermittent interactive sessions over several weeks, intentionally fell below the operational threshold of most automatic alert systems.”
Source link
