State-sponsored hackers likely behind zero-day attacks on Palo Alto firewalls

Palo Alto Networks believes the in-the-wild exploitation of a zero-day vulnerability (CVE-2026-0300) in its firewalls is likely the work of state-sponsored threat actors.


A flaw with no patch (yet)

CVE-2026-0300 is a buffer overflow vulnerability in the User-ID Authentication Portal service of Palo Alto Networks PAN-OS software, and can be exploited by unauthenticated attackers sending specially crafted packets to internet-facing User-ID Authentication Portals.

The flaw affects Palo Alto Networks’ PA-Series and VM-Series firewalls, and the company is still working on delivering security updates.

In the meantime, it advised customers to either disable the vulnerable portal (if not required) or to restrict access to it to trusted zones only, and to “disable Response Pages in the Interface Management Profile attached to every L3 interface in any zone where untrusted/internet traffic can ingress.”

The company has also provided specific threat prevention / attack blocking signatures for customers with a Threat Prevention subscription, and released indicators of compromise organizations can use to check whether they’ve been targeted.

Three weeks of stealthy, multi-stage intrusion

Palo Alto’s Unit 42 researchers say that the initial (unsuccessful) probing of CVE-2026-0300 started on April 9, 2026.

About a week later, the attackers achieved remote code execution via CVE-2026-0300 and injected shellcode into the first device, then followed up with clearing crash kernel messages, deleting nginx crash entries and records, and removing crash core dump files to cover their tracks.

Four days after that, the attackers deployed multiple tools with root privileges, and then used the firewall’s service account credentials to perform reconnaissance through Active Directory enumeration. Afterward, they covered their tracks again by deleting ptrace injection evidence from the audit log and removing the SetUserID (SUID) privilege escalation binary.
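Deleting individual audit records leaves a hole in the record serial numbers, which is something a defender can check for. The following is an added example (not Unit 42's tooling or PAN-OS output): it scans constructed Linux auditd-style lines for serial-number gaps and for ptrace syscalls, assuming x86_64 syscall numbering.

```python
import re
from typing import Dict

# Constructed sample of Linux auditd-style records (not real PAN-OS output).
# Serials 1003-1004 are missing, as if the entries covering an injection had
# been removed, and serial 1005 records a ptrace call from an odd binary.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1712700000.101:1001): arch=c000003e syscall=59 success=yes exe="/usr/bin/bash"
type=SYSCALL msg=audit(1712700000.205:1002): arch=c000003e syscall=2 success=yes exe="/usr/bin/cat"
type=SYSCALL msg=audit(1712700003.017:1005): arch=c000003e syscall=101 success=yes exe="/tmp/.x"
type=SYSCALL msg=audit(1712700003.442:1006): arch=c000003e syscall=59 success=yes exe="/usr/bin/bash"
"""

# auditd writes msg=audit(<epoch.ms>:<serial>); the serial increases by one
# per event, so a jump means records are missing from the log.
AUDIT_RE = re.compile(
    r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\).*?syscall=(?P<syscall>\d+)"
)
PTRACE_SYSCALL_X86_64 = 101  # __NR_ptrace on x86_64 (assumed architecture)


def analyse_audit_log(text: str) -> Dict[str, list]:
    """Return serial gaps (possible deleted records) and ptrace events seen."""
    gaps, ptrace_events = [], []
    prev_serial = None
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue  # ignore lines that are not SYSCALL records
        serial = int(m.group("serial"))
        if prev_serial is not None and serial > prev_serial + 1:
            gaps.append((prev_serial + 1, serial - 1))  # inclusive missing range
        prev_serial = serial
        if int(m.group("syscall")) == PTRACE_SYSCALL_X86_64:
            exe = re.search(r'exe="([^"]+)"', line)
            ptrace_events.append((serial, exe.group(1) if exe else None))
    return {"gaps": gaps, "ptrace": ptrace_events}


if __name__ == "__main__":
    print(analyse_audit_log(SAMPLE_AUDIT_LOG))
```

A gap immediately before or after a ptrace event from an unexpected executable is worth treating as an anti-forensics indicator rather than a benign log rotation.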

Finally, on April 29, they launched a SAML flood against that first device, so that a second device would be promoted to Active and inherit the same internet-facing traffic.

They repeated CVE-2026-0300 exploitation on that device, achieved RCE again, and downloaded the EarthWorm and ReverseSocks5 network tunneling tools, likely to establish persistent tunneling and proxy capabilities for continued access.

“EarthWorm has reportedly been used by the threat actor behind CL-STA-0046, Volt Typhoon, UAT-8337 and APT41,” the researchers noted. (All except the first one are suspected to be China-nexus APT groups.)

Palo Alto says that they are “aware of only limited exploitation of CVE-2026-0300 at this time,” but they didn’t identify the targets.
