PAN-OS RCE Exploit Actively Exploited for Root Access and Surveillance Operations
- May 8
- 3 min read
Key Findings
CVE-2026-0300, a critical buffer overflow in PAN-OS User-ID Authentication Portal, is under active exploitation by suspected state-sponsored actors
Unsuccessful exploitation attempts began April 9, 2026, with successful remote code execution achieved a week later
Attackers achieved root-level access and injected shellcode into nginx worker processes
Post-exploitation activities included Active Directory enumeration and deployment of EarthWorm and ReverseSocks5 tools
Threat activity tracked as CL-STA-1132 with suspected China-nexus attribution
Patches expected May 13, 2026; immediate mitigation recommended
Background
Palo Alto Networks disclosed a critical security vulnerability in its PAN-OS software that has become the target of active exploitation. CVE-2026-0300 carries a CVSS score of 9.3/8.7 and exists within the User-ID Authentication Portal service. The flaw is a buffer overflow vulnerability that allows unauthenticated attackers to execute arbitrary code with root privileges by crafting and sending specially designed packets to affected systems.
Exploitation Timeline and Methods
The threat actors began their attack campaign as early as April 9, 2026, though initial attempts were unsuccessful. By mid-April, they achieved successful remote code execution against a PAN-OS device. The attackers demonstrated technical sophistication by injecting shellcode directly into an nginx worker process, establishing a foothold on the compromised appliance.
Recognizing the importance of operational security, the adversaries immediately took steps to cover their tracks by clearing crash kernel messages, deleting nginx crash entries and records, and removing crash core dump files from the system.
Post-Exploitation Activity and Lateral Movement
Following initial compromise, the threat actors expanded their presence within the victim network. On April 29, 2026, they conducted Active Directory enumeration to map the network environment and identify additional targets. The attackers then deployed secondary payloads including EarthWorm and ReverseSocks5 against a second device on the network.
Both tools have established histories of use by China-nexus hacking groups, though Palo Alto Networks has not formally attributed the activity to a specific known threat actor. The use of open-source tooling rather than custom malware made detection more difficult, as signature-based security systems struggle to identify legitimate utilities being weaponized.
Targeting Edge Network Infrastructure
Unit 42 researchers highlighted that this campaign reflects a broader trend among nation-state cyber espionage actors. Over the past five years, state-sponsored groups have increasingly focused on edge-network assets including firewalls, routers, IoT devices, hypervisors, and VPN solutions. These targets are particularly attractive because they provide high-privilege access while typically lacking the robust logging and security monitoring found on standard enterprise endpoints.
Operational Tradecraft
The attackers demonstrated disciplined operational security practices that helped them evade detection. By using legitimate open-source tools, they avoided triggering signature-based detection mechanisms. Their approach of conducting intermittent interactive sessions over a multi-week period kept their activity below the behavioral thresholds that most automated alerting systems are configured to flag.
Mitigation and Patching Recommendations
Palo Alto Networks has provided multiple mitigation strategies for organizations awaiting patch deployment. Immediate steps include restricting access to the PAN-OS User-ID Authentication Portal to trusted zones only, or disabling the service entirely if it is not required for business operations.
Additional protections include disabling Response Pages in the Interface Management Profile for any Layer 3 interface that accepts untrusted or internet-originating traffic. Organizations with Advanced Threat Prevention subscriptions can enable Threat ID 510019 from Applications and Threats content version 9097-10022 to block exploitation attempts.
Official patches are expected to become available beginning May 13, 2026.
Sources
https://thehackernews.com/2026/05/pan-os-rce-exploit-under-active-use.html
https://www.reddit.com/r/SecOpsDaily/comments/1t6blme/panos_rce_exploit_under_active_use_enabling_root/
https://www.linkedin.com/posts/the-cyber-security-hub_pan-os-rce-exploit-under-active-use-enabling-activity-7458166373375045632-xqaW

Comments