top of page

PAN-OS RCE Exploit Actively Exploited for Root Access and Surveillance Operations

  • May 8
  • 3 min read

Key Findings


  • CVE-2026-0300, a critical buffer overflow in PAN-OS User-ID Authentication Portal, is under active exploitation by suspected state-sponsored actors

  • Unsuccessful exploitation attempts began April 9, 2026, with successful remote code execution achieved a week later

  • Attackers achieved root-level access and injected shellcode into nginx worker processes

  • Post-exploitation activities included Active Directory enumeration and deployment of EarthWorm and ReverseSocks5 tools

  • Threat activity tracked as CL-STA-1132 with suspected China-nexus attribution

  • Patches expected May 13, 2026; immediate mitigation recommended


Background


Palo Alto Networks disclosed a critical security vulnerability in its PAN-OS software that has become the target of active exploitation. CVE-2026-0300 carries a CVSS score of 9.3/8.7 and exists within the User-ID Authentication Portal service. The flaw is a buffer overflow vulnerability that allows unauthenticated attackers to execute arbitrary code with root privileges by crafting and sending specially designed packets to affected systems.


Exploitation Timeline and Methods


The threat actors began their attack campaign as early as April 9, 2026, though initial attempts were unsuccessful. By mid-April, they achieved successful remote code execution against a PAN-OS device. The attackers demonstrated technical sophistication by injecting shellcode directly into an nginx worker process, establishing a foothold on the compromised appliance.


Recognizing the importance of operational security, the adversaries immediately took steps to cover their tracks by clearing crash kernel messages, deleting nginx crash entries and records, and removing crash core dump files from the system.


Post-Exploitation Activity and Lateral Movement


Following initial compromise, the threat actors expanded their presence within the victim network. On April 29, 2026, they conducted Active Directory enumeration to map the network environment and identify additional targets. The attackers then deployed secondary payloads including EarthWorm and ReverseSocks5 against a second device on the network.


Both tools have established histories of use by China-nexus hacking groups, though Palo Alto Networks has not formally attributed the activity to a specific known threat actor. The use of open-source tooling rather than custom malware made detection more difficult, as signature-based security systems struggle to identify legitimate utilities being weaponized.


Targeting Edge Network Infrastructure


Unit 42 researchers highlighted that this campaign reflects a broader trend among nation-state cyber espionage actors. Over the past five years, state-sponsored groups have increasingly focused on edge-network assets including firewalls, routers, IoT devices, hypervisors, and VPN solutions. These targets are particularly attractive because they provide high-privilege access while typically lacking the robust logging and security monitoring found on standard enterprise endpoints.


Operational Tradecraft


The attackers demonstrated disciplined operational security practices that helped them evade detection. By using legitimate open-source tools, they avoided triggering signature-based detection mechanisms. Their approach of conducting intermittent interactive sessions over a multi-week period kept their activity below the behavioral thresholds that most automated alerting systems are configured to flag.


Mitigation and Patching Recommendations


Palo Alto Networks has provided multiple mitigation strategies for organizations awaiting patch deployment. Immediate steps include restricting access to the PAN-OS User-ID Authentication Portal to trusted zones only, or disabling the service entirely if it is not required for business operations.


Additional protections include disabling Response Pages in the Interface Management Profile for any Layer 3 interface that accepts untrusted or internet-originating traffic. Organizations with Advanced Threat Prevention subscriptions can enable Threat ID 510019 from Applications and Threats content version 9097-10022 to block exploitation attempts.


Official patches are expected to become available beginning May 13, 2026.


Sources


  • https://thehackernews.com/2026/05/pan-os-rce-exploit-under-active-use.html

  • https://www.reddit.com/r/SecOpsDaily/comments/1t6blme/panos_rce_exploit_under_active_use_enabling_root/

  • https://www.linkedin.com/posts/the-cyber-security-hub_pan-os-rce-exploit-under-active-use-enabling-activity-7458166373375045632-xqaW

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page