By rssfeeds-admin Tracked as CVE-2026-0300, the flaw is a buffer overflow vulnerability residing in the User-ID Authentication Portal, also known as the Captive Portal service of PAN-OS, and it allows an unauthenticated remote attacker to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending specially crafted network packets.
The vulnerability enables unauthenticated remote code execution (RCE) against internet-facing PAN-OS deployments where the User-ID Authentication Portal is exposed to untrusted networks.
Upon successful exploitation, attackers can inject shellcode directly into an nginx worker process, granting them deep, persistent access to the underlying system. Prisma Access, Cloud NGFW, and Panorama appliances are not affected.
Risk is significantly elevated when the Authentication Portal is publicly reachable, making network segmentation and access restriction the most immediate mitigation step.
Palo Alto Networks’ Unit 42 threat intelligence team is tracking exploitation activity under the cluster designation CL-STA-1132, attributed to a likely state-sponsored actor.
The campaign timeline reveals a deliberate, methodical approach beginning April 9, 2026, when unsuccessful exploitation attempts were logged against a PAN-OS device.
One week later, the attackers successfully achieved RCE and injected shellcode. Immediately following the compromise, they conducted aggressive log destruction, clearing crash kernel messages, deleting nginx crash entries and records, and removing crash core dump files to impair forensic detection.
Four days after initial compromise, the attackers deployed multiple tools with root privileges and began Active Directory enumeration using service account credentials harvested from the firewall, targeting the domain root and DomainDnsZones.
Evidence of ptrace injection and SetUserID (SUID) privilege-escalation binaries was subsequently deleted from audit logs to further reduce their footprint.
On April 29, 2026, the attackers executed a SAML flood attack against the first compromised device, causing a secondary device to be promoted to Active status, inheriting the same internet-facing traffic configuration.
RCE was then achieved on this second device by downloading and deploying two open-source tunneling tools.
Earthworm and ReverseSocks5 for Post-Exploitation
The attackers relied exclusively on publicly available tooling rather than on proprietary malware, a deliberate choice that minimized the likelihood of signature-based detection.
EarthWorm, an open-source network tunneling tool written in C supporting Windows, Linux, macOS, and ARM/MIPS platforms, was used to establish covert SOCKS5 proxy tunnels and multi-hop cascaded network paths (MITRE ATT&CK T1090, T1572).
Earthworm has previously been linked to threat clusters including Volt Typhoon, APT41, UAT-8337, and CL-STA-0046.
ReverseSocks5 was used to establish outbound connections from compromised devices to an attacker-controlled controller, bypassing firewall and NAT restrictions to route traffic into the internal network via a SOCKS5 proxy tunnel.
Organizations should take one of the following immediate actions. First, restrict User-ID Authentication Portal access exclusively to trusted internal zones, and disable Response Pages in the Interface Management Profile on any L3 interface reachable from untrusted or internet-facing traffic. Second, if the Authentication Portal is not operationally required, disable it entirely.
Indicators of Compromise
| Indicator | Type | Description |
|---|---|---|
| 67.206.213[.]86 | IP Address | Attacker Infrastructure |
| 136.0.8[.]48 | IP Address | Attacker Infrastructure |
| 146.70.100[.]69 | IP Address | C2 Staging Server |
| 149.104.66[.]84 | IP Address | Attacker Infrastructure |
| hxxp[:]//146.70.100[.]69:8000/php_sess | URL | EarthWorm Download URL |
| hxxps[:]//github[.]com/Acebond/ReverseSocks5/releases/download/v2.2.0/ReverseSocks5-v2.2.0-linux-amd64.tar[.]gz | URL | ReverseSocks5 Download URL |
| e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584 | SHA-256 Hash | EarthWorm Binary |
| Safari/532.31 Mozilla/5.5 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36 Edg/138.0.0.0 | User Agent | Attacker User Agent String |
| /var/tmp/linuxap, /var/tmp/linuxda, /var/tmp/linuxupdate | File Path | Tunneling Tool Artifacts |
| /tmp/.c | File Path | Unidentified Python Script |
| /tmp/R5, /var/R5 | File Path | ReverseSocks5 Binary Paths |
[.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.Cybercriminals now enter through your suppliers instead of your front door – Free Webinar
The post Palo Alto Networks Firewall Zero-Day RCE Vulnerability Exploited in the Wild Since April appeared first on Cyber Security News.
Discover more from RSS Feeds Cloud
Subscribe to get the latest posts sent to your email.