Exploitation of CVE-2026-0300 in Palo Alto Networks PAN-OS
Recent research by Palo Alto Networks has uncovered a buffer overflow vulnerability, designated as CVE-2026-0300, affecting the User-ID Authentication Portal within the PAN-OS software. This flaw permits unauthenticated attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls through specially crafted network packets.
Exploitation of this vulnerability has been linked to a cluster of likely state-sponsored activities tracked by Unit 42, identified as CL-STA-1132. Initially, there were unsuccessful attempts to exploit this vulnerability from April 9, 2026, but attackers eventually gained remote code execution. Post-exploitation actions included deploying conventional tunneling tools like EarthWorm and ReverseSocks5, as well as performing Active Directory enumeration using credentials acquired from the compromised firewall. Furthermore, attackers systematically eliminated logs to cover their traces.
Defensive Context
Organizations utilizing Palo Alto Networks PAN-OS need to be particularly attentive to this vulnerability. Those operating PA-Series or VM-Series firewalls with publicly accessible User-ID Authentication Portals are at heightened risk. It is critical to note that Prisma Access, Cloud NGFW, and Panorama appliances are not affected.
Why This Matters
The risk of exploitation is particularly concerning due to the potential for unauthorized code execution with root privileges. This not only jeopardizes the integrity of network security but also allows attackers to move laterally within the network undetected, accessing sensitive information and systems.
Defender Considerations
Immediate attention should be directed at configuring the User-ID Authentication Portal to restrict access strictly to internal and trusted IP addresses. Additionally, engaging Palo Alto Networks Advanced Threat Prevention to enable Threat ID 510019 can help block exploitation attempts tied to CVE-2026-0300.
Environment Exposure
This threat is most relevant when the User-ID Authentication Portal is exposed to the public internet or untrusted networks. Organizations that adequately isolate this service to secure environments are less susceptible.
Indicators of Compromise (IOCs)
Key indicators associated with the exploitation include:
- IP Addresses: 67.206.213.86, 136.0.8.48, 146.70.100.69 (C2 staging), 149.104.66.84
- Download URLs: hxxp://146.70.100.69:8000/php_sess (EarthWorm download), hxxps://github.com/Acebond/ReverseSocks5/releases/download/v2.2.0/ReverseSocks5-v2.2.0-linux-amd64.tar.gz (ReverseSocks5 download)
- File hashes: e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584 (EarthWorm)
Organizations should actively monitor these indicators to identify potential compromises.
