Unit 42 details active exploitation of CVE-2026-0300, a buffer overflow zero-day in the PAN-OS User-ID Authentication Portal (Captive Portal) that allows unauthenticated remote code execution with root privileges on PA-Series and VM-Series firewalls. A likely state-sponsored threat cluster, tracked as CL-STA-1132, began exploiting the vulnerability in April 2026: it injected shellcode into nginx worker processes, deployed open-source tunneling tools (EarthWorm, ReverseSocks5), enumerated Active Directory using credentials stolen from the firewall, and systematically destroyed forensic evidence on the device. Interim mitigations include restricting access to the portal to trusted zones, disabling the portal where it is not used, and enabling Threat ID 510019 with an Advanced Threat Prevention subscription. Indicators of compromise, including C2 IP addresses, file paths, and tool hashes, are listed in the Indicators of Compromise section.
Table of contents
Executive Summary
Details of the Vulnerability
Current Scope of the Attack Using CVE-2026-0300
Interim Guidance
Conclusion
Palo Alto Networks Product Protections for Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution
Indicators of Compromise