Attackers exploited PAN-OS flaw for root RCE and espionage
Suspected state-linked actors used PAN-OS CVE-2026-0300 to gain unauthenticated root RCE, inject shellcode into nginx, erase logs and deploy EarthWorm and ReverseSocks5.
Palo Alto Networks’ Unit 42 reported that suspected state-linked actors exploited CVE-2026-0300, a buffer overflow in the User-ID Authentication Portal of PAN-OS, to achieve unauthenticated remote code execution with root privileges. The vulnerability carries critical-to-high severity ratings (CVSS scores reported at 9.3 and 8.7). Patches are expected to begin shipping on May 13, 2026; until then, customers were advised to restrict access to the User-ID Authentication Portal to trusted network zones, or to disable the service if it is not needed.
Unit 42 recorded failed exploitation attempts beginning April 9, 2026, and said the attackers obtained working remote code execution roughly a week later. After exploiting the buffer overflow, the intruders injected shellcode into an nginx worker process and then covered their tracks by clearing kernel crash messages, deleting nginx crash entries and records, and erasing crash core dump files. That choice of cleanup targets is consistent with the earlier failed attempts crashing nginx workers before the attackers achieved reliable execution, so crash logs and core dumps collected from the period before patching are worth preserving off-box as evidence.
Following the initial compromise, the actors performed Active Directory enumeration. On April 29, operators deployed additional payloads to a second device, including EarthWorm and ReverseSocks5. Unit 42 noted both tools have appeared in prior campaigns linked to groups with ties to China. The activity is being tracked as CL-STA-1132 and labeled a suspected state-sponsored cluster of unknown provenance.
The researchers observed that the attackers favored open-source tooling over custom malware to reduce signature-based detection and to blend into target environments. They also described a pattern of intermittent interactive sessions over several weeks that remained below the behavioral thresholds of many automated alerting systems.
Palo Alto Networks’ advisory highlighted that the vulnerability affects edge-network devices such as firewalls and perimeter appliances, where high-privilege access can be gained and conventional endpoint logs or security agents are typically absent. While organizations await the planned fixes, the company recommended monitoring for tampering with nginx logs and crash reports, unusual Active Directory queries, and indicators associated with known open-source backdoor tools.
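One practical way to act on the first of those recommendations is to compare the log and crash-artifact state of a device against a copy the attacker could not reach, such as entries forwarded to a syslog collector before the cleanup. The script below is an added example, not Unit 42's or Palo Alto Networks' code; the log lines, core-dump inventories and file names are constructed for illustration, the nginx error-log format is simplified, and no PAN-OS file paths or log formats are assumed.

```python
"""Detect selective log deletion and vanished core dumps on an edge appliance.

Technique: diff the on-device log against an off-box copy taken earlier, and
diff two core-dump inventories. A log that shrinks between two reads, and crash
dumps that disappear without a matching crash line, are the tampering pattern
the report describes. All sample data below is constructed.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed: nginx-style error log as forwarded off-box before the cleanup.
# Real nginx error logs carry a "YYYY/MM/DD HH:MM:SS [level] pid#tid:" prefix;
# this is a simplified stand-in, not the PAN-OS format.
FORWARDED_LOG = """\
2026-04-09T10:00:05 [alert] worker process 1188 exited on signal 11 (core dumped)
2026-04-09T10:02:17 [alert] worker process 1201 exited on signal 11 (core dumped)
2026-04-09T10:03:40 [alert] worker process 1210 exited on signal 11 (core dumped)
2026-04-09T10:03:41 [notice] start worker process 1222
2026-04-09T10:51:12 [notice] signal 1 (SIGHUP) received, reconfiguring
"""

# Constructed: the same log as read from the device afterwards. The three
# crash entries are gone; the benign lines are untouched.
ON_DEVICE_LOG = """\
2026-04-09T10:03:41 [notice] start worker process 1222
2026-04-09T10:51:12 [notice] signal 1 (SIGHUP) received, reconfiguring
"""

# Constructed: core-dump inventories (file name -> size in bytes) taken before
# and after. Dump locations and naming vary by platform; these are assumptions.
DUMPS_BEFORE = {"core.nginx.1188": 4194304,
                "core.nginx.1201": 4194304,
                "core.nginx.1210": 4194304}
DUMPS_AFTER = {}

CRASH_RE = re.compile(r"worker process (\d+) exited on signal (\d+)")


def parse_log(text):
    """Return (timestamp, message) tuples, skipping lines with no ISO timestamp."""
    entries = []
    for line in text.splitlines():
        ts, _, msg = line.partition(" ")
        try:
            entries.append((datetime.fromisoformat(ts), msg))
        except ValueError:
            continue
    return entries


def removed_entries(forwarded, on_device):
    """Entries present in the off-box copy but absent from the on-box log."""
    on_box = Counter(on_device)
    return [e for e in forwarded if on_box[e] == 0]


def worker_crashes(entries):
    """(pid, signal) for each worker-crash line; signal 11 is SIGSEGV."""
    out = []
    for _, msg in entries:
        m = CRASH_RE.search(msg)
        if m:
            out.append((int(m.group(1)), int(m.group(2))))
    return out


def missing_dumps(before, after):
    """Core dump files inventoried earlier that no longer exist."""
    return sorted(set(before) - set(after))


def assess(forwarded_text, on_device_text, dumps_before, dumps_after):
    """Summarise tampering indicators for an analyst or an alert rule."""
    removed = removed_entries(parse_log(forwarded_text), parse_log(on_device_text))
    crashes = worker_crashes(removed)
    gone = missing_dumps(dumps_before, dumps_after)
    # Deleted SIGSEGV crash lines whose core dumps also vanished: the report's
    # cleanup pattern. Either signal alone is weaker, so require both.
    segv_pids = {pid for pid, sig in crashes if sig == 11}
    dumps_for_segv = [d for d in gone if any(d.endswith(f".{pid}") for pid in segv_pids)]
    verdict = "tampering-suspected" if crashes and dumps_for_segv else "no-indicator"
    return {"removed_lines": len(removed), "removed_crashes": crashes,
            "missing_dumps": gone, "verdict": verdict}


if __name__ == "__main__":
    for key, value in assess(FORWARDED_LOG, ON_DEVICE_LOG, DUMPS_BEFORE, DUMPS_AFTER).items():
        print(f"{key}: {value}")
```

The design point is that the on-device log alone proves nothing once root has been obtained; the comparison only works against a baseline the attacker could not edit, which is the argument for forwarding appliance logs and periodically inventorying crash artifacts before an incident rather than after.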
Unit 42 provided technical indicators to affected customers and partners and continues to investigate the scope of the intrusions. In its advisory, the team wrote: “The attacker behind this activity exploited CVE-2026-0300 to achieve unauthenticated remote code execution (RCE) in PAN-OS software. Upon successful exploitation, the attacker was able to inject shellcode into an nginx worker process.”