
PAN-OS RCE Flaw Under Active Exploitation, Enabling Root Access and Espionage

Palo Alto Networks has disclosed that threat actors may have made unsuccessful attempts to exploit a recently disclosed critical security flaw as early as April 9, 2026.

The vulnerability in question is CVE-2026-0300 (CVSS score: 9.3/8.7), a buffer overflow in the User-ID Authentication Portal service of Palo Alto Networks PAN-OS software that could allow an unauthenticated attacker to execute arbitrary code with root privileges by sending specially crafted packets.

While fixes are expected to be released starting May 13, 2026, customers are advised to secure access to the PAN-OS User-ID Authentication Portal in the meantime by restricting access to trusted zones, or by disabling the portal entirely if it is not in use.

In an advisory issued Wednesday, the network security company said it is aware of limited exploitation of the flaw. It is tracking the activity under the name CL-STA-1132, a suspected state-sponsored threat cluster of unknown provenance.

"The attacker behind this activity exploited CVE-2026-0300 to achieve unauthenticated remote code execution (RCE) in PAN-OS software. Upon successful exploitation, the attacker was able to inject shellcode into an nginx worker process," Palo Alto Networks Unit 42 said.


The cybersecurity company said it observed unsuccessful exploitation attempts against a PAN-OS device starting April 9, 2026. About a week later, the attackers managed to gain remote code execution against the appliance and inject shellcode.

Once initial access was achieved, the threat actors took steps to clear kernel crash messages, delete nginx crash entries and nginx crash logs, and remove crash core dump files in an attempt to cover their tracks. The cleanup is itself a signal: a buffer overflow that is exploited in a worker process is liable to crash that process first, so a crash of the nginx worker followed shortly by the disappearance of its crash evidence is an anomaly worth alerting on.
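The following is an added detection example, not code from the article or from Palo Alto Networks. It correlates a process-crash event with cleanup events (kernel log clearing, deletion of core dump or crash log files) on the same host within a short window, which is the anti-forensics sequence described above. The audit-log line format, the event type names, the file paths and the sample lines are all constructed for this example and are not PAN-OS log output; adapt the parser to whatever telemetry your firewalls actually forward.

```python
"""Flag an nginx worker crash that is followed by evidence cleanup on the same host.

Assumed (constructed) audit-log format, one event per line:
    <ISO-8601 timestamp> <host> <event_type> <free-text detail>
Event types used here: proc_crash, kernel_log_clear, file_delete.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry for two firewalls. fw-edge-01 shows the
# crash-then-cleanup pattern; fw-edge-02 shows a crash whose core file is
# only removed a day later, which the rule should treat as benign.
SAMPLE_LOG = """\
2026-04-16T03:12:07Z fw-edge-01 proc_crash nginx worker pid=4121 signal=SIGSEGV
2026-04-16T03:12:40Z fw-edge-01 kernel_log_clear dmesg ring buffer cleared uid=0
2026-04-16T03:13:02Z fw-edge-01 file_delete /var/cores/nginx.4121.core
2026-04-16T03:13:05Z fw-edge-01 file_delete /var/log/nginx/crash.log
2026-04-16T03:20:11Z fw-edge-01 file_delete /tmp/session.cache
2026-04-16T09:00:00Z fw-edge-02 proc_crash nginx worker pid=7002 signal=SIGSEGV
2026-04-17T11:00:00Z fw-edge-02 file_delete /var/cores/nginx.7002.core
"""

# Substrings that tie a file deletion to crash evidence (assumption for this example).
CLEANUP_MARKERS = ("core", "crash", "nginx")
# How soon after the crash a cleanup must occur to be considered linked to it.
WINDOW = timedelta(minutes=30)


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str
    detail: str


def parse_line(line: str) -> Event:
    """Split one constructed audit line into an Event (timestamp parsed as UTC)."""
    ts, host, kind, detail = line.split(" ", 3)
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), host, kind, detail)


def is_cleanup(ev: Event) -> bool:
    """Clearing the kernel log always counts; a deletion counts only if it hits crash evidence."""
    if ev.kind == "kernel_log_clear":
        return True
    if ev.kind == "file_delete":
        return any(marker in ev.detail.lower() for marker in CLEANUP_MARKERS)
    return False


def find_crash_cleanup(lines, window: timedelta = WINDOW) -> list:
    """Return one alert per nginx crash that is followed, on the same host and
    within `window`, by at least one cleanup event."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    alerts = []
    for i, ev in enumerate(events):
        if ev.kind != "proc_crash" or "nginx" not in ev.detail:
            continue
        followups = [
            e for e in events[i + 1:]
            if e.host == ev.host and e.ts - ev.ts <= window and is_cleanup(e)
        ]
        if followups:
            alerts.append({"host": ev.host, "crash": ev, "cleanup": followups})
    return alerts


if __name__ == "__main__":
    for alert in find_crash_cleanup(SAMPLE_LOG.splitlines()):
        print(f"[ALERT] {alert['host']}: nginx crash at {alert['crash'].ts.isoformat()} "
              f"followed by {len(alert['cleanup'])} cleanup event(s):")
        for e in alert["cleanup"]:
            print(f"    {e.ts.isoformat()} {e.kind} {e.detail}")
```

Run as-is and only fw-edge-01 is reported, with the dmesg clear and the two crash-evidence deletions; the unrelated `/tmp/session.cache` deletion and the day-later core removal on fw-edge-02 are ignored. The point of the rule is that each event alone is routine administration, while the sequence within minutes of a worker crash on an edge device is not.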

Post-exploitation actions conducted by the adversary included Active Directory (AD) enumeration and dropping additional payloads such as EarthWorm and ReverseSocks5 onto a second device on April 29, 2026. Both tools have previously been used by various China-nexus hacking groups.

"Over the past five years, nation-state threat actors engaged in cyber espionage have increasingly focused their efforts on edge-network technology assets, including firewalls, routers, IoT devices, hypervisors and various VPN solutions, which provide high-privilege access while often lacking the robust logging and security agents found on standard endpoints," Unit 42 said.


"The reliance of the attackers behind CL-STA-1132 on open-source tooling, rather than proprietary malware, minimized signature-based detection and facilitated seamless environment integration. This technical choice, combined with a disciplined operational cadence of intermittent interactive sessions over a multi-week period, deliberately remained below the behavioral thresholds of most automated alerting systems."
