Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution
Introduction
The public disclosure of CVE-2026-0300, a zero-day vulnerability in Palo Alto Networks PAN-OS software, was a significant event for defenders. The flaw sits in the User-ID™ Authentication Portal and permits unauthenticated remote code execution (RCE) with root privileges on PA-Series and VM-Series firewalls. Its identification, and its exploitation by a suspected state-sponsored threat actor, underline the importance of hardening the network edge and of proactive threat intelligence.
This incident demonstrates how advanced adversaries target critical network infrastructure. Examining the technical specifics of CVE-2026-0300, the tooling used by the threat actor tracked as CL-STA-1132, and the broader context of supply chain attacks and persistent threats provides practical guidance for defending enterprise environments. PurpleOps monitors these developments as part of its cyber threat intelligence coverage.
Adversaries continuously probe organizations with a mix of zero-day exploitation and attacks on well-known software vulnerabilities. This report details the technical aspects of the PAN-OS Captive Portal zero-day and related incidents, summarizing the information for security professionals and business leaders.
What is CVE-2026-0300 and how is it exploited?
CVE-2026-0300 is a buffer overflow vulnerability in the User-ID Authentication Portal (also known as Captive Portal) service of Palo Alto Networks PAN-OS software. Exploitation allows an unauthenticated attacker to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending specially crafted network packets to the portal.
The vulnerability stems from improper handling of attacker-supplied data in the Captive Portal service, which lets an attacker overwrite memory buffers and then inject and execute code at root privilege. Firewalls whose User-ID Authentication Portal is reachable from the public internet or other untrusted networks are at the highest risk, because no credentials are needed to reach the vulnerable code. Palo Alto Networks has confirmed that Prisma Access, Cloud NGFW, and Panorama appliances are not affected. Restricting portal access to trusted internal IP addresses removes the exposure that unauthenticated exploitation depends on and is the primary mitigation.
How did threat actor CL-STA-1132 exploit this zero-day?
The threat actor designated CL-STA-1132, a group assessed as likely state-sponsored, began exploitation attempts against PAN-OS devices on April 9, 2026. Initial attempts failed, but within a week the attackers achieved remote code execution on a targeted device by injecting shellcode into an nginx worker process.
Following the compromise, CL-STA-1132 immediately cleaned logs to hinder detection and forensic analysis: clearing kernel crash messages, deleting nginx crash entries and records, and removing core dump files. Four days later the attackers deployed additional tooling with root privileges and enumerated Active Directory (AD) using the firewall's service account credentials, querying the domain root and the DomainDnsZones partition. Further evidence suppression included deleting traces of the ptrace injection from the audit log and removing the set-user-ID (SUID) privilege escalation binary they had dropped.
On April 29, 2026, the attackers directed a Security Assertion Markup Language (SAML) flood at the initial target device. This prompted a second device to transition to the Active state and inherit the same internet-facing traffic, a failover that put the second device within reach of the same exploit. RCE was then achieved on that device, followed by the deployment of additional tunneling tools that provide covert command-and-control channels and support lateral movement. PurpleOps monitors for such persistent threats through its breach detection and cyber threat intelligence platform.
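The cleanup and injection behaviour described above is host telemetry a defender can alert on. The following Python is an added illustration written for this page, not tooling from PurpleOps or Palo Alto Networks. It assumes Linux auditd-style records and x86_64 syscall numbers; the audit lines and the process table are constructed for the example, and the rules flag three things at once: ptrace attach or memory writes into an nginx process, deletion of crash artefacts, and a file having its setuid bit set.

```python
import re
from collections import defaultdict

# Constructed auditd-style records (not from any real firewall). A serial number ties a SYSCALL
# record to its PATH records; syscall numbers are x86_64 (101 ptrace, 87 unlink, 263 unlinkat,
# 90 chmod, 268 fchmodat). Register values (a0..a3) are hex, as auditd prints them.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1713180000.101:501): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=4f2 a2=0 a3=0 pid=7710 uid=0 comm="loader" exe="/tmp/loader" key="ptrace"
type=SYSCALL msg=audit(1713180000.102:502): arch=c000003e syscall=101 success=yes exit=0 a0=4 a1=4f2 a2=7f1c2a000000 a3=909090cc pid=7710 uid=0 comm="loader" exe="/tmp/loader" key="ptrace"
type=SYSCALL msg=audit(1713180010.200:503): arch=c000003e syscall=87 success=yes exit=0 a0=55d0c0a0 a1=0 a2=0 a3=0 pid=7711 uid=0 comm="rm" exe="/bin/rm" key="delete"
type=PATH msg=audit(1713180010.200:503): item=1 name="/var/cores/core.nginx.1266.gz" inode=1234 nametype=DELETE
type=SYSCALL msg=audit(1713180020.300:504): arch=c000003e syscall=90 success=yes exit=0 a0=55d0c0b0 a1=9ed a2=0 a3=0 pid=7712 uid=0 comm="chmod" exe="/bin/chmod" key="perm_mod"
type=PATH msg=audit(1713180020.300:504): item=0 name="/tmp/.x/helper" inode=9999 nametype=NORMAL
type=SYSCALL msg=audit(1713180030.400:505): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=1f4 a2=0 a3=0 pid=800 uid=0 comm="gdb" exe="/usr/bin/gdb" key="ptrace"
"""

# Constructed process-table snapshot (pid -> comm), the kind of data `ps` would give.
SAMPLE_PROCS = {1266: "nginx", 500: "sshd", 7710: "loader", 800: "gdb"}

PTRACE_REQUESTS = {0x10: "ATTACH", 0x4206: "SEIZE", 0x4: "POKETEXT", 0x5: "POKEDATA", 0xd: "SETREGS"}
SYSCALLS = {101: "ptrace", 87: "unlink", 263: "unlinkat", 90: "chmod", 268: "fchmodat"}
SETUID_BIT = 0o4000
CRASH_ARTIFACT = re.compile(r"^/var/cores/|/crash|(^|/)core\.|\.core$", re.I)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")


def parse_audit(text):
    """Group SYSCALL and PATH records by event serial; returns events in serial order."""
    events = defaultdict(lambda: {"paths": []})
    for line in text.splitlines():
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        m = SERIAL_RE.search(fields.get("msg", ""))
        if not m:
            continue
        serial = int(m.group(2))
        ev = events[serial]
        ev["serial"] = serial
        if fields.get("type") == "SYSCALL":
            ev.update(fields)
        elif fields.get("type") == "PATH":
            ev["paths"].append(fields)
    return [events[s] for s in sorted(events)]


def detect(events, procs):
    """Three rules matching the post-exploitation behaviour described for CL-STA-1132.
    Returns (serial, rule, detail) tuples in event order."""
    findings = []
    for ev in events:
        name = SYSCALLS.get(int(ev.get("syscall", -1)))
        if name == "ptrace":
            req, target = int(ev["a0"], 16), int(ev["a1"], 16)
            # Rule 1: any process attaching to, or writing into, an nginx process.
            # Legitimate debugging of a firewall's nginx is rare enough to review every hit.
            if req in PTRACE_REQUESTS and procs.get(target) == "nginx":
                findings.append((ev["serial"], "ptrace_into_nginx",
                                 f"{ev['comm']} pid {ev['pid']} PTRACE_{PTRACE_REQUESTS[req]} -> nginx pid {target}"))
        elif name in ("unlink", "unlinkat"):
            # Rule 2: crash artefacts (core dumps, crash logs) being deleted.
            for p in ev["paths"]:
                if p.get("nametype") == "DELETE" and CRASH_ARTIFACT.search(p["name"]):
                    findings.append((ev["serial"], "crash_artifact_deleted", p["name"]))
        elif name in ("chmod", "fchmodat"):
            # Rule 3: the setuid bit being set; the mode is a1 for chmod and a2 for fchmodat.
            mode = int(ev["a1"] if name == "chmod" else ev["a2"], 16)
            if mode & SETUID_BIT:
                for p in ev["paths"]:
                    findings.append((ev["serial"], "setuid_bit_set", f"{p['name']} mode {mode:o}"))
    return findings


if __name__ == "__main__":
    for finding in detect(parse_audit(SAMPLE_AUDIT), SAMPLE_PROCS):
        print(*finding)
```

On the sample data the detector reports the two ptrace operations against the nginx worker, the core dump deletion and the 4755 chmod, and ignores the gdb attach to sshd. Because CL-STA-1132 also deleted audit entries, the rules are only as good as the log forwarding: ship audit records off the device as they are written rather than reading them back later.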
What open-source tools were used during the exploitation?
During exploitation of CVE-2026-0300, CL-STA-1132 deployed publicly available tunneling tools to maintain access and route command-and-control traffic. The primary tools identified were EarthWorm and ReverseSocks5.
EarthWorm is an open-source network tunneling tool written in C that runs on Windows, Linux, macOS, and ARM/MIPS-based platforms. It operates as a SOCKS v5 server and port-forwarding utility, enabling covert communication channels across network boundaries. Its capabilities include:
- Initiating a forward SOCKS5 server to proxy incoming connections (MITRE ATT&CK technique T1090).
- Establishing reverse SOCKS5 tunnels from internal hosts to external attacker-controlled bridges (T1090).
- Bridging data between two separate listening ports to facilitate pivot management (T1090).
- Forwarding traffic from a local port to a remote destination host and port (T1090).
- Chaining multiple transfer modes to create multi-hop cascaded network tunnels (T1572).
- Encapsulating traffic for protocols such as RDP and SSH within SOCKS tunnels (T1572).
EarthWorm has been linked to threat actors including CL-STA-0046, Volt Typhoon, UAT-8337, and APT41, showing its use in sophisticated operations. Choosing a widely shared utility over proprietary malware is a deliberate way to sidestep signatures written for custom implants, and the tool's circulation is itself a recurring theme in underground forum intelligence.
ReverseSocks5 is another open-source networking tool. It bypasses firewalls and Network Address Translation (NAT) by having the target machine open an outbound connection to a controller, the reverse of a conventional inbound proxy connection. Once connected, it provides a SOCKS5 proxy over that tunnel, allowing the controller to route traffic into the target's internal network. Because its source is public, both system administrators and threat actors use it for pivoting during an engagement or a breach. Nation-state actors commonly use publicly available tools like EarthWorm and ReverseSocks5 to complicate attribution and blend into environments, a pattern repeatedly observed by cyber threat intelligence providers.
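The distinction that matters for detection, for both EarthWorm's reverse modes and ReverseSocks5, is which end of the TCP connection is acting as the SOCKS server. The Python below is an added example written for this page (not code from either project): it parses a SOCKS5 exchange from both sides per RFC 1928 and decides whether the proxy is the host that accepted the connection (an ordinary forward proxy) or the host that dialed out (a reverse tunnel). The two flows, addresses and hostname are constructed for the example.

```python
import ipaddress
import struct

SOCKS_VER = 5
CMDS = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


def _addr(buf, off):
    """Decode ATYP + address + port starting at buf[off]; returns (addr, port, next_offset)."""
    atyp = buf[off]
    if atyp == ATYP_IPV4:
        addr, off = str(ipaddress.IPv4Address(buf[off + 1:off + 5])), off + 5
    elif atyp == ATYP_DOMAIN:
        n = buf[off + 1]
        addr, off = buf[off + 2:off + 2 + n].decode("ascii"), off + 2 + n
    elif atyp == ATYP_IPV6:
        addr, off = str(ipaddress.IPv6Address(buf[off + 1:off + 17])), off + 17
    else:
        raise ValueError(f"bad ATYP {atyp}")
    port = struct.unpack("!H", buf[off:off + 2])[0]
    return addr, port, off + 2


def parse_client_side(buf):
    """SOCKS client bytes: greeting (VER NMETHODS METHODS) then a request
    (VER CMD RSV ATYP DST.ADDR DST.PORT)."""
    if len(buf) < 2 or buf[0] != SOCKS_VER:
        raise ValueError("not a SOCKS5 greeting")
    n = buf[1]
    methods = list(buf[2:2 + n])
    off = 2 + n
    if len(buf) < off + 4 or buf[off] != SOCKS_VER or buf[off + 2] != 0 or buf[off + 1] not in CMDS:
        raise ValueError("not a SOCKS5 request")
    addr, port, _ = _addr(buf, off + 3)
    return {"methods": methods, "cmd": CMDS[buf[off + 1]], "dst": addr, "port": port}


def parse_server_side(buf):
    """SOCKS server bytes: method selection (VER METHOD) then a reply
    (VER REP RSV ATYP BND.ADDR BND.PORT)."""
    if len(buf) < 5 or buf[0] != SOCKS_VER or buf[2] != SOCKS_VER or buf[4] != 0:
        raise ValueError("not a SOCKS5 method selection + reply")
    addr, port, _ = _addr(buf, 5)
    return {"method": buf[1], "rep": buf[3], "bnd": addr, "bnd_port": port}


def analyze_flow(flow):
    """Work out which TCP endpoint is the SOCKS server. If the TCP *responder* sends the greeting,
    the host that dialed out is the proxy: the reverse-tunnel shape produced by ReverseSocks5 and
    EarthWorm's rssocks mode."""
    for mode, client_buf, server_buf in (("forward", flow["i2r"], flow["r2i"]),
                                         ("reverse", flow["r2i"], flow["i2r"])):
        try:
            c, s = parse_client_side(client_buf), parse_server_side(server_buf)
        except (ValueError, IndexError, struct.error, UnicodeDecodeError):
            continue
        proxy = flow["initiator"] if mode == "reverse" else flow["responder"]
        return {"socks5": True, "mode": mode, "proxy_host": proxy,
                "request": f"{c['cmd']} {c['dst']}:{c['port']}", "granted": s["rep"] == 0}
    return {"socks5": False}


def _socks5_connect(atyp_and_addr, port):
    # Greeting offering "no authentication" (method 0), then a CONNECT request.
    return b"\x05\x01\x00" + b"\x05\x01\x00" + atyp_and_addr + struct.pack("!H", port)


# Server side: method 0 selected, then a success reply bound to 0.0.0.0:0.
_SERVER_OK = b"\x05\x00" + b"\x05\x00\x00\x01" + b"\x00\x00\x00\x00" + b"\x00\x00"

# Constructed flows. i2r = bytes from the TCP initiator to the responder, r2i = the reverse.
FORWARD_FLOW = {  # ordinary proxy: the workstation dials the proxy and speaks first
    "initiator": "10.20.0.15", "responder": "10.20.0.254",
    "i2r": _socks5_connect(b"\x01" + bytes([10, 20, 0, 7]), 3389), "r2i": _SERVER_OK}

_DC = b"dc01.corp.example"
REVERSE_FLOW = {  # reverse tunnel: the firewall dials out, the external controller speaks first
    "initiator": "192.0.2.10", "responder": "203.0.113.9",
    "i2r": _SERVER_OK, "r2i": _socks5_connect(b"\x03" + bytes([len(_DC)]) + _DC, 389)}

if __name__ == "__main__":
    for name, flow in (("forward", FORWARD_FLOW), ("reverse", REVERSE_FLOW)):
        print(name, analyze_flow(flow))
```

For the reverse flow the analysis reports the firewall (the TCP initiator) as the proxy and a CONNECT to the domain controller on LDAP port 389, which is exactly the traffic shape that the AD enumeration described earlier would produce. A SOCKS5 greeting arriving from the remote side of an outbound connection is a strong signal on its own, independent of which tool produced it.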
How do these attacks relate to broader supply chain risks and persistent threats?
The exploitation of CVE-2026-0300 shows how nation-state actors increasingly target edge-network assets: firewalls, routers, IoT devices, hypervisors, and VPN appliances. Such devices often hold high-privilege access and credentials while lacking the logging and endpoint security agents found on standard hosts, which makes them attractive for long-term residency and data exfiltration. Monitoring them is a critical component of supply-chain risk management.
Actors like CL-STA-1132 rely on open-source tooling rather than custom malware, which reduces signature-based detection and helps them blend in. Combined with a disciplined cadence of intermittent interactive sessions spread over weeks, this keeps them below the thresholds of many automated alerting systems. Their lateral movement favors abuse of identity trust (for example, the firewall's AD service account) over network-layer pivoting, further reducing their footprint. This restraint, using short access windows rather than noisy persistence mechanisms, is a primary factor in maintaining long-term residency on edge infrastructure and calls for behavior-based breach detection.
Other recent incidents demonstrate the pervasive nature of supply chain attacks:
- ShinyHunters' Breaches: The hacking group ShinyHunters breached Instructure (Canvas LMS) and Vimeo. The Vimeo breach came through a third-party partner, Anodot, via stolen authentication tokens, and exposed customer email addresses and metadata for approximately 119,000 accounts, showing how a weaker link in the chain can compromise a larger target. The Instructure breach led to the theft of 3.65 terabytes of data and 275 million records, including private messages between students and teachers at universities such as Oxford, Cambridge, Harvard, and Stanford.
- PyPI Packages Delivering ZiChatBot Malware: Researchers identified three packages on the Python Package Index (PyPI), uuid32-utils, colorinal, and termncolor, built to deliver ZiChatBot malware to Windows and Linux systems. This "carefully planned and executed PyPI supply chain attack" used Zulip APIs as its C2 infrastructure. The ZiChatBot dropper shows a 64% similarity to a dropper used by the Vietnam-aligned group OceanLotus (APT32). The case illustrates how public software repositories are weaponized in supply chain attacks and why dark web monitoring that tracks such campaigns matters.
- vm2 Node.js Library Vulnerabilities: A dozen critical vulnerabilities, including CVE-2026-43997 (CVSS score: 10.0), were disclosed in the vm2 Node.js library. The flaws allow sandbox escape and arbitrary code execution on affected systems, a reminder that open-source components need the same patch discipline as vendor software. Users must update to version 3.11.2 for protection.
These examples show that both direct exploitation of zero-days and vulnerabilities introduced through the supply chain are critical attack vectors. Organizations need supply-chain risk monitoring and a cyber threat intelligence platform that covers both to understand and mitigate these interconnected threats. PurpleOps tracks such trends continuously, providing real-time ransomware intelligence and brand leak alerting to help organizations manage their exposure. The use of Microsoft Teams for social engineering and false-flag ransomware attacks by groups such as MuddyWater further shows how nation-state and cybercrime tactics are blending, which calls for live ransomware API integrations that support rapid response.
Interim Guidance for PAN-OS Users
Palo Alto Networks provided interim guidance to mitigate the risk from CVE-2026-0300:
- Restrict Access: Limit User-ID Authentication Portal access to trusted zones only. Disable Response Pages in the Interface Management Profile attached to every Layer 3 interface in any zone where untrusted or internet traffic can ingress, and keep Response Pages enabled only on interfaces in trust/internal zones where legitimate users' browsers arrive.
- Disable Portal: If the User-ID Authentication Portal is not required, disable it entirely.
- Threat Prevention: Customers with an Advanced Threat Prevention subscription can block attacks against this vulnerability by enabling Threat ID 510019, delivered in Applications and Threats content version 9097-10022. Threat ID support requires PAN-OS 11.1 or later.
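The "Restrict Access" step is easy to get wrong on a firewall with many interfaces, so it is worth checking the configuration mechanically. The Python below is an added example written for this page, not a Palo Alto Networks tool: it reads a PAN-OS-style XML configuration and lists every interface in an operator-defined set of untrusted zones whose Interface Management Profile still has Response Pages enabled. The sample configuration is constructed, and the element layout (network/profiles, network/interface/ethernet with its layer3/units subinterfaces, and vsys/zone membership) is the author's understanding of the running-config export format; confirm it against your own export before relying on the result.

```python
import xml.etree.ElementTree as ET

# Constructed PAN-OS-style configuration fragment for this example. Profile "portal" serves
# Response Pages; "ping-only" does not. ethernet1/1 and its subinterface sit in the untrust zone.
SAMPLE_CONFIG = """\
<config>
  <devices>
    <entry name="localhost.localdomain">
      <network>
        <profiles>
          <interface-management-profile>
            <entry name="ping-only"><ping>yes</ping><response-pages>no</response-pages></entry>
            <entry name="portal"><ping>yes</ping><response-pages>yes</response-pages></entry>
          </interface-management-profile>
        </profiles>
        <interface>
          <ethernet>
            <entry name="ethernet1/1">
              <layer3>
                <interface-management-profile>portal</interface-management-profile>
                <units>
                  <entry name="ethernet1/1.10"><interface-management-profile>portal</interface-management-profile></entry>
                </units>
              </layer3>
            </entry>
            <entry name="ethernet1/2"><layer3><interface-management-profile>portal</interface-management-profile></layer3></entry>
            <entry name="ethernet1/3"><layer3><interface-management-profile>ping-only</interface-management-profile></layer3></entry>
          </ethernet>
        </interface>
      </network>
      <vsys>
        <entry name="vsys1">
          <zone>
            <entry name="untrust"><network><layer3><member>ethernet1/1</member><member>ethernet1/1.10</member></layer3></network></entry>
            <entry name="dmz"><network><layer3><member>ethernet1/3</member></layer3></network></entry>
            <entry name="trust"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
          </zone>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>
"""

# Operator-defined: the zones where internet or otherwise untrusted traffic can ingress.
UNTRUSTED_ZONES = {"untrust", "dmz"}


def response_page_profiles(dev):
    """Names of Interface Management Profiles that have Response Pages enabled."""
    return {e.get("name") for e in dev.findall("./network/profiles/interface-management-profile/entry")
            if (e.findtext("response-pages") or "no").strip().lower() == "yes"}


def interface_profiles(dev):
    """Map each Layer 3 interface and subinterface to the management profile attached to it."""
    out = {}
    for eth in dev.findall("./network/interface/ethernet/entry"):
        prof = eth.findtext("./layer3/interface-management-profile")
        if prof:
            out[eth.get("name")] = prof.strip()
        for sub in eth.findall("./layer3/units/entry"):
            prof = sub.findtext("interface-management-profile")
            if prof:
                out[sub.get("name")] = prof.strip()
    return out


def exposed_portal_interfaces(xml_text, untrusted_zones):
    """Interfaces in an untrusted zone whose attached profile still serves Response Pages."""
    findings = []
    for dev in ET.fromstring(xml_text).findall("./devices/entry"):
        rp_on = response_page_profiles(dev)
        iface_prof = interface_profiles(dev)
        for vsys in dev.findall("./vsys/entry"):
            for zone in vsys.findall("./zone/entry"):
                if zone.get("name") not in untrusted_zones:
                    continue
                for member in zone.findall("./network/layer3/member"):
                    iface = (member.text or "").strip()
                    prof = iface_prof.get(iface)
                    if prof in rp_on:
                        findings.append({"vsys": vsys.get("name"), "zone": zone.get("name"),
                                         "interface": iface, "profile": prof})
    return findings


if __name__ == "__main__":
    for f in exposed_portal_interfaces(SAMPLE_CONFIG, UNTRUSTED_ZONES):
        print(f"{f['vsys']}/{f['zone']}: {f['interface']} uses profile '{f['profile']}' with Response Pages on")
```

On the sample configuration the check reports ethernet1/1 and ethernet1/1.10, both in the untrust zone with the "portal" profile, and is silent about ethernet1/3 in the DMZ because its profile has Response Pages off. Each finding needs either the profile edited or a profile without Response Pages attached to that interface, as the guidance above describes; ethernet1/2 keeps its profile because it faces the trust zone where legitimate users' browsers arrive.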
For more details on Palo Alto Networks vulnerabilities and their impact, refer to our analysis on the Palo Alto PAN-OS RCE vulnerability and the Palo Alto GlobalProtect zero-day RCE (CVE-2024-3400). Similar issues have been observed in other network security products, such as the FortiOS SSO zero-day.
Technical Takeaways
- CVE-2026-0300 is an unauthenticated Remote Code Execution (RCE) vulnerability in Palo Alto Networks PAN-OS User-ID Authentication Portal, classified as a buffer overflow.
- Exploitation involves sending specially crafted packets to publicly exposed PA-Series and VM-Series firewalls, granting root privileges to the attacker.
- The threat actor CL-STA-1132 (suspected state-sponsored) conducted targeted exploitation, including shellcode injection into nginx processes and extensive log cleanup.
- Attackers used open-source tunneling tools like EarthWorm and ReverseSocks5 for persistence and covert communication. This tactic is designed to evade signature-based detection.
- The campaign involved Active Directory enumeration post-exploitation and a SAML flood to propagate the attack to a second firewall.