Critical Palo Alto Networks PAN-OS RCE (CVE-2026-0300) Under Active Exploitation

A critical unauthenticated root RCE vulnerability in the PAN-OS User-ID Portal is being exploited in the wild. Unit 42 has confirmed targeted cyberespionage ac…


Palo Alto Networks has confirmed limited active exploitation of CVE-2026-0300, a critical vulnerability within the PAN-OS User-ID Authentication Portal service. The flaw—a buffer overflow allowing unauthenticated remote code execution (RCE) with root privileges—was detected in the wild starting April 9, 2026, by Unit 42. Researchers have since reconstructed a targeted cyberespionage campaign leveraging the exploit. With official patches scheduled to roll out beginning May 13, 2026, and a federal deadline set for May 9, immediate mitigation is required.

Key Takeaways
  • CVE-2026-0300 enables unauthenticated root RCE on PA-Series and VM-Series firewalls via specially crafted packets sent to the User-ID Authentication Portal.
  • Unit 42 tracked campaign CL-STA-1132 starting April 9, 2026, observing initial failed attempts followed by successful RCE involving shellcode injection into nginx and surgical log deletion.
  • CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on May 6, 2026, mandating that FCEB agencies apply fixes or mitigations by May 9, 2026.
  • Patches will be released in two phases: the first beginning May 13, 2026, and the second around May 28, 2026.

Root RCE via Captive Portal Buffer Overflow

The vulnerability resides in the User-ID Authentication Portal service, frequently associated with the PAN-OS Captive Portal. It is a buffer overflow triggered by specially crafted packets; an attacker can overwrite target process memory to achieve arbitrary code execution with root privileges without providing credentials. Once control is established, the exploit allows for the manipulation of the nginx process running on the firewall, effectively turning the device into a persistent listening post and launchpad for lateral movement. Prisma Access, Cloud NGFW, and Panorama are not affected by this flaw.

The CVSS score reflects a clear bifurcation based on network topology. When the portal is exposed to the internet or untrusted networks, the severity reaches a 9.3 rating. Conversely, if access is restricted to internal trusted IP addresses, the score sits at 8.7. This distinction is more than a formality; it indicates that the actual attack surface is defined by perimeter configuration choices.

Campaign CL-STA-1132: From Initial Breach to Persistence

Unit 42 has tracked this activity under the codename CL-STA-1132. Malicious activity began on April 9, 2026, with unsuccessful exploit attempts against a PAN-OS device. Approximately one week later, the threat actors achieved successful remote code execution, initiating a post-exploitation phase characterized by meticulous cleanup and anti-forensics measures.

"The attacker behind this activity exploited CVE-2026-0300 to achieve unauthenticated remote code execution (RCE) in PAN-OS software. Upon successful exploitation, the attacker was able to inject shellcode into an nginx worker process." (Palo Alto Networks Unit 42, via The Hacker News)

Following initial access, the attackers removed kernel crash messages, nginx crash entries, and core dump files to eliminate technical artifacts that could trigger alerts. They subsequently conducted Active Directory enumeration to map the internal environment. On April 29, 2026, additional payloads were deployed against a second device, expanding the attackers' footprint within the target network.

The tools utilized in the campaign are open-source and have been previously linked to cyberespionage groups associated with Chinese interests. While Unit 42 stopped short of an explicit government attribution, they contextualized the operation within the broader trend of targeted strikes against perimeter network assets.

Perimeter Risk and the 9.3 CVSS Score

The decision to target the User-ID Authentication Portal is strategic. The service is designed to identify users and govern access to sensitive network segments; if exposed or misconfigured, it becomes the ideal weak point in a device meant to enforce security. This is the perimeter paradox: the firewall, the architect of defense, becomes the entry point for state-sponsored espionage.

Unit 42 places this campaign within a long-term trend. Over the past five years, state-sponsored cyberespionage actors have increasingly shifted focus toward edge assets, including firewalls, routers, IoT devices, hypervisors, and VPN solutions. These targets offer two primary advantages: privileged access at the network boundary and often limited visibility for internal logging and detection systems.

Mitigation and Response Strategy

Organizations should evaluate disabling the User-ID Authentication Portal if it is not business-critical. If the service is required, the immediate mitigation is to restrict access exclusively to trusted internal IP addresses, removing all direct exposure to the internet or untrusted segments.

Review interface and routing policies to ensure the Captive Portal is not reachable from external networks. Palo Alto Networks noted that organizations following these best practices are at significantly lower risk.
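The interim mitigation above boils down to one check: is every source range allowed to reach the User-ID Authentication Portal wholly contained in a trusted internal range? The following is an added example, not Palo Alto Networks code or PAN-OS configuration syntax; it assumes a simplified `PortalPolicy` model (a hypothetical name) that holds the allow-list after it has been exported and parsed, and a constructed list of trusted ranges. The page's two CVSS figures are attached to the resulting exposure class so the output maps onto the severity the vendor assigns.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed list of "trusted internal" ranges; an organization would substitute
# its own. Only same-IP-version comparisons are made below.
TRUSTED_INTERNAL = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class PortalPolicy:
    """Hypothetical, parsed view of the portal's reachability (not PAN-OS syntax)."""
    enabled: bool
    allowed_sources: list = field(default_factory=list)  # CIDR strings


def classify_exposure(policy: PortalPolicy):
    """Return (exposure_class, offending_cidrs).

    exposure_class is one of 'disabled', 'restricted' (every allowed source is
    inside a trusted range) or 'exposed' (at least one allowed source reaches
    beyond the trusted ranges, e.g. 0.0.0.0/0 or a public prefix).
    """
    if not policy.enabled:
        return "disabled", []
    offending = []
    for cidr in policy.allowed_sources:
        net = ipaddress.ip_network(cidr, strict=False)
        trusted_same_version = [t for t in TRUSTED_INTERNAL if t.version == net.version]
        # Accept the source only if it is a subnet of (or equal to) a trusted range.
        if not any(net.subnet_of(t) for t in trusted_same_version):
            offending.append(cidr)
    return ("exposed" if offending else "restricted"), offending


def vendor_cvss(exposure_class):
    """CVSS figures quoted in the article: 9.3 when internet/untrusted-reachable,
    8.7 when limited to trusted internal addresses; None when the portal is off."""
    return {"exposed": 9.3, "restricted": 8.7}.get(exposure_class)


if __name__ == "__main__":
    # Constructed policies: an internet-facing portal versus a correctly restricted one.
    for label, pol in [
        ("open", PortalPolicy(True, ["0.0.0.0/0"])),
        ("restricted", PortalPolicy(True, ["10.20.0.0/16", "192.168.5.0/24"])),
        ("mixed", PortalPolicy(True, ["10.0.0.0/8", "203.0.113.0/24"])),
    ]:
        cls, bad = classify_exposure(pol)
        print(f"{label}: {cls} cvss={vendor_cvss(cls)} offending={bad}")
```

Any `offending` entry is a range that should be removed or tightened before the patch windows; `203.0.113.0/24` in the mixed case shows how a single public prefix in an otherwise internal allow-list puts the device in the higher-severity class.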

Security teams should intensify monitoring of system logs, with a specific focus on nginx crash entries, kernel crash messages, and core dump files. The anomalous deletion of these files is a high-confidence indicator of manual post-exploitation activity.
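One way to turn that monitoring advice into a detection, as an added example that is not Unit 42's or Palo Alto Networks' code: scan file-audit events for deletions of crash logs and core dumps, and raise the severity when the artifact was created only minutes before it was removed, which is the create-then-scrub pattern the campaign description implies. The syslog-style line format, the `fw01` host name, and the artifact paths (`/var/cores/core.*`, `/var/log/nginx/crash.log`, `/var/log/kern.crash`) are constructed assumptions for this example, not PAN-OS log output; adapt the patterns to whatever your device actually emits.

```python
import re
from datetime import datetime, timedelta

# Constructed sample audit lines (not real PAN-OS output). The Apr 16 block shows a
# core dump and crash log removed two minutes after they appeared; the Apr 10/17
# pair shows routine housekeeping of a week-old core file for contrast.
SAMPLE_AUDIT_LOG = """\
2026-04-16T02:11:04Z fw01 audit: event=create path=/var/cores/core.nginx.2201 uid=0
2026-04-16T02:11:05Z fw01 audit: event=create path=/var/log/nginx/crash.log uid=0
2026-04-16T02:13:40Z fw01 audit: event=delete path=/var/cores/core.nginx.2201 uid=0
2026-04-16T02:13:41Z fw01 audit: event=delete path=/var/log/nginx/crash.log uid=0
2026-04-16T02:13:42Z fw01 audit: event=delete path=/var/log/kern.crash uid=0
2026-04-16T03:00:00Z fw01 audit: event=delete path=/tmp/session.cache uid=0
2026-04-10T00:05:00Z fw01 audit: event=create path=/var/cores/core.nginx.1500 uid=0
2026-04-17T00:05:00Z fw01 audit: event=delete path=/var/cores/core.nginx.1500 uid=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) audit: event=(?P<event>\w+) path=(?P<path>\S+) uid=(?P<uid>\d+)$"
)

# Artifact classes the article names: core dumps, nginx crash entries, kernel crash
# messages. Path patterns are assumptions for the constructed log above.
ARTIFACT_PATTERNS = [
    re.compile(r"^/var/cores/core\."),
    re.compile(r"^/var/log/nginx/crash\.log$"),
    re.compile(r"^/var/log/kern\.crash$"),
]


def parse(log_text):
    """Parse audit lines into dicts with a datetime 'ts'; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def is_artifact(path):
    return any(p.search(path) for p in ARTIFACT_PATTERNS)


def find_cleanup(events, window=timedelta(hours=1)):
    """Return one finding per deleted crash/core artifact, in time order.

    severity is 'high' when the same path was created within `window` before the
    deletion (artifact scrubbed almost as soon as it appeared) and 'medium' for any
    other deletion of an artifact path. 'age' is the create-to-delete timedelta or
    None when no matching create was seen.
    """
    created = {}
    findings = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if not is_artifact(e["path"]):
            continue
        if e["event"] == "create":
            created[e["path"]] = e["ts"]
        elif e["event"] == "delete":
            age = e["ts"] - created[e["path"]] if e["path"] in created else None
            severity = "high" if age is not None and age <= window else "medium"
            findings.append({"path": e["path"], "ts": e["ts"], "severity": severity, "age": age})
    return findings


if __name__ == "__main__":
    for f in find_cleanup(parse(SAMPLE_AUDIT_LOG)):
        print(f"{f['ts'].isoformat()} {f['severity']:6} {f['path']} age={f['age']}")
```

The kernel crash message deletion has no preceding create in the sample, so it is reported at medium rather than dropped: a deletion of that file class is still worth a look even when the creation happened before the retained log window. Tuning `window` trades false positives from scheduled cleanup against missing a slower manual scrub.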

Update plans should be prepared for the two upcoming patch windows: wave one starting May 13, 2026, and wave two around May 28, 2026. Priority must be given to devices that remain exposed or handle traffic from untrusted networks.

The CVE-2026-0300 case confirms a troubling reality: edge assets governing identity and access have become the primary targets of cyberespionage. When an identity service resides on the same device tasked with blocking external threats, a single buffer overflow grants an attacker not only entry but the root-level ability to erase their tracks. The question for security teams is no longer just when to patch, but why an authentication portal should ever be exposed without rigid network restrictions.

Frequently Asked Questions

Which Palo Alto devices are vulnerable?

CVE-2026-0300 affects PA-Series and VM-Series firewalls running PAN-OS with the User-ID Authentication Portal enabled. Prisma Access, Cloud NGFW, and Panorama are not affected.

Can risk be reduced before patches are available without disabling the service?

Yes. The primary mitigation is limiting portal access to trusted internal IP addresses. Palo Alto Networks states this configuration drastically reduces the probability of successful exploitation.

Are the observed attacks automated or targeted?

While Palo Alto Networks has classified the vulnerability as technically automatable, they have not confirmed that the in-the-wild attacks detected by Unit 42 were automated. Campaign CL-STA-1132 currently shows signs of manual, targeted post-exploitation.
