Palo Alto Networks firewall zero-day exploited for nearly a month
Security researchers warn of a critical PAN-OS zero-day (CVE-2026-0300) in the User-ID Authentication Portal that has been exploited by suspected state-sponsored actors to achieve unauthenticated remote code execution on internet-facing PA-Series and VM-Series firewalls for nearly a month. Exploitation began around April 9, 2026; attackers succeeded about a week later and deployed EarthWorm and ReverseSocks5 to establish covert tunnels. Shadowserver reports thousands of exposed PAN-OS VM-series devices, with most in Asia and North America; Cloud NGFW and Panorama are unaffected. Patches are expected to begin rolling out on May 13; CISA has added CVE-2026-0300 to the KEV catalog and ordered Federal agencies to secure vulnerable devices by May 9. In the meantime, admins should restrict access to the Captive Portal or disable it and verify settings under Device > User Identification > Authentication Portal Settings.

PALO ALTO NETWORKS FIREWALL ZERO-DAY EXPLOITED FOR NEARLY A MONTH
Overview
A critical-severity zero-day in Palo Alto Networks PAN-OS has been exploited by suspected state-sponsored actors for roughly four weeks. The vulnerability resides in the User-ID Authentication Portal, commonly known as the Captive Portal, and stems from a buffer overflow that allows unauthenticated attackers to execute arbitrary code with root privileges on Internet-facing PA-Series and VM-Series firewalls. While exploitation appears limited at the moment, researchers have observed a sustained campaign that began with unsuccessful attempts in early April and progressed to remote code execution (RCE) and shellcode injection about a week after those initial probes. Immediate post-compromise activity included log cleanup and attempts to erase traces from crash logs and core dumps.
What’s at stake
- The flaw enables remote code execution without authentication, potentially allowing full control over exposed devices.
- Affected devices include PAN-OS running on PA-Series and VM-Series firewalls that expose the User-ID Authentication Portal to the internet.
- Cloud NGFW and Panorama appliances are not impacted by this particular vulnerability.
Exploitation Details and Evidence
Technical scope
- The vulnerability is tracked as CVE-2026-0300 and centers on the Captive Portal's handling of user authentication data, with the root cause tied to a buffer overflow condition.
- Exploitation allows attackers to run arbitrary commands with root privileges on affected devices, effectively compromising the firewall’s control plane.
Observed attacker activity
- Early April 2026 saw unsuccessful attempts against PAN-OS devices, with more successful intrusions occurring about a week later.
- Once RCE was achieved, attackers injected shellcode into compromised devices, and subsequently engaged in log cleaning to evade detection (removing kernel crash messages, nginx crash entries, and core dumps).
- After gaining code execution, attackers deployed two open-source tunneling tools to establish covert channels: EarthWorm and ReverseSocks5. EarthWorm provides covert, cross-network communications, while ReverseSocks5 lets the compromised device connect outbound to the attacker, bypassing inbound NAT and firewall restrictions.
Tools linked to the campaign
- EarthWorm: A tunneling utility used to enable covert communications within restricted networks.
- ReverseSocks5: A tunneling tool that exposes a SOCKS5 proxy over a reverse (outbound) connection, giving the attacker a path into the network for data exfiltration or command-and-control traffic.
Scope and exposure
- Shadowserver’s threat-tracking dashboard reports more than 5,400 PAN-OS VM-Series firewalls exposed to the internet, with the majority located in Asia (roughly 2,466 devices) and North America (about 1,998 devices). This indicates a substantial exposure of edge devices that are prime targets for attacker reconnaissance and exploitation.
Affected products and patch status
- Scope of impact: the vulnerability affects the PAN-OS User-ID Authentication Portal on PA-Series and VM-Series devices exposed to the internet.
- The vulnerability does not impact Cloud NGFW or Panorama appliances.
- Palo Alto Networks has indicated that patches are being developed, with initial updates expected to begin rolling out on May 13, 2026.
Mitigation and quick-response steps
- Access controls: Restrict external access to the PAN-OS User-ID Authentication Portal to trusted network zones, or disable the portal entirely if feasible, to reduce exposure until patches are available.
- Configuration checks: Administrators can verify whether the vulnerable service is enabled by inspecting the Authentication Portal Settings within the PAN-OS administration interface. The relevant path is Device > User Identification > Authentication Portal Settings > Enable Authentication Portal.
- Patch planning: Monitor for the release of PAN-OS patches and apply them promptly once available to mitigate ongoing exploitation.
- Incident visibility: Because attackers cleaned logs and attempted to erase forensic signals on the device itself, do not rely solely on the firewall's local logs. Review system logs and crash dumps on the device, but also check copies forwarded to an external syslog collector, and look in egress flow records for outbound connections initiated by the firewall's own management address that could indicate reverse tunneling.
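The checks below are an added example, not code from Palo Alto Networks or from the researchers cited here. They show the kind of off-device triage the last point calls for: flagging outbound connections that a firewall's management IP should never initiate (the shape of a reverse SOCKS tunnel), finding silences in the forwarded log stream, and pulling crash entries from the collector's copy that a log wipe on the device cannot reach. They assume syslog is already forwarded to a separate collector and that egress flow records exist for traffic sourced from the firewalls; all addresses, allowlists, flow records and log lines are constructed for the example.

```python
"""Off-device checks for a firewall suspected of exploitation + log cleanup.

Added example (not PAN-OS code, not vendor guidance). Assumes syslog is
forwarded to a separate collector and that egress flow records exist for
traffic sourced from firewall management IPs. All data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed inventory: management IPs of the firewalls under review.
FIREWALL_MGMT_IPS = {"203.0.113.10", "203.0.113.11"}

# Constructed egress allowlist: where a firewall is *expected* to initiate
# connections (assumed vendor update range, internal Panorama/NTP/DNS/syslog).
EXPECTED_EGRESS_NETS = [ip_network("198.51.100.0/24"), ip_network("10.0.0.0/8")]
EXPECTED_EGRESS_PORTS = {53, 123, 443, 514, 3978}

# Constructed flow records: (timestamp, src, dst, dst_port, bytes, duration_s).
FLOWS = [
    ("2026-04-16T02:10:00", "203.0.113.10", "198.51.100.7", 443, 4200, 2),
    ("2026-04-16T02:11:00", "203.0.113.10", "10.0.5.5", 514, 900, 1),
    # the firewall itself dialling out to an external host and staying
    # connected for 90 minutes: the shape of a reverse SOCKS tunnel
    ("2026-04-16T02:14:00", "203.0.113.10", "192.0.2.77", 8443, 91000, 5400),
    ("2026-04-16T02:15:00", "203.0.113.11", "10.0.5.9", 123, 76, 0),
    ("2026-04-16T02:20:00", "203.0.113.10", "192.0.2.77", 22, 7000, 3000),
]

# Constructed collector-side syslog: (arrival timestamp, reporting host, message).
SYSLOG = [
    ("2026-04-16T02:00:00", "203.0.113.10", "sessions: 812 active"),
    ("2026-04-16T02:05:00", "203.0.113.10", "sessions: 790 active"),
    ("2026-04-16T02:09:40", "203.0.113.10",
     "nginx: worker process 4412 exited on signal 11 (core dumped)"),
    ("2026-04-16T02:55:00", "203.0.113.10", "sessions: 801 active"),
    ("2026-04-16T03:00:00", "203.0.113.10", "sessions: 799 active"),
    ("2026-04-16T02:00:00", "203.0.113.11", "sessions: 120 active"),
    ("2026-04-16T02:05:00", "203.0.113.11", "sessions: 118 active"),
    ("2026-04-16T02:10:00", "203.0.113.11", "sessions: 121 active"),
]

CRASH_MARKERS = ("core dumped", "segfault", "signal 11", "crash")


def flag_unexpected_egress(flows, long_session_s=600):
    """Flows where a firewall management IP initiates a connection to a
    destination or port outside the allowlist. Reverse-connect tunnels
    (ReverseSocks5, EarthWorm in reverse mode) show up as the firewall
    itself holding a long outbound session to an external host."""
    findings = []
    for ts, src, dst, dport, _nbytes, duration in flows:
        if src not in FIREWALL_MGMT_IPS:
            continue
        dst_ip = ip_address(dst)
        known_dst = any(dst_ip in net for net in EXPECTED_EGRESS_NETS)
        known_port = dport in EXPECTED_EGRESS_PORTS
        if known_dst and known_port:
            continue
        reasons = []
        if not known_dst:
            reasons.append("destination not in egress allowlist")
        if not known_port:
            reasons.append(f"unexpected destination port {dport}")
        if duration >= long_session_s:
            reasons.append(f"long-lived session ({duration}s)")
        findings.append({"ts": ts, "src": src, "dst": dst,
                         "dport": dport, "reasons": reasons})
    return findings


def find_log_gaps(syslog, max_gap=timedelta(minutes=15)):
    """Per reporting host, silences in the forwarded log stream longer than
    max_gap. A device that goes quiet right after a crash entry is a stronger
    signal than anything left in its (possibly cleaned) local logs."""
    times_by_host = defaultdict(list)
    for ts, host, _msg in syslog:
        times_by_host[host].append(datetime.fromisoformat(ts))
    gaps = []
    for host, times in times_by_host.items():
        times.sort()
        for earlier, later in zip(times, times[1:]):
            if later - earlier > max_gap:
                gaps.append({"host": host, "from": earlier.isoformat(),
                             "to": later.isoformat(),
                             "minutes": int((later - earlier).total_seconds() // 60)})
    return gaps


def find_crash_events(syslog):
    """Crash-related entries in the collector's copy. These are the records the
    campaign deleted on the device (nginx crashes, kernel messages, core dumps),
    so their presence here and absence on the box is itself an indicator."""
    return [(ts, host, msg) for ts, host, msg in syslog
            if any(marker in msg.lower() for marker in CRASH_MARKERS)]


if __name__ == "__main__":
    for f in flag_unexpected_egress(FLOWS):
        print("EGRESS", f)
    for g in find_log_gaps(SYSLOG):
        print("GAP   ", g)
    for c in find_crash_events(SYSLOG):
        print("CRASH ", c)
```

On the constructed data the egress check flags both sessions from 203.0.113.10 to 192.0.2.77, the gap check reports a 45-minute silence from that same firewall beginning right after the nginx crash entry, and the crash scan returns that entry. In a real deployment the allowlist should be built from the firewall's actual configured update, Panorama, NTP, DNS and syslog destinations rather than guessed.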
Regulatory and government context
- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-0300 to its Known Exploited Vulnerabilities (KEV) Catalog. Following the KEV listing, CISA directed Federal Civilian Executive Branch (FCEB) agencies to secure exposed devices by May 9, 2026.
- The KEV listing and agency directives underscore the broader risk posture of edge devices, which often operate with limited logging and protective tooling compared with traditional endpoints.
Broader threat landscape and context
- The CVE-2026-0300 campaign is part of a wider trend where threat actors target edge network devices—such as firewalls, hypervisors, routers, and VPN software—for exploitation. These devices frequently lack comprehensive logging and security telemetry, making detection and remediation more challenging.
- In the months surrounding this campaign, several other high-profile edge-device exploits highlighted the risk of unpatched or publicly accessible devices becoming footholds for larger operations.
- The integration of EarthWorm and ReverseSocks5 into compromised networks demonstrates how attackers pivot from initial access to extended, covert control, enabling data exfiltration, lateral movement, or remote command-and-control channels.
Incident timeline recap
- April 9, 2026: First unsuccessful exploitation attempts against PAN-OS devices observed.
- Approximately one week later: Attackers achieve RCE and inject shellcode on targeted devices.
- Post-compromise: Log cleanup and attempts to mitigate detection via removal of crash logs and core dumps.
- May 6, 2026: CISA adds CVE-2026-0300 to KEV and announces an enforcement deadline for agency remediation.
- May 13, 2026: Expected rollout window for the first PAN-OS patches addressing the vulnerability.
Operational implications for organizations
- Edge devices remain a critical risk surface due to their exposure to the internet and their role in enforcing network security policies. When such devices are compromised, the attacker’s position at the network edge can facilitate broader campaigns, evading conventional endpoint protections.
- The presence of public-facing Captive Portals should trigger immediate review, tightening of access controls, and rapid patching once fixes are released.
- Asset visibility is crucial: the large number of publicly accessible PAN-OS VM-Series firewalls underscores the need for comprehensive inventory management and continuous monitoring of exposed devices.
Conclusion
The exploitation of the PAN-OS User-ID Authentication Portal zero-day CVE-2026-0300 demonstrates how quickly a flaw can be weaponized by state-aligned threat actors, transforming edge devices into footholds for persistent access. While the initial exploitation appears to have been limited in scope, the combination of compromised machines, covert tunneling tools, and targeted log cleanup highlights the importance of rapid patching, vigilant monitoring, and strict access controls for internet-exposed network devices. The incident also reinforces the broader cybersecurity lesson that edge infrastructure often requires proactive hardening and ongoing telemetry to detect and deter sophisticated exploitation campaigns before they can do lasting damage.


