
PAN-OS Buffer Overflow Flaw Under Active State-Sponsored Exploitation

Red | Vulnerability Report

Summary

CVE-2026-0300 is a critical zero-day buffer overflow vulnerability in Palo Alto Networks PAN-OS firewall software, affecting the devices organizations rely on to protect their network perimeter. It is actively exploited by CL-STA-1132, a sophisticated and likely state-sponsored threat actor conducting targeted attacks against PAN-OS deployments. The flaw, first observed on April 9, 2026, resides in the User-ID Authentication Portal (Captive Portal) service, the component that maps IP addresses to user identities when the firewall cannot do so automatically. Its critical severity stems from the fact that an unauthenticated remote attacker can achieve root-level code execution with a single crafted packet, requiring no credentials or user interaction whatsoever.

The PAN-OS CVE-2026-0300 vulnerability affects multiple major software branches including PAN-OS 10.2, 11.1, 11.2, and 12.1 across PA-Series physical firewalls and VM-Series virtual firewalls when configured with the User-ID Authentication Portal enabled. The PAN-OS buffer overflow flaw is classified under CWE-787 (Out-of-bounds Write) and stems from improper input validation in the Captive Portal service when processing incoming network packets. The PAN-OS vulnerable service fails to properly validate the size or boundaries of input data, allowing attackers to overwrite adjacent memory regions. Because the PAN-OS Captive Portal service executes with root privileges, successful exploitation immediately grants attackers the highest level of system access, enabling complete firewall compromise.

The PAN-OS exploitation timeline reveals sophisticated attack progression by the CL-STA-1132 threat actor. Initial unsuccessful exploitation attempts targeting the PAN-OS vulnerability began on April 9, 2026, with successful remote code execution achieved approximately one week later around April 16, 2026. Post-exploitation activity on compromised PAN-OS systems included shellcode injection into nginx worker processes, deployment of EarthWorm and ReverseSocks5 tunneling tools for command-and-control communication, Active Directory enumeration leveraging the firewall’s service account credentials, and extensive log and evidence destruction to hinder forensic investigation. Palo Alto Networks published its security advisory on May 5, 2026, confirming limited active exploitation. Security patches for the PAN-OS vulnerability remain unavailable until May 13, 2026 for the first batch of affected versions, with a second patch release scheduled for May 28, 2026, leaving organizations exposed during this extended window.


Vulnerability Details

PAN-OS User-ID Authentication Portal Buffer Overflow

CVE-2026-0300 is a critical buffer overflow vulnerability classified under CWE-787 (Out-of-bounds Write) affecting Palo Alto Networks PAN-OS firewall software. The PAN-OS vulnerability resides within the User-ID Authentication Portal, commonly known as the Captive Portal service. This PAN-OS component provides user authentication functionality when the firewall cannot automatically map IP addresses to user identities through other means. The User-ID Authentication Portal in PAN-OS serves as a critical identity management function, presenting authentication pages to users whose identity cannot be determined through existing user identification methods. The strategic importance of this PAN-OS component makes the security vulnerability particularly impactful for organizations relying on user-based security policies.

PAN-OS Buffer Overflow Root Cause and Exploitation Mechanism

The root cause of the PAN-OS CVE-2026-0300 vulnerability is an out-of-bounds write condition occurring within the Captive Portal service during network packet processing. When the PAN-OS User-ID Authentication Portal processes incoming network packets, the service fails to properly validate the size or boundaries of input data received from network connections. This PAN-OS input validation failure allows attackers to overwrite adjacent memory regions beyond allocated buffers. By crafting specially formatted network packets and sending them to the vulnerable PAN-OS Captive Portal endpoint, unauthenticated remote attackers can trigger the buffer overflow condition to inject and execute arbitrary code on the firewall. The PAN-OS exploitation mechanism is particularly dangerous because the Captive Portal service executes with root privileges, meaning successful exploitation immediately grants attackers the highest level of system access without requiring privilege escalation techniques.

PAN-OS Affected Versions and Deployment Scope

The PAN-OS CVE-2026-0300 vulnerability impacts multiple major software branches across four generations of PAN-OS releases. Affected PAN-OS 10.2 versions include multiple hotfix streams prior to 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6. Vulnerable PAN-OS 11.1 versions include releases prior to 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15. Affected PAN-OS 11.2 versions encompass releases prior to 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, and 11.2.12. Vulnerable PAN-OS 12.1 versions include releases prior to 12.1.4-h5 and 12.1.7. The PAN-OS vulnerability specifically affects PA-Series physical firewalls and VM-Series virtual firewalls when configured with the User-ID Authentication Portal feature enabled. Cloud NGFW, Prisma Access, and Panorama management platforms are not affected by the PAN-OS CVE-2026-0300 vulnerability, limiting the scope to traditional firewall deployments.

PAN-OS Active Exploitation by CL-STA-1132 Threat Actor

Palo Alto Networks has confirmed limited but active exploitation of the PAN-OS CVE-2026-0300 vulnerability targeting User-ID Authentication Portals exposed to untrusted IP addresses and the public internet. The PAN-OS exploitation activity is attributed to CL-STA-1132, a sophisticated likely state-sponsored threat actor demonstrating advanced capabilities. The PAN-OS exploitation timeline reveals initial unsuccessful attempts beginning April 9, 2026, with successful remote code execution achieved approximately one week later. Post-exploitation activity observed on compromised PAN-OS systems included shellcode injection into nginx worker processes to maintain persistence, deployment of EarthWorm and ReverseSocks5 tunneling tools to establish covert command-and-control channels, Active Directory enumeration leveraging the compromised firewall’s service account credentials to map internal network resources, and extensive log deletion and evidence destruction to hinder incident response and forensic analysis. Palo Alto Networks has released a Threat Prevention signature (Threat ID 510019) available to customers running PAN-OS 11.1 and above with an Advanced Threat Prevention subscription to detect and block exploitation attempts.


Recommendations

Restrict PAN-OS User-ID Authentication Portal Access Immediately

Organizations must immediately restrict access to the PAN-OS User-ID Authentication Portal to trusted internal IP addresses only; this is the most effective mitigation currently available. Follow vendor-provided guidance in the Palo Alto Networks Knowledgebase article and Live Community documentation to configure zone-based access restrictions that limit Portal accessibility to known trusted networks. Additionally, disable Response Pages in the Interface Management Profile attached to every Layer 3 interface in any zone where untrusted or internet traffic can ingress, keeping Response Pages enabled only on interfaces in trust or internal zones. This access restriction significantly reduces the attack surface by preventing unauthenticated internet-based attackers from reaching the vulnerable Captive Portal service while security patches remain unavailable.

Disable PAN-OS Authentication Portal If Operationally Feasible

If the User-ID Authentication Portal is not actively required for production user identification workflows in your PAN-OS environment, organizations should disable the feature entirely through Device > User Identification > Authentication Portal Settings in the firewall management interface. Disabling the PAN-OS Authentication Portal completely eliminates the CVE-2026-0300 attack surface and represents the simplest risk removal strategy until vendor security patches become available. Organizations should assess whether alternative user identification methods including Active Directory integration, LDAP authentication, or SSL VPN user mapping can fulfill their user-to-IP address mapping requirements without relying on the vulnerable Captive Portal functionality. This PAN-OS configuration change provides immediate protection against exploitation attempts while maintaining firewall security policy enforcement capabilities.

Enable PAN-OS Threat Prevention Signature for Exploit Detection

Customers with an Advanced Threat Prevention subscription running PAN-OS 11.1 or later versions should immediately verify that Threat ID 510019 from Applications and Threats content version 9097-10022 is enabled in their threat prevention security profiles. This PAN-OS threat signature provides network-level detection and blocking capabilities for exploitation attempts targeting the CVE-2026-0300 vulnerability. Organizations should update their Applications and Threats content to the latest available version to ensure signature coverage and apply appropriate threat prevention profiles to security policies governing traffic destined for PAN-OS firewall management interfaces. While threat signatures provide valuable detection capabilities, organizations should not rely exclusively on this mitigation and must implement network access restrictions and plan for urgent patch deployment when fixes become available.

Plan Immediate PAN-OS Patch Deployment Strategy

Palo Alto Networks plans to release security patches for the PAN-OS CVE-2026-0300 vulnerability in two phases on May 13, 2026 and May 28, 2026. Organizations should prepare patch deployment strategies immediately to minimize exposure windows once fixes become available. Establish testing environments to validate patch compatibility and stability before production deployment. Prioritize patching for internet-facing PAN-OS firewalls with the User-ID Authentication Portal enabled, as these systems face the highest compromise risk from the CL-STA-1132 threat actor. Coordinate with change management processes to schedule maintenance windows and develop rollback procedures. Organizations should monitor the Palo Alto Networks security advisory page continuously for patch release notifications and deployment guidance.

Conduct PAN-OS Compromise Assessment and Forensic Investigation

Given confirmed exploitation of the PAN-OS vulnerability by the sophisticated CL-STA-1132 threat actor, organizations whose User-ID Authentication Portal was exposed to the internet or untrusted networks should proactively investigate for compromise indicators. Review nginx crash logs for unexpected process crashes, which can indicate exploitation attempts. Examine audit logs for ptrace injection evidence suggesting shellcode injection into running processes. Check the /var/tmp/ and /tmp/ directories for unexpected files with names including linuxap, linuxda, linuxupdate, .c, or R5, which indicate post-exploitation tool deployment. Search for unauthorized Active Directory enumeration activity originating from PAN-OS firewall service accounts, which may reveal credential harvesting attempts. Organizations discovering evidence of PAN-OS compromise should initiate full incident response procedures including system isolation, memory forensics, credential rotation, and threat hunting across internal networks.


MITRE ATT&CK TTPs

Initial Access

T1190: Exploit Public-Facing Application – The CL-STA-1132 threat actor exploits the CVE-2026-0300 buffer overflow vulnerability in internet-facing PAN-OS User-ID Authentication Portals to gain initial access to firewall systems without authentication.

Execution

T1059: Command and Scripting Interpreter – Attackers execute arbitrary commands on compromised PAN-OS systems following successful exploitation, leveraging shell access for post-exploitation activities.

Persistence

T1548: Abuse Elevation Control Mechanism / T1548.001: Setuid and Setgid – Threat actors leverage root-level code execution achieved through PAN-OS exploitation to maintain persistent elevated privileges on compromised firewall systems.

Defense Evasion

T1070: Indicator Removal / T1070.004: File Deletion – The CL-STA-1132 actor conducts extensive log and evidence destruction on compromised PAN-OS systems to hinder forensic investigation and incident response efforts.

Credential Access

T1003: OS Credential Dumping – Attackers access and exfiltrate Active Directory credentials from compromised PAN-OS firewalls, leveraging the firewall’s service account credentials for internal network reconnaissance.

Discovery

T1018: Remote System Discovery – Threat actors enumerate Active Directory infrastructure and internal network resources following PAN-OS compromise to identify lateral movement targets.

Command and Control

T1090: Proxy – The CL-STA-1132 actor deploys EarthWorm and ReverseSocks5 tunneling tools on compromised PAN-OS systems to establish covert communication channels and proxy traffic through the firewall.

T1572: Protocol Tunneling – Attackers utilize protocol tunneling tools including ReverseSocks5 to encapsulate command-and-control traffic and evade network security monitoring.

Resource Development

T1588: Obtain Capabilities / T1588.006: Vulnerabilities – The CL-STA-1132 threat actor develops or acquires exploit capabilities for the PAN-OS CVE-2026-0300 zero-day vulnerability to enable their operations.


Indicators of Compromise (IoCs)

Network Indicators

IPv4 Addresses:

  • 67[.]206[.]213[.]86
  • 136[.]0[.]8[.]48
  • 146[.]70[.]100[.]69
  • 149[.]104[.]66[.]84

Malicious URLs:

  • hxxp[:]//146[.]70[.]100[.]69[:]8000/php_sess
  • hxxps[:]//github[.]com/Acebond/ReverseSocks5/releases/download/v2.2.0/ReverseSocks5-v2.2.0-linux-amd64.tar[.]gz

Organizations should implement network monitoring for connections to these indicators associated with CL-STA-1132 exploitation of PAN-OS systems.

File-Based Indicators

SHA256 Hash:

  • e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584

Suspicious File Paths:

  • /var/tmp/linuxap
  • /var/tmp/linuxda
  • /var/tmp/linuxupdate
  • /tmp/.c
  • /tmp/R5
  • /var/R5

Security teams should search compromised PAN-OS systems for these file artifacts indicating successful exploitation and post-compromise tool deployment by the CL-STA-1132 threat actor.
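As an added example (not HivePro's or Palo Alto Networks' own tooling), the following Python script applies the compromise-assessment checks from the Recommendations section and this section's indicators to exported logs or file listings offline: it refangs the advisory's IoCs, matches them line by line, and flags the nginx-crash and ptrace patterns the investigation guidance calls out. The sample log lines and the crash/ptrace regex are constructed assumptions, not real PAN-OS output.

```python
import re
from typing import List, Tuple

# Indicators as listed in the advisory, kept in their defanged form.
DEFANGED_IPS = ["67[.]206[.]213[.]86", "136[.]0[.]8[.]48",
                "146[.]70[.]100[.]69", "149[.]104[.]66[.]84"]
DEFANGED_URLS = ["hxxp[:]//146[.]70[.]100[.]69[:]8000/php_sess",
                 "hxxps[:]//github[.]com/Acebond/ReverseSocks5/releases/download/"
                 "v2.2.0/ReverseSocks5-v2.2.0-linux-amd64.tar[.]gz"]
SUSPICIOUS_PATHS = ["/var/tmp/linuxap", "/var/tmp/linuxda", "/var/tmp/linuxupdate",
                    "/tmp/.c", "/tmp/R5", "/var/R5"]
IOC_SHA256 = "e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584"
# Assumed heuristics for the behaviours the compromise-assessment section names
# (nginx worker crashes, ptrace injection); adjust to your own log formats.
BEHAVIOR_RE = re.compile(r"ptrace|nginx.*(?:signal \d+|core dumped|segfault)", re.I)

def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its literal form for matching."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")

IPS = [refang(i) for i in DEFANGED_IPS]
URLS = [refang(u) for u in DEFANGED_URLS]
# Bounded so that e.g. 10.146.70.100.69 does not match 146.70.100.69.
IP_RE = re.compile(r"(?<![\d.])(?:" + "|".join(map(re.escape, IPS)) + r")(?![\d.])")

def scan_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, kind, matched value) for every IoC or behaviour seen."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = IP_RE.search(line)
        if m:
            hits.append((n, "ip", m.group(0)))
        hits += [(n, "url", u) for u in URLS if u in line]
        hits += [(n, "path", p) for p in SUSPICIOUS_PATHS if p in line]
        if IOC_SHA256 in line.lower():
            hits.append((n, "sha256", IOC_SHA256))
        b = BEHAVIOR_RE.search(line)
        if b:
            hits.append((n, "behavior", b.group(0)))
    return hits

# Constructed sample lines standing in for exported firewall logs; not real PAN-OS output.
SAMPLE_LINES = [
    "2026-04-16T03:12:09 nginx: worker process 4211 exited on signal 11",
    "2026-04-16T03:13:41 audit: ptrace attach pid=4218 comm=nginx",
    "2026-04-16T03:14:02 http-client GET http://146.70.100.69:8000/php_sess",
    "2026-04-16T03:14:30 exec /var/tmp/linuxupdate -s 149.104.66.84",
    "2026-04-16T03:20:00 user-id portal session from 10.1.2.3",
]
```

Run `scan_lines()` over lines from an exported tech-support bundle or a file listing of /tmp, /var/tmp and /var; every hit is a line that warrants the incident response steps listed above.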


Patch Information

No security patches are currently available for the PAN-OS CVE-2026-0300 vulnerability. Palo Alto Networks has committed to releasing fixes in two phases on May 13, 2026 and May 28, 2026. Organizations should monitor the vendor security advisory page continuously and prepare patching workflows in advance to minimize exposure windows once updates become available.

