CyberHappenings


Active exploitation of PAN-OS RCE zero-day CVE-2026-0300 via User-ID Authentication Portal

2 unique sources, 3 articles

Summary


State-sponsored threat actors tracked as CL-STA-1132 exploited the critical PAN-OS firewall zero-day CVE-2026-0300 since at least April 9, 2026, achieving initial unauthenticated remote code execution by April 16–17, 2026. The vulnerability, a buffer overflow in the User-ID Authentication Portal service, enabled root-level arbitrary code execution on exposed PA-Series and VM-Series firewalls. Attackers injected shellcode into nginx worker processes and immediately began erasing forensic artifacts, including crash kernel messages and nginx records, to evade detection. Post-compromise activity included Active Directory enumeration and deployment of EarthWorm and ReverseSocks5 tunneling tools on April 29, 2026, targeting additional network devices. The adversary’s use of open-source tools and disciplined, intermittent operational sessions over weeks minimized signature-based detection while maintaining stealth. Over 5,400 PAN-OS VM-Series firewalls remain exposed on the internet, predominantly in Asia and North America. CISA added CVE-2026-0300 to its Known Exploited Vulnerabilities Catalog on May 7, 2026, mandating federal remediation by May 9, 2026. Palo Alto Networks released initial patches for CVE-2026-0300 on May 14, 2026.

Timeline

  1. 07.05.2026 13:57 · 3 articles

    CVE-2026-0300 exploitation timeline and post-compromise activity disclosed

    State-sponsored threat actors tracked as CL-STA-1132 attempted exploitation of CVE-2026-0300 on April 9, 2026, and achieved initial successful RCE within a week. Post-exploitation activity included Active Directory enumeration and deployment of the EarthWorm and ReverseSocks5 tunneling tools against a second device on April 29, 2026. Upon successful exploitation, the attackers injected shellcode into an nginx worker process and immediately began clearing forensic artifacts, including crash kernel messages, nginx crash entries, and crash core dumps, to erase evidence of compromise. The adversary relied on open-source tools and kept interactive sessions intermittent over several weeks to stay below automated detection thresholds, consistent with the observed tradecraft of China-nexus clusters. Palo Alto Networks released the first round of fixes for CVE-2026-0300 on May 14, 2026, addressing the critical buffer overflow in the User-ID Authentication Portal service that enabled unauthenticated root-level arbitrary code execution.



Similar Happenings

Active exploitation of Ivanti EPMM and Palo Alto PAN-OS vulnerabilities alongside new Linux RAT and cloud credential harvesting campaigns

Wide-ranging exploitation activity observed this week encompassing critical software vulnerabilities, new Linux malware families, cloud-focused credential theft, and espionage operations masquerading as ransomware. Attackers are weaponizing CVE-2026-6973 in Ivanti Endpoint Manager Mobile (EPMM) for remote code execution with administrative privileges, while Palo Alto PAN-OS CVE-2026-0300 is being exploited to achieve root-level access on PA-Series and VM-Series firewalls. Concurrently, a new modular Linux remote access trojan named Quasar Linux RAT (QLNX) has emerged with P2P mesh networking, kernel-level rootkit capabilities, and PAM authentication backdoors, enabling resilient persistence and lateral movement across Linux and cloud infrastructure. Credential harvesting campaigns are escalating, with one campaign replacing TeamPCP malware to steal cloud and developer credentials while propagating via open cloud infrastructure and Common Crawl data. Iranian state-sponsored actor MuddyWater conducted an espionage operation disguised as Chaos ransomware activity to obfuscate true objectives. Supply chain compromises affected DAEMON Tools and JDownloader, delivering data miners, QUIC RAT implants, and Python-based RATs. Phishing campaigns are increasingly leveraging legitimate Remote Monitoring and Management (RMM) tools such as SimpleHelp and ScreenConnect to establish persistent remote access. The combined impact includes unauthorized access to enterprise networks, cloud environments, and operational technology systems, with demonstrated ability to exfiltrate data, deploy secondary payloads, and persist across reboots and updates.

Critical Authentication Bypass in Cisco Catalyst SD-WAN Exploited Since 2023

A critical authentication bypass vulnerability (CVE-2026-20182) in Cisco Catalyst SD-WAN Controller and Manager is being actively exploited in the wild, enabling unauthenticated remote attackers to bypass authentication and obtain administrative privileges. The flaw stems from a malfunction in the peering authentication mechanism within the 'vdaemon' service and impacts all deployment models. CVE-2026-20182 was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on May 15, 2026, mandating federal patching by May 17, 2026. Cisco has attributed exploitation with high confidence to UAT-8616, the same cluster responsible for weaponizing CVE-2026-20127 since at least 2023. The threat actor leverages the flaw for post-compromise actions, including adding SSH keys, modifying NETCONF configurations, and attempting to escalate to root privileges. Infrastructure overlaps with Operational Relay Box (ORB) networks, commonly linked to Chinese state-sponsored actors. Threat actors have chained CVE-2026-20182 with CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 to enable unauthorized access, deploying web shells, malware frameworks, and tools such as Godzilla, Behinder, XenShell, and credential stealers. Cisco recommends immediate updates, restricting access to management interfaces, and monitoring for indicators of compromise.

High-Severity DoS Vulnerability in Palo Alto Networks Firewalls

Palo Alto Networks has patched a high-severity DoS vulnerability (CVE-2026-0227) affecting PAN-OS firewalls (versions 10.1 and later) and Prisma Access configurations with GlobalProtect enabled. The flaw allows unauthenticated attackers to disable firewall protections through repeated DoS attacks, forcing the firewall into maintenance mode. A proof-of-concept (PoC) exploit exists, and the vulnerability arises from an improper check for exceptional conditions (CWE-754). Most cloud-based Prisma Access instances have been patched, but some remain in progress. No evidence of exploitation has been found yet. Palo Alto Networks has released security updates for all affected versions, advising admins to upgrade to the latest releases. The vulnerability highlights the ongoing targeting of Palo Alto firewalls, which have been frequently exploited in recent attacks.

Active Exploitation of Unpatched Cisco AsyncOS Zero-Day in SEG and SEWM Appliances

Cisco has identified an unpatched, critical zero-day vulnerability (CVE-2025-20393) in AsyncOS, affecting Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. The flaw is actively exploited by a Chinese threat group, UAT-9686, to deploy backdoors and other malware. The attacks have been ongoing since at least late November 2025. Cisco has released security updates for the vulnerability and recommends securing and restricting access to vulnerable appliances. The vulnerability allows threat actors to execute arbitrary commands with root privileges and deploy tools like AquaShell, AquaTunnel, Chisel, and AquaPurge. CISA has added CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) catalog, requiring FCEB agencies to apply mitigations by December 24, 2025. Additionally, GreyNoise detected a coordinated campaign targeting enterprise VPN infrastructure, including Cisco SSL VPN and Palo Alto Networks GlobalProtect portals.

Increased Scanning for PAN-OS GlobalProtect Vulnerability

The Interlock ransomware gang has exploited a zero-day RCE vulnerability (CVE-2026-20131) in Cisco’s Secure Firewall Management Center (FMC) software since January 26, 2026, two months before Cisco’s March 4, 2026 patch. The flaw, enabling unauthenticated root-level code execution via the web interface, was actively exploited against enterprise firewalls until at least mid-March 2026. AWS CISO CJ Moses confirmed the timeline and provided rare operational visibility into Interlock’s post-exploitation activities, including PowerShell-based network enumeration, deployment of custom JavaScript and Java RATs, and a memory-resident webshell for evasion. The group also installed ConnectWise ScreenConnect as a backup access method. Cisco’s March 4 patch addressed the insecure Java deserialization flaw in the management interface. Interlock’s activities align with their broader campaigns targeting critical infrastructure, including prior links to ClickFix and NodeSnake malware against U.K. universities since 2024.