Critical Zero-Day in Palo Alto Networks Firewalls Exploited by Suspected State-Sponsored Actors
**Palo Alto Networks** is warning customers of active exploitation of a critical zero-day vulnerability, **CVE-2026-0300**, in its PAN-OS firewalls. Suspected state-sponsored hackers have been leveraging this flaw for nearly a month to achieve remote code execution.

**Palo Alto Networks** has issued an urgent advisory regarding a critical-severity zero-day vulnerability, tracked as **CVE-2026-0300**, affecting PAN-OS firewalls. The vulnerability is actively being exploited by what the company believes are state-sponsored threat actors.
### CVE-2026-0300: Remote Code Execution in PAN-OS
**CVE-2026-0300** is a remote code execution (RCE) flaw found in the PAN-OS User-ID Authentication Portal (also known as the Captive Portal). This buffer overflow vulnerability allows unauthenticated attackers to execute arbitrary code with root privileges on Internet-exposed PA-Series and VM-Series firewalls.
"We are aware of only limited exploitation of CVE-2026-0300 at this time. Unit 42 is tracking CL-STA-1132, a cluster of likely state-sponsored threat activity exploiting CVE-2026-0300. The attacker behind this activity exploited CVE-2026-0300 to achieve unauthenticated remote code execution (RCE) in PAN-OS software," the company stated.
### Timeline of Exploitation
According to **Palo Alto Networks**, initial unsuccessful exploitation attempts were observed starting April 9, 2026. A week later, the attackers successfully achieved RCE and injected shellcode. Following the compromise, the attackers immediately attempted to cover their tracks by clearing crash kernel messages, deleting nginx crash entries and records, as well as removing crash core dump files.
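The cleanup described above (cleared kernel crash messages, deleted nginx crash records, removed core dumps) leaves a detectable trace if crash artifacts are inventoried at intervals: counters that only ever grow on a healthy appliance suddenly shrink, and dump files disappear. The following Python is an added example, not code from the article or from Palo Alto Networks; it assumes an operator periodically exports, over a management channel, the list of crash dump file names and the counts of kernel and nginx crash records, and compares consecutive exports. All snapshot values and file names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Set, Tuple

@dataclass(frozen=True)
class Snapshot:
    """One periodic export of crash artifacts from a device (constructed model)."""
    taken_at: datetime
    core_dumps: Set[str]       # file names seen in the crash-dump directory
    kernel_crash_lines: int    # count of crash-related kernel log lines
    nginx_crash_entries: int   # count of nginx crash records

# (timestamp of the later snapshot, finding kind, detail)
Finding = Tuple[datetime, str, str]

def compare(before: Snapshot, after: Snapshot) -> List[Finding]:
    """Findings for one pair of consecutive snapshots.

    Crash counters and dump files should only accumulate between exports unless
    an operator rotated them, so a decrease or a vanished dump is treated as a
    tampering signal. New crash artifacts are reported as well, because repeated
    crashes of an exposed service are an early sign of exploitation attempts.
    """
    findings: List[Finding] = []
    new = after.core_dumps - before.core_dumps
    gone = before.core_dumps - after.core_dumps
    if new:
        findings.append((after.taken_at, "new_core_dump", ",".join(sorted(new))))
    if gone:
        findings.append((after.taken_at, "core_dump_removed", ",".join(sorted(gone))))
    for name in ("kernel_crash_lines", "nginx_crash_entries"):
        b, a = getattr(before, name), getattr(after, name)
        if a < b:
            findings.append((after.taken_at, f"{name}_decreased", f"{b}->{a}"))
    return findings

def scan(snapshots: List[Snapshot]) -> List[Finding]:
    """Compare every consecutive pair of snapshots in time order."""
    ordered = sorted(snapshots, key=lambda s: s.taken_at)
    out: List[Finding] = []
    for earlier, later in zip(ordered, ordered[1:]):
        out.extend(compare(earlier, later))
    return out

def severity(findings: List[Finding]) -> str:
    """A crash burst followed by artifact removal is the high-confidence pattern."""
    kinds = {f[1] for f in findings}
    tampered = "core_dump_removed" in kinds or any(k.endswith("_decreased") for k in kinds)
    if tampered:
        return "high" if "new_core_dump" in kinds else "medium"
    return "low" if "new_core_dump" in kinds else "none"

# Constructed sample: quiet baseline, a crash burst, then every artifact vanishes.
SAMPLE = [
    Snapshot(datetime(2026, 4, 8, 0, 0), set(), 0, 0),
    Snapshot(datetime(2026, 4, 9, 0, 0), {"core.1001", "core.1002"}, 2, 2),
    Snapshot(datetime(2026, 4, 16, 0, 0), set(), 0, 0),
]

if __name__ == "__main__":
    results = scan(SAMPLE)
    for when, kind, detail in results:
        print(f"{when:%Y-%m-%d} {kind}: {detail}")
    print("severity:", severity(results))
```

The useful property is that the check needs no knowledge of the exploit itself: it only asserts that forensic material on an edge device never shrinks without an operator-initiated rotation, which is exactly what the described cleanup violates.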
### Post-Exploitation Activity: Earthworm and ReverseSocks5
After gaining access to the victims' firewalls, the attackers deployed the open-source **Earthworm** and **ReverseSocks5** network tunneling tools. These tools enable the creation of SOCKS v5 servers and proxy tunnels on compromised devices.
* **Earthworm**: Allows threat actors to establish covert communication across restricted networks.
* **ReverseSocks5**: Enables bypassing NAT and firewalls by creating an outbound connection from a target machine to a controller.
**Earthworm** has been previously linked to attacks attributed to Chinese-speaking threat groups such as CL-STA-0046, **Volt Typhoon**, UAT-8337, and **APT41**.
### Exposure and Mitigation

_Palo Alto Networks VM-series firewalls exposed online (Shadowserver)_
**Shadowserver** is currently tracking over 5,400 PAN-OS VM-series firewalls exposed on the Internet, with a significant concentration in Asia (2,466) and North America (1,998).
**Palo Alto Networks** has stated that Cloud NGFW and Panorama appliances are not affected. Patches are currently under development, with the first releases expected on Wednesday, May 13.
In the interim, **Palo Alto Networks** strongly advises customers to:
* Restrict access to the PAN-OS User-ID Authentication Portal to trusted zones only.
* Disable the portal if restricting access is not feasible.
Administrators can verify the configuration of the vulnerable service via the User-ID Authentication Portal Settings page (Device > User Identification > Authentication Portal Settings > Enable Authentication Portal).
### CISA Action and Broader Trends
The U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) has added **CVE-2026-0300** to its Known Exploited Vulnerabilities (KEV) Catalog, mandating Federal Civilian Executive Branch (FCEB) agencies to secure vulnerable firewalls by Saturday midnight, May 9.
This exploitation is part of an increasing trend of threat groups targeting edge network devices such as firewalls, hypervisors, routers, and VPN software, which often lack robust logging and security measures.
In February, **CISA** issued Binding Operational Directive 26-02, requiring U.S. government agencies to remove end-of-life network edge devices that no longer receive security updates.