Critical PAN-OS Vulnerability Exploited by Suspected State-Sponsored Actors: CVE-2026-0300 Under Active Attack
**Palo Alto Networks** has issued an alert regarding active exploitation attempts targeting a critical vulnerability, **CVE-2026-0300**, in its PAN-OS software. Suspected state-sponsored actors began attempting to exploit the flaw as early as April 9, 2026, potentially gaining unauthenticated remote code execution.

### Zero-Day Exploitation in the Wild
**Palo Alto Networks** has disclosed that threat actors may have made unsuccessful attempts to exploit a recently disclosed critical security flaw as early as April 9, 2026.
The vulnerability in question is **CVE-2026-0300** (CVSS score: 9.3/8.7), a buffer overflow vulnerability in the User-ID Authentication Portal service of **Palo Alto Networks** PAN-OS software. This flaw could allow an unauthenticated attacker to execute arbitrary code with root privileges by sending specially crafted packets.
### Mitigation Strategies
While fixes are expected to be released starting May 13, 2026, customers are advised to secure access to the PAN-OS User-ID Authentication Portal by restricting access to trusted zones or disabling it entirely if it's not in use.
As additional mitigation, the company recommends disabling Response Pages in the Interface Management Profile for any L3 interface where untrusted or internet traffic can ingress. Customers with Advanced Threat Prevention can also block exploitation attempts by enabling Threat ID 510019 from Applications and Threats content version 9097-10022.
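The two configuration checks above (Response Pages reachable from an untrusted L3 interface, and a content version old enough to lack Threat ID 510019) are easy to audit from a configuration export rather than by clicking through the UI. The script below is an added example and is not Palo Alto Networks' own tooling; the XML is a constructed sample, and the element paths (`profiles/interface-management-profile/entry`, `interface/ethernet/entry/layer3/interface-management-profile`, `zone/entry/network/layer3/member`) are assumptions modelled on the general layout of a PAN-OS running-config export, so compare them against an export from your own device before trusting the output.

```python
"""Audit a PAN-OS configuration export for the CVE-2026-0300 mitigations:
Response Pages enabled on an Interface Management Profile that is attached to
an L3 interface in an untrusted zone, and an installed Applications and Threats
content version older than 9097-10022 (the version that carries Threat ID 510019).

The XML below is a constructed sample. The element paths are ASSUMPTIONS about
the layout of a PAN-OS running-config export; verify them against a real export.
"""
import xml.etree.ElementTree as ET

# Constructed sample of the relevant fragments of a config export.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <network>
      <profiles>
        <interface-management-profile>
          <entry name="mgmt-internal"><response-pages>yes</response-pages></entry>
          <entry name="mgmt-untrust"><response-pages>yes</response-pages></entry>
          <entry name="mgmt-hardened"><response-pages>no</response-pages></entry>
        </interface-management-profile>
      </profiles>
      <interface><ethernet>
        <entry name="ethernet1/1"><layer3>
          <interface-management-profile>mgmt-untrust</interface-management-profile>
        </layer3></entry>
        <entry name="ethernet1/2"><layer3>
          <interface-management-profile>mgmt-internal</interface-management-profile>
        </layer3></entry>
        <entry name="ethernet1/3"><layer3>
          <interface-management-profile>mgmt-hardened</interface-management-profile>
        </layer3></entry>
      </ethernet></interface>
    </network>
    <vsys><entry name="vsys1"><zone>
      <entry name="untrust"><network><layer3>
        <member>ethernet1/1</member><member>ethernet1/3</member>
      </layer3></network></entry>
      <entry name="trust"><network><layer3>
        <member>ethernet1/2</member>
      </layer3></network></entry>
    </zone></entry></vsys>
  </entry></devices>
</config>"""

# Content version named in the vendor advisory quoted above.
REQUIRED_CONTENT_VERSION = "9097-10022"


def parse_version(version):
    """'9097-10022' -> (9097, 10022), so that versions compare numerically."""
    return tuple(int(part) for part in version.split("-"))


def content_version_is_current(installed, required=REQUIRED_CONTENT_VERSION):
    """True when the installed content version is at or above the required one."""
    return parse_version(installed) >= parse_version(required)


def find_exposed_response_pages(config_xml, untrusted_zones):
    """Return sorted (interface, zone, profile) triples where Response Pages is
    enabled on a management profile attached to an L3 interface that sits in one
    of the given untrusted zones. Each finding is an interface on which the
    advisory says Response Pages should be disabled."""
    root = ET.fromstring(config_xml)

    # Profiles that have Response Pages switched on.
    enabled_profiles = {
        entry.get("name")
        for entry in root.findall(".//profiles/interface-management-profile/entry")
        if (entry.findtext("response-pages") or "no").strip() == "yes"
    }

    # Map each L3 interface to the zone it belongs to.
    iface_to_zone = {}
    for zone in root.findall(".//zone/entry"):
        for member in zone.findall("network/layer3/member"):
            iface_to_zone[member.text.strip()] = zone.get("name")

    findings = []
    for iface in root.findall(".//interface/ethernet/entry"):
        name = iface.get("name")
        profile = (iface.findtext("layer3/interface-management-profile") or "").strip()
        zone = iface_to_zone.get(name)
        if profile in enabled_profiles and zone in untrusted_zones:
            findings.append((name, zone, profile))
    return sorted(findings)


if __name__ == "__main__":
    for iface, zone, profile in find_exposed_response_pages(SAMPLE_CONFIG, {"untrust"}):
        print(f"{iface} (zone {zone}): profile {profile} has Response Pages enabled")
    installed = "9096-10021"  # constructed value; read the real one from the device
    if not content_version_is_current(installed):
        print(f"content version {installed} is older than {REQUIRED_CONTENT_VERSION}")
```

Run against a real export, the zone set passed to `find_exposed_response_pages` should list every zone that can receive internet or otherwise untrusted traffic; the script reports only the interface/profile pairs that need attention, so an empty result for the untrusted zones is the state the advisory asks for.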
### Tracking the Threat Actor: CL-STA-1132
In an advisory, the network security company stated it is aware of limited exploitation of the flaw and is tracking the activity under the name **CL-STA-1132**, a suspected state-sponsored threat cluster of unknown provenance.
"The attacker behind this activity exploited CVE-2026-0300 to achieve unauthenticated remote code execution (RCE) in PAN-OS software. Upon successful exploitation, the attacker was able to inject shellcode into an nginx worker process," **Palo Alto Networks** Unit 42 said.
### Post-Exploitation Activities
The cybersecurity company observed unsuccessful exploitation attempts against a PAN-OS device starting April 9, 2026. A week later, the attackers successfully obtained remote code execution against the appliance and injected shellcode.
Immediately after gaining initial access, the threat actors attempted to cover their tracks by clearing crash kernel messages, deleting nginx crash entries and records, and removing crash core dump files.
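The clean-up sequence described above (crash followed within minutes by deletion of the core dump, the crash records and the kernel crash messages) is itself a detectable pattern: a genuine crash leaves its artefacts in place for later support analysis. The code below is an added example, not Unit 42's detection logic; the event timeline and the field names are constructed for illustration and do not correspond to any real PAN-OS log format, so a deployment would first map its own crash and file-deletion log sources onto the same `(timestamp, host, event)` shape.

```python
"""Flag hosts where a process crash is followed shortly by removal of the crash
artefacts. The event records below are CONSTRUCTED for this example and the
event names are assumptions, not a real PAN-OS log format."""
from datetime import datetime, timedelta

# Constructed sample timeline: (ISO timestamp, host, "event_kind detail").
EVENTS = [
    ("2026-04-16T10:02:11", "fw-edge-1", "process_crash nginx"),
    ("2026-04-16T10:02:12", "fw-edge-1", "core_dump_written nginx"),
    ("2026-04-16T10:03:40", "fw-edge-1", "core_dump_deleted nginx"),
    ("2026-04-16T10:03:41", "fw-edge-1", "crash_record_deleted nginx"),
    ("2026-04-16T10:03:42", "fw-edge-1", "kernel_messages_cleared"),
    ("2026-04-16T14:20:00", "fw-edge-2", "process_crash nginx"),
    ("2026-04-16T14:20:01", "fw-edge-2", "core_dump_written nginx"),
    # Routine clean-up the next day: far outside the window, not flagged.
    ("2026-04-17T09:00:00", "fw-edge-2", "core_dump_deleted nginx"),
]

# Event kinds that remove evidence of a crash.
CLEANUP_EVENTS = {"core_dump_deleted", "crash_record_deleted", "kernel_messages_cleared"}


def detect_crash_cleanup(events, window=timedelta(minutes=30)):
    """Return {host: [(crash_time, cleanup_kind, cleanup_time), ...]} for every
    clean-up event that occurs within `window` after a process crash on the same
    host. Events are processed in time order, so a crash must precede the
    clean-up to count."""
    crashes = {}   # host -> list of crash timestamps seen so far
    hits = {}
    for ts, host, event in sorted(events):
        when = datetime.fromisoformat(ts)
        kind = event.split()[0]
        if kind == "process_crash":
            crashes.setdefault(host, []).append(when)
        elif kind in CLEANUP_EVENTS:
            for crash_time in crashes.get(host, []):
                if timedelta(0) <= when - crash_time <= window:
                    hits.setdefault(host, []).append((crash_time, kind, when))
                    break
    return hits


if __name__ == "__main__":
    for host, findings in detect_crash_cleanup(EVENTS).items():
        for crash_time, kind, when in findings:
            print(f"{host}: {kind} at {when:%H:%M:%S}, "
                  f"{int((when - crash_time).total_seconds())}s after crash")
```

The 30-minute window is a tunable; the point of the rule is that the deletion is correlated with a crash on the same host rather than that any deletion occurred, which keeps scheduled log rotation (the fw-edge-2 case) out of the alert.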
Post-exploitation activities included conducting Active Directory (AD) enumeration and dropping additional payloads like **EarthWorm** and **ReverseSocks5** against a second device on April 29, 2026. Both tools have been previously associated with China-nexus hacking groups.
### Targeting Edge-Network Assets
"Over the last five years, nation-state threat actors engaged in cyber espionage have increasingly focused their efforts on edge-network technological assets, including firewalls, routers, IoT devices, hypervisors and various VPN solutions, which provide high-privilege access while often lacking the robust logging and security agents found on standard endpoints," Unit 42 said.
"The reliance of the attackers behind CL-STA-1132 on open-source tooling, rather than proprietary malware, minimized signature-based detection and facilitated seamless environment integration. This technical choice, combined with a disciplined operational cadence of intermittent interactive sessions over a multi-week period, intentionally remained below the behavioral thresholds of most automated alerting systems."