
"The flaw, tracked as CVE-2026-0300 and carrying a CVSS severity rating of 9.3, affects the Captive Portal feature in PAN-OS on PA-Series and VM-Series firewalls. Palo Alto said the issue stems from a memory corruption bug in the User-ID Authentication Portal, a feature used to handle logins for users the firewall cannot automatically identify. If successfully exploited, the bug allows attackers to remotely run arbitrary code on internet-exposed devices with root privileges."
"According to the vendor's Unit 42 threat intelligence team, attacks are already underway and tied to a cluster of 'likely state-sponsored threat activity' tracked as CL-STA-1132. The attackers allegedly used the zero-day to inject shellcode into an nginx worker process running on compromised devices. Palo Alto said the first failed exploitation attempts began on April 9. About a week later, the attackers successfully achieved remote code execution on a targeted firewall and then cleared logs, crash reports, and other records tied to the compromise."
"The attackers later used their access to move deeper into victims' networks, including probing Active Directory systems while continuing to clean up traces of the intrusion from compromised devices. According to Palo Alto, the campaign expanded again on April 29 when the attackers triggered a flood of authentication traffic that caused a secondary firewall to take over internet-facing duties. The attackers then compromised that device as well and installed additional remote access tools."
A critical zero-day vulnerability (CVE-2026-0300, CVSS 9.3) in the Captive Portal feature of Palo Alto Networks PAN-OS firewalls allows unauthenticated remote code execution with root privileges. A cluster of likely state-sponsored threat activity tracked as CL-STA-1132 has been exploiting the flaw against internet-exposed PA-Series and VM-Series firewalls: the first (failed) attempts were seen on April 9, and successful remote code execution followed about a week later. After gaining access, the attackers inject shellcode into an nginx worker process, clear logs and crash reports, probe Active Directory systems, and deploy additional remote access tools. The campaign expanded on April 29, when the attackers triggered an authentication flood that forced a secondary firewall to take over internet-facing duties and then compromised that device too. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog, signalling that patching is urgent.
#zero-day-vulnerability #palo-alto-networks #state-sponsored-attacks #lateral-movement #critical-infrastructure
Read at theregister