Active exploitation of PAN-OS RCE zero-day CVE-2026-0300 via User-ID Authentication Portal
Summary
State-sponsored threat actors have exploited a critical PAN-OS firewall zero-day tracked as CVE-2026-0300 since April 9, 2026. The vulnerability, a buffer overflow in the User-ID Authentication Portal (Captive Portal), allows unauthenticated remote code execution (RCE) with root privileges on Internet-exposed PA-Series and VM-Series firewalls. Attackers achieved initial compromise between April 16 and 17, 2026, then deployed the tunneling tools EarthWorm and ReverseSocks5 for persistent access and lateral movement. The exploit targets edge network devices that are frequently exposed to the internet and where logging and endpoint defenses are often minimal, enabling stealthy post-compromise activity including log wiping and shellcode injection.
Timeline
- 07.05.2026 13:57 (1 article): CVE-2026-0300 exploitation timeline and post-compromise activity disclosed
  State-sponsored threat actors began exploiting CVE-2026-0300 on or before April 9, 2026, achieving initial RCE between April 16 and 17, 2026. Post-compromise activity included log wiping to erase evidence and deployment of EarthWorm and ReverseSocks5 tunneling tools for persistent access and network traversal. CISA added CVE-2026-0300 to the KEV catalog on May 7, 2026, ordering federal agencies to remediate by May 9, 2026. Palo Alto Networks plans to release patches starting May 13, 2026.
  Sources:
  - Palo Alto Networks firewall zero-day exploited for nearly a month — www.bleepingcomputer.com — 07.05.2026 13:57
Information Snippets
- CVE-2026-0300 is a critical remote code execution flaw in the PAN-OS User-ID Authentication Portal (Captive Portal), stemming from a buffer overflow that allows unauthenticated RCE with root privileges.
  First reported: 07.05.2026 13:57 (1 source, 1 article)
  - Palo Alto Networks firewall zero-day exploited for nearly a month — www.bleepingcomputer.com — 07.05.2026 13:57
- Exploitation began no later than April 9, 2026, with initial successful RCE achieved between April 16 and 17, 2026, followed by immediate log cleanup to evade detection.
  First reported: 07.05.2026 13:57 (1 source, 1 article)
  - Palo Alto Networks firewall zero-day exploited for nearly a month — www.bleepingcomputer.com — 07.05.2026 13:57
- Attackers deployed EarthWorm and ReverseSocks5 tunneling tools to establish covert communication channels and proxy tunnels on compromised firewalls.
  First reported: 07.05.2026 13:57 (1 source, 1 article)
  - Palo Alto Networks firewall zero-day exploited for nearly a month — www.bleepingcomputer.com — 07.05.2026 13:57
- EarthWorm has prior associations with Chinese-speaking threat groups including CL-STA-0046, Volt Typhoon, UAT-8337, and APT41.
  First reported: 07.05.2026 13:57 (1 source, 1 article)
  - Palo Alto Networks firewall zero-day exploited for nearly a month — www.bleepingcomputer.com — 07.05.2026 13:57
- Over 5,400 PAN-OS VM-Series firewalls are exposed on the internet, predominantly in Asia (2,466) and North America (1,998), according to Shadowserver.
  First reported: 07.05.2026 13:57 (1 source, 1 article)
  - Palo Alto Networks firewall zero-day exploited for nearly a month — www.bleepingcomputer.com — 07.05.2026 13:57
- Palo Alto Networks states that Cloud NGFW and Panorama appliances are not impacted by CVE-2026-0300.
  First reported: 07.05.2026 13:57 (1 source, 1 article)
  - Palo Alto Networks firewall zero-day exploited for nearly a month — www.bleepingcomputer.com — 07.05.2026 13:57
- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-0300 to its Known Exploited Vulnerabilities (KEV) Catalog on May 7, 2026, requiring FCEB agencies to remediate by May 9, 2026.
  First reported: 07.05.2026 13:57 (1 source, 1 article)
  - Palo Alto Networks firewall zero-day exploited for nearly a month — www.bleepingcomputer.com — 07.05.2026 13:57