Secy247 – Technology, Cybersecurity & Business

Critical PAN-OS Security Flaw Allows Root-Level Remote Code Execution

A newly disclosed critical vulnerability affecting Palo Alto Networks PAN-OS software may have been targeted by attackers weeks before public disclosure, according to new findings from the company’s Unit 42 threat intelligence team.

The flaw, tracked as CVE-2026-0300, is a buffer overflow in the User-ID Authentication Portal service of PAN-OS. It carries a CVSS base score of 9.3 (8.7 in the vendor's threat-adjusted score), which places it in the critical range, and it allows a remote, unauthenticated attacker who can reach the portal to execute arbitrary code with root privileges by sending specially crafted packets to it.

Patches are not expected until May 13, 2026. In the meantime, Palo Alto Networks is urging organizations to immediately restrict access to the User-ID Authentication Portal to trusted internal zones, or to disable the feature entirely where it is not required. Because the bug is reachable without authentication, every network segment that can reach the portal listener is in scope until the fix ships.

In a security advisory released Wednesday, the company confirmed it has observed limited exploitation activity tied to the flaw. The attacks are being monitored under the threat cluster name CL-STA-1132, which researchers believe may be linked to a state-sponsored cyber espionage operation, although attribution remains unclear.

According to Unit 42 researchers, attackers successfully exploited the vulnerability to gain remote code execution on vulnerable PAN-OS devices. After compromising a target, the attackers injected shellcode directly into an nginx worker process running on the firewall appliance.

Investigators said the earliest unsuccessful exploitation attempts were detected on April 9, 2026. About a week later, the attackers reportedly succeeded in compromising a device and deploying malicious payloads.

Following initial access, the threat actors tried to erase evidence of the intrusion by deleting nginx crash logs, removing kernel crash messages, and wiping the core dump files the exploit attempts had left behind. Those artifacts exist because a memory-corruption exploit against a worker process tends to crash it on the way in, so unexplained nginx worker restarts, or crash and core-dump directories that are emptier than the device's uptime would suggest, are worth treating as indicators in their own right.

Researchers also observed post-compromise actions that included Active Directory enumeration and the deployment of additional tools such as EarthWorm and ReverseSocks5 on a second compromised device on April 29, 2026. Both utilities have previously been associated with several China-linked threat groups involved in cyber espionage campaigns.

Unit 42 noted that nation-state attackers have increasingly shifted their attention toward edge infrastructure devices such as firewalls, VPN appliances, routers, hypervisors, and IoT systems over the past several years. These systems often provide elevated network access while lacking the endpoint monitoring and logging protections commonly deployed on traditional workstations and servers.

The researchers added that the attackers behind CL-STA-1132 relied heavily on open-source tools instead of custom malware. This approach helped reduce detection risks and allowed the operation to blend more naturally into the target environment. The activity was also spread out over several weeks using intermittent sessions designed to avoid triggering automated security alerts.
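As an added example, not code from the article, Palo Alto Networks or Unit 42, the following Python hunt takes constructed flow records that carry the first payload bytes in each direction and does two things the two preceding paragraphs describe. It looks for SOCKS5 negotiation (RFC 1928) on connections the firewall itself dialed out, which is the shape a reverse-SOCKS tool such as ReverseSocks5 or EarthWorm's reverse mode leaves when the tunnel is not wrapped in TLS or a multiplexing layer (an assumption about the operator's setup, not a claim about either tool's wire format), and it surfaces peers the firewall contacted only a handful of times but across a span of weeks. The firewall address, the expected-peer list, the thresholds and every flow record are assumptions made for the demonstration.

```python
"""Hunt for reverse SOCKS5 tunnels and low-and-slow sessions originating from a firewall.

Added example; this is not code from the article, Palo Alto Networks or Unit 42.
It assumes flow records exported from the appliance (or a tap in front of it) as dicts
with ts (epoch seconds), src, dst, dport, and the first payload bytes in each direction
(c2s = initiator to responder, s2c = responder to initiator). Every record below is
constructed for the demonstration.
"""
from collections import defaultdict
from typing import Optional

DAY = 86400

# Addresses the appliance itself originates traffic from (assumed for the demo).
FIREWALL_ADDRS = {"10.0.0.1"}
# Peers the appliance is expected to dial (update servers, syslog, NTP); assumed.
EXPECTED_PEERS = {"10.0.0.5", "10.0.0.6"}


def is_socks5_greeting(data: bytes) -> bool:
    """RFC 1928 client greeting: VER=0x05, NMETHODS (>= 1), then NMETHODS method bytes."""
    if len(data) < 3 or data[0] != 0x05:
        return False
    nmethods = data[1]
    return nmethods >= 1 and len(data) >= 2 + nmethods


def is_socks5_method_reply(data: bytes) -> bool:
    """RFC 1928 server method selection: VER=0x05 followed by the chosen METHOD byte."""
    return len(data) >= 2 and data[0] == 0x05


def classify_socks5(flow: dict) -> Optional[str]:
    """Label a flow 'socks5-forward', 'socks5-reverse' or None.

    forward: the connection initiator speaks SOCKS5 first (an ordinary proxy client).
    reverse: the initiator dialed out, yet the responder sends the SOCKS5 greeting. That is
    the shape a reverse-SOCKS agent leaves: the compromised host connects home and the
    operator proxies back through it. Only visible when the tunnel is not wrapped in TLS
    or a multiplexing layer, which is an assumption about the operator's setup.
    """
    c2s, s2c = flow["c2s"], flow["s2c"]
    if is_socks5_greeting(c2s) and is_socks5_method_reply(s2c):
        return "socks5-forward"
    if is_socks5_greeting(s2c) and is_socks5_method_reply(c2s):
        return "socks5-reverse"
    return None


def sparse_outbound_peers(flows, min_span_days: float = 7.0, max_per_day: float = 1.0) -> dict:
    """Firewall-originated peers contacted rarely (<= max_per_day on average) but over a
    long span (>= min_span_days). Expected peers are ignored; busy but short-lived contact
    patterns fall below the span threshold and are dropped."""
    by_peer = defaultdict(list)
    for f in flows:
        if f["src"] in FIREWALL_ADDRS and f["dst"] not in EXPECTED_PEERS:
            by_peer[f["dst"]].append(f["ts"])
    findings = {}
    for peer, stamps in by_peer.items():
        stamps.sort()
        span_days = (stamps[-1] - stamps[0]) / DAY
        if span_days >= min_span_days and len(stamps) / span_days <= max_per_day:
            findings[peer] = {"sessions": len(stamps), "span_days": round(span_days, 1)}
    return findings


def hunt(flows) -> dict:
    """Run both checks and return the findings as plain data."""
    socks = []
    for f in flows:
        label = classify_socks5(f)
        if label:
            socks.append((f["src"], f["dst"], f["dport"], label))
    return {"socks5": socks, "sparse_peers": sparse_outbound_peers(flows)}


BASE = 1_775_000_000  # constructed epoch anchor; only the spacing between records matters
SAMPLE_FLOWS = (
    # firewall dials an unknown host roughly weekly; the remote end speaks SOCKS5 first
    [{"ts": BASE + d * DAY, "src": "10.0.0.1", "dst": "203.0.113.50", "dport": 443,
      "c2s": b"\x05\x00", "s2c": b"\x05\x01\x00"} for d in (0, 6, 13, 20)]
    # busy but short-lived: a TLS check every hour for two days, not low-and-slow
    + [{"ts": BASE + h * 3600, "src": "10.0.0.1", "dst": "10.0.0.7", "dport": 443,
        "c2s": b"\x16\x03\x01", "s2c": b"\x16\x03\x03"} for h in range(50)]
    # routine syslog to an expected internal collector, three weeks of it
    + [{"ts": BASE + h * 3600, "src": "10.0.0.1", "dst": "10.0.0.5", "dport": 514,
        "c2s": b"<134>1 ", "s2c": b""} for h in range(24 * 21)]
    # an internal client using a forward SOCKS proxy: flagged, but not firewall-originated
    + [{"ts": BASE + 3 * DAY, "src": "10.1.1.20", "dst": "10.1.1.9", "dport": 1080,
        "c2s": b"\x05\x01\x00", "s2c": b"\x05\x00"}]
    # a user browsing to the firewall's web service: benign
    + [{"ts": BASE + 4 * DAY, "src": "10.1.1.20", "dst": "10.0.0.1", "dport": 443,
        "c2s": b"GET / HTTP/1.1\r\n", "s2c": b"HTTP/1.1 200 OK\r\n"}]
)

if __name__ == "__main__":
    result = hunt(SAMPLE_FLOWS)
    for src, dst, dport, label in result["socks5"]:
        print(f"{label:14s} {src} -> {dst}:{dport}")
    for peer, info in result["sparse_peers"].items():
        print(f"low-and-slow   firewall -> {peer}: {info['sessions']} sessions over {info['span_days']} days")
```

The two checks are deliberately independent: the SOCKS5 test catches the tunnel only while its negotiation is in the clear, whereas the sparse-peer test needs no payload at all and is the one that survives encryption. The span and rate thresholds are the knobs to tune; a firewall that legitimately phones home once a week to an unlisted host will show up until that host is added to the expected-peer set.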
