Palo Alto Networks has released a high-priority security advisory and a detailed intelligence report following the discovery of a critical buffer overflow vulnerability in its PAN-OS software. Tracked as CVE-2026-0300, the flaw affects the User-ID Authentication Portal (also known as the Captive Portal) and has already been weaponized in a series of targeted, state-sponsored attacks.
The flaw allows a remote, unauthenticated attacker to execute arbitrary code with the highest possible privileges on the device. According to the Palo Alto Networks advisory, “A buffer overflow vulnerability in the User-ID Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets”.
By sending these crafted packets over the network, attackers can bypass security boundaries and inject shellcode directly into system processes, such as the nginx worker process, effectively seizing total control of the gateway.
Palo Alto Networks’ Unit 42 is currently tracking CL-STA-1132, a sophisticated threat cluster likely backed by a nation-state, which has been observed exploiting this zero-day. These actors have displayed remarkable operational restraint to maintain long-term residency on compromised infrastructure.
Key post-exploitation tactics include:
- Credential Theft: Harvesting credentials directly from the firewall to enumerate Active Directory environments.
- Public Tooling: Deploying widely available tunneling tools like EarthWorm and ReverseSocks5 to blend in with legitimate administrative traffic.
- Evidence Destruction: Systematically destroying logs to hide their footprint.
- Identity Over Network: The campaign “prioritized identity trust abuse over traditional network-layer pivoting,” allowing the attackers to move laterally while staying below the radar of automated detection systems.
The report highlights a growing trend where advanced persistent threat (APT) groups shift their focus away from standard endpoints toward high-privilege edge-network assets.
As Unit 42 researchers conclude, “Over the last five years, nation-state threat actors engaged in cyber espionage have increasingly focused their efforts on edge-network technological assets… which provide high-privilege access while often lacking the robust logging and security agents found on standard endpoints”.
Immediate Mitigation Steps:
- Restrict Access: Immediately secure the User-ID™ Authentication Portal by restricting access to only trusted, internal IP addresses.
- Disable if Unused: If the portal is not required for your organization's workflow, disable it entirely to close the attack vector.
- Update PAN-OS: Apply the latest security patches for your specific version of PAN-OS immediately.
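As an added illustration of the first mitigation step (this is example code, not from Palo Alto Networks or the advisory), the following Python audit checks traffic-log records for connections to the authentication portal that originate outside an allow-list of trusted ranges. The log layout, the sample lines and the portal port numbers are assumptions; adjust them to the export format and ports used in your own deployment.

```python
"""Audit captive-portal access against an allow-list of trusted source ranges."""
import ipaddress

# Assumption: the User-ID Authentication (Captive) Portal is reached on
# TCP 6080-6082. Treat these as placeholders for the ports your firewall uses.
PORTAL_PORTS = {6080, 6081, 6082}

# Trusted internal ranges (assumed values for this example).
TRUSTED_CIDRS = ["10.20.0.0/16", "10.30.0.0/16"]

# Constructed sample records in a simple CSV layout:
# receive_time,src,dst,dport,app,action  (not real PAN-OS log output).
SAMPLE_LOG = """\
2026-01-10 09:12:01,10.20.5.14,10.20.1.1,6082,captive-portal,allow
2026-01-10 09:12:07,203.0.113.45,198.51.100.7,6081,captive-portal,allow
2026-01-10 09:13:10,10.20.5.20,10.20.1.1,443,web-browsing,allow
2026-01-10 09:14:55,198.51.100.99,198.51.100.7,6080,captive-portal,deny
"""


def parse_line(line):
    """Split one CSV record into a dict; return None for malformed lines."""
    fields = line.strip().split(",")
    if len(fields) != 6:
        return None
    received, src, dst, dport, app, action = fields
    try:
        return {
            "time": received,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "app": app,
            "action": action,
        }
    except ValueError:
        return None


def find_untrusted_portal_access(log_text, trusted_cidrs):
    """Return portal connections whose source lies outside every trusted range.

    Both allowed and denied attempts are reported: an allowed hit shows a gap
    in the access restriction, a denied hit shows the portal is still being
    reached from outside and is worth watching.
    """
    networks = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in PORTAL_PORTS:
            continue
        if not any(rec["src"] in net for net in networks):
            hits.append(rec)
    return hits


def policy_gaps(log_text, trusted_cidrs):
    """Only the untrusted portal connections that the firewall actually allowed."""
    return [h for h in find_untrusted_portal_access(log_text, trusted_cidrs)
            if h["action"] == "allow"]


if __name__ == "__main__":
    for hit in find_untrusted_portal_access(SAMPLE_LOG, TRUSTED_CIDRS):
        print(f'{hit["time"]} {hit["src"]} -> port {hit["dport"]} ({hit["action"]})')
    print(f"policy gaps: {len(policy_gaps(SAMPLE_LOG, TRUSTED_CIDRS))}")
```

Run it against a real export after tightening the portal's access rules: any record returned by `policy_gaps` means the restriction is not yet effective, and a stream of denied hits from the same external source is a reasonable trigger for further investigation.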