Root on the Perimeter: CVE-2026-0300 — The PAN-OS Captive Portal Zero-Day Being Exploited by State Actors Right Now
TL;DR
A critical, currently unpatched buffer overflow vulnerability (CVE-2026-0300, CVSS 9.3) in Palo Alto Networks' PAN-OS User-ID Authentication Portal allows unauthenticated remote attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls. Active exploitation has been confirmed since at least April 9, 2026, attributed by Palo Alto's Unit 42 to a likely state-sponsored cluster designated CL-STA-1132. CISA added it to the Known Exploited Vulnerabilities catalog on May 6, 2026. Patches begin arriving May 13. Until then, your firewall may be your biggest liability.
Background: When Your Perimeter Device *Is* the Attack Surface
There is a grim irony at the heart of enterprise network security: the very devices deployed to stop attackers are, increasingly, their preferred entry point. Palo Alto Networks firewalls run PAN-OS — a hardened, purpose-built network operating system deployed at the edge of some of the most sensitive networks on the planet: defense contractors, financial institutions, critical infrastructure operators, and government agencies. They are trusted implicitly by the networks behind them.
That trust makes them extraordinarily valuable targets.
CVE-2026-0300 is the latest chapter in an ongoing saga of perimeter device exploitation that has characterized the threat landscape since at least 2020. Before this disclosure, we saw serial exploitation of Ivanti Connect Secure, Citrix NetScaler, Fortinet FortiGate, and Palo Alto's own PAN-OS in the CVE-2024-3400 campaign. The pattern is consistent: nation-state actors identify a memory corruption flaw in an internet-facing service, weaponize it silently, exploit a narrow window before disclosure, and achieve the highest-value initial access in enterprise security — root on the firewall, with full visibility into every packet crossing the perimeter.
CVE-2026-0300 fits the pattern with alarming precision.
Technical Analysis: The Anatomy of a Captive Portal Buffer Overflow
The Vulnerable Component
The flaw resides in the User-ID Authentication Portal, commonly called the Captive Portal, a feature of PAN-OS that enables user-based policy enforcement. When a device connects to a network segment managed by the firewall, the portal can intercept unidentified traffic and redirect users to a login page to capture identity information before allowing access. It is a legitimate enterprise feature — but one that, when exposed to untrusted networks, becomes a listening service reachable by any adversary on the internet.
The root cause is classified as CWE-787: Out-of-Bounds Write — a buffer overflow condition. By crafting a sequence of malformed network packets directed at the Captive Portal service, an unauthenticated attacker can overflow a memory buffer. Because the service fails to perform adequate bounds checking on attacker-controlled input, the overflow corrupts adjacent memory, ultimately allowing the attacker to overwrite function pointers or return addresses and redirect program execution to arbitrary shellcode.
Privilege Escalation Is Baked In
Here is the detail that elevates this from "serious" to "catastrophic": exploitation does not require a separate privilege escalation step. The Captive Portal service runs natively as root. The attacker's shellcode executes at root level the moment the overflow succeeds. There is no post-exploitation privilege escalation phase — initial access is root access on the underlying PAN-OS system.
The nginx Injection Vector
According to Unit 42's post-exploitation forensics on cluster CL-STA-1132, successful exploitation resulted in shellcode injection directly into an nginx worker process. Nginx is integral to PAN-OS's web-serving infrastructure, managing the HTTP/HTTPS layer that handles portal interactions. Injecting into an nginx worker gives the attacker persistent code execution within a process that runs continuously, has network socket access, and maintains established connections — a near-ideal beachhead.
CVSS Context: Configuration-Dependent Severity
Palo Alto Networks has published two CVSS scores depending on deployment posture:
- CVSS 9.3 (Critical): Captive Portal is exposed to the public internet or untrusted networks — the highest-risk deployment, unfortunately common in organizations using the portal for guest network authentication.
- CVSS 8.7 (High): Captive Portal is restricted exclusively to trusted internal IP addresses — still critical, but requires an attacker to have already achieved internal network access before reaching the service.
The distinction matters for prioritization but should not be a reason for complacency. Internal network access is not a high bar for a determined state-sponsored actor with lateral movement capability.
The Exploitation Campaign: CL-STA-1132 Timeline
Unit 42's threat intelligence provides unusually detailed visibility into the attacker's methodology, reconstructed from forensic artifacts on two compromised firewalls. The campaign timeline documents a methodical, patient actor:
April 9, 2026 — Unsuccessful exploitation attempts logged against a target PAN-OS device. The attacker tests the vulnerability but fails to achieve RCE on the first attempt — suggesting early weaponization of a freshly discovered zero-day, with payloads still being refined.
April 16, 2026 — Successful RCE achieved; shellcode injected into nginx worker process. Within hours of gaining root, the attacker executed aggressive anti-forensics operations: clearing crash kernel messages, deleting nginx crash logs and core dump files, and purging evidence of the initial intrusion vector. This forensic hygiene phase is a signature behavior of sophisticated, operations-security-conscious threat actors.
April 20, 2026 — Multiple post-exploitation tools deployed with root privileges. Active Directory enumeration commenced using service account credentials harvested directly from the compromised firewall — a critical capability, since PAN-OS devices often hold AD service account credentials for integration with directory-based authentication policies. The attacker targeted domain root and DomainDnsZones, mapping the internal network structure. Evidence of ptrace injection and SUID privilege escalation binaries was subsequently deleted from audit logs.
April 29, 2026 — The attacker executed a SAML flood attack against the first compromised firewall, deliberately inducing a failover that promoted a secondary device to Active status. The secondary device inherited the same internet-facing traffic configuration — and was then compromised using the same RCE vector, achieving lateral movement across the organization's firewall cluster.
Post-Exploitation Tooling: Living Off the Open-Source Land
The attacker's tool selection reflects deliberate tradecraft: instead of proprietary malware that could be signature-detected, CL-STA-1132 relied exclusively on publicly available, open-source utilities:
EarthWorm — A multi-platform network tunneling tool (Windows, Linux, macOS, ARM/MIPS) used to establish SOCKS5 proxy tunnels and multi-hop cascaded network paths. EarthWorm has previously been linked to multiple Chinese state-affiliated clusters including Volt Typhoon, APT41, UAT-8337, and CL-STA-0046 — a lineage that, while not definitive, sharpens the attributional profile of CL-STA-1132 considerably.
ReverseSocks5 — A complementary tunneling utility establishing outbound SOCKS5 proxy connections from the compromised firewall to an attacker-controlled controller, bypassing NAT and egress firewall rules to provide persistent, bidirectional network access into the target's internal environment.
The exclusive use of open-source tooling is a hallmark of mature APT operations: it complicates attribution, defeats signature-based detection that relies on proprietary implant databases, and leverages the plausible deniability of tools available to any researcher.
Affected Versions
Every supported PAN-OS major branch is affected. Patch availability is staggered across two deployment windows (May 13 and May 28, 2026):
| PAN-OS Branch | Vulnerable Through | First Fix ETA |
|---|---|---|
| 12.1 | < 12.1.4-h5, < 12.1.7 | 05/13–05/28 |
| 11.2 | < 11.2.4-h17, < 11.2.7-h13, < 11.2.10-h6, < 11.2.12 | 05/13–05/28 |
| 11.1 | < 11.1.4-h33, < 11.1.6-h32, < 11.1.7-h6, < 11.1.10-h25, < 11.1.13-h5, < 11.1.15 | 05/13–05/28 |
| 10.2 | < 10.2.7-h34, < 10.2.10-h36, < 10.2.13-h21, < 10.2.16-h7, < 10.2.18-h6 | 05/13–05/28 |
Not affected: Prisma Access, Cloud NGFW, Panorama appliances.
Shodan reconnaissance as of May 6, 2026 identified 67 PAN-OS instances publicly exposing port 6081 (the Captive Portal port) — the primary attack surface. Port 6082 showed no exposed instances. While 67 is a small absolute number, these represent organizations that have misconfigured their firewall deployment and are the most immediately at risk. The realistic exploitable universe is broader: any organization where the portal is reachable from untrusted internal network segments (e.g., guest Wi-Fi, contractor VLANs, cloud peering connections) without IP restriction.
Indicators of Compromise (IOCs)
The following attacker infrastructure was identified by Unit 42 during analysis of the CL-STA-1132 campaign:
| Indicator | Type | Description |
|---|---|---|
| 67.206.213[.]86 | IP Address | Attacker Infrastructure |
| 136.0.8[.]48 | IP Address | Attacker Infrastructure |
| 146.70.100[.]69 | IP Address | C2 Staging Server |
| EarthWorm binary | Tool | Open-source tunneling — confirm via hash/process name |
| ReverseSocks5 binary | Tool | Open-source SOCKS5 reverse proxy |
Forensic artifacts to hunt for:
- Unexpected nginx worker process crashes or restarts (may be logged before anti-forensics wipe)
- Missing or truncated entries under /var/log/pan/ — deliberate log gaps are a strong IOC
- Unexpected outbound SOCKS5/TCP connections on high ports from the firewall management plane
- AD enumeration queries (DomainDnsZones, domain root) originating from firewall service accounts
- SUID binaries in non-standard locations (/tmp, /var/tmp, firewall application directories)
- ptrace events associated with nginx worker PIDs
MITRE ATT&CK Mapping
| Tactic | Technique | Implementation |
|---|---|---|
| Initial Access | T1190 — Exploit Public-Facing Application | Crafted packets to internet-exposed PAN-OS Captive Portal |
| Execution | T1203 — Exploitation for Client/Server Execution | CWE-787 buffer overflow triggering shellcode via nginx worker injection |
| Privilege Escalation | T1068 — Exploitation for Privilege Escalation | Root execution inherited from Captive Portal service |
| Defense Evasion | T1562 — Impair Defenses | Crash log deletion, core dump removal, audit log purging |
| Defense Evasion | T1070 — Indicator Removal | Systematic erasure of forensic artifacts post-compromise |
| Discovery | T1046 — Network Service Discovery | Internet scanning for port 6081 prior to exploitation |
| Discovery | T1018 — Remote System Discovery | AD enumeration from firewall service accounts |
| Lateral Movement | T1021 — Remote Services / SAML-induced failover | SAML flood causing secondary device promotion, re-exploitation |
| Command and Control | T1090 — Proxy (T1572 — Protocol Tunneling) | EarthWorm SOCKS5 tunnels, ReverseSocks5 outbound C2 |
Lyrie Take
This is not a routine enterprise vulnerability disclosure. This is a confirmed, ongoing state-sponsored intrusion campaign against one of the most sensitive control points in enterprise networks — and the patch isn't coming until next week.
Several dimensions make CVE-2026-0300 particularly dangerous in the current threat landscape:
1. The firewall is the incident response blind spot. Most organizations route security telemetry through their firewalls — logs, alerts, SIEM feeds. When an attacker compromises the firewall itself and wipes logs, they create a forensic dead zone precisely in the one location that would otherwise provide the most comprehensive network visibility. CL-STA-1132 understood this perfectly: their first priority after achieving RCE was destroying evidence. Organizations will have no way to accurately scope the damage from this campaign if they were compromised before the advisory.
2. The credential harvest from the firewall is underappreciated. PA-Series firewalls frequently hold service account credentials for Active Directory integration, RADIUS/LDAP authentication, and certificate-based identity. Obtaining root on the firewall means obtaining those credentials — and AD credentials harvested this way are fully valid, require no additional cracking, and provide domain authentication that looks identical to legitimate service account activity. The post-exploitation AD enumeration by CL-STA-1132 confirms this is exactly what happened.
3. The EarthWorm lineage is a meaningful signal. The connection between EarthWorm usage and multiple Chinese state-affiliated clusters (Volt Typhoon, APT41) is well-documented in historical Unit 42 and CISA advisories. While tooling overlap alone does not constitute attribution, it places CL-STA-1132 within an established operational ecosystem. Organizations in sectors historically targeted by Chinese state actors — defense, telecommunications, critical infrastructure, technology — should treat this as an elevated-priority threat.
4. The SAML failover pivot is tactically sophisticated. Deliberately inducing a SAML-layer flood to trigger automatic failover to a secondary firewall — and then exploiting the secondary device — is not an improvised technique. It required prior knowledge of the target's HA architecture, careful orchestration, and confidence in their ability to replicate the exploit against a freshly promoted active device. This is not opportunistic exploitation; it is a targeted, persistent campaign with operational planning behind it.
Defender Playbook
Given the absence of an available patch, security teams must act immediately on mitigations. Here is the prioritized response sequence:
Immediate (next 24 hours):
1. Audit your Captive Portal exposure. Log into every PA-Series and VM-Series firewall and check Device > User Identification > Authentication Portal Settings. Determine whether the portal is enabled and which interfaces/zones can reach it.
2. Restrict to trusted zones immediately. If the portal must remain enabled, ensure it is accessible only from explicitly trusted internal IP ranges. Remove any configuration that allows the portal to respond to internet-facing interfaces or untrusted network zones. This drops the CVSS from 9.3 to 8.7 and removes the primary attack surface exploited by CL-STA-1132.
3. Disable the portal if not required. If your organization does not actively use the User-ID Authentication Portal feature, disable it entirely. This eliminates the attack surface completely.
4. Update Threat Prevention signatures. For PAN-OS 11.1 and above, Palo Alto has released an emergency Threat Prevention signature to block exploitation attempts. Confirm your threat prevention feeds are current and signatures are applied.
5. Firewall log integrity audit. Review nginx crash logs, kernel panic logs, and authentication portal access logs. Gaps, truncations, or deletions in these logs between April 9 and today are a strong indicator of compromise.
Short-term (next 7 days):
6. Patch on May 13. Apply the first available fixed version for your PAN-OS branch the moment it releases. Do not delay. Every day without a patch is exposure to a confirmed state-sponsored actor with a working exploit.
7. Hunt for post-exploitation IOCs. Scan for EarthWorm and ReverseSocks5 binaries on compromised or suspect firewalls. Check for unexpected outbound connections on SOCKS5 protocols. Review firewall service account activity in your AD logs for anomalous enumeration queries.
8. Network segmentation review. Map all network paths that could reach the Captive Portal service from untrusted segments (contractor VLANs, cloud peering, guest Wi-Fi ingress points). Restrict at the network layer if interface-level restriction has any gaps.
Strategic:
9. Reconsider internet-exposed authentication portals. The broader lesson from years of perimeter device exploitation is clear: any internet-accessible service on a security appliance is a potential attack surface. Authentication portals, management interfaces, and VPN endpoints exposed to the public internet should be considered high-risk configurations requiring compensating controls (IP allowlisting, zero-trust network access, MFA layering) as a baseline — not as optional hardening.
10. Establish out-of-band logging. Firewall logs should be streamed in real time to an external SIEM over a management network path that bypasses the data-plane interfaces. An attacker who compromises a firewall should not be able to erase the log trail by manipulating local files.
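As an added example (not code from the advisory, Unit 42, or Palo Alto), here are the two hunts that the forensic artifacts list and playbook steps 5 and 7 call for, run SIEM-side over logs already forwarded off the firewall: a detector for log silences inside the exploitation window, and a filter for management-plane egress to the listed IOCs or to high TCP ports. The line format, the management address 10.0.0.1 and the sample export are assumptions; the IOC IPs and the April 9 to May 6 window come from the advisory.

```python
from datetime import datetime, timedelta
import re

# Attacker IPs from the Unit 42 IOC table, re-fanged so they compare as strings.
IOC_IPS = {"67.206.213.86", "136.0.8.48", "146.70.100.69"}
# Exploitation window documented in the advisory (first attempts to KEV listing).
WINDOW_START = datetime(2026, 4, 9)
WINDOW_END = datetime(2026, 5, 6, 23, 59, 59)

# Assumed export shape "<timestamp> <logtype> key=value ..."; adapt to your forwarder.
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\w+) (.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Return (timestamp, logtype, {key: value}) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
    return ts, m.group(2), dict(KV_RE.findall(m.group(3)))

def find_log_gaps(lines, max_gap=timedelta(hours=6)):
    """Silences longer than max_gap that begin inside the exploitation window;
    the advisory reports crash logs and core dumps being wiped right after RCE."""
    stamps = sorted(p[0] for p in map(parse, lines) if p)
    return [(a, b) for a, b in zip(stamps, stamps[1:])
            if b - a > max_gap and WINDOW_START <= a <= WINDOW_END]

def find_suspect_egress(lines, mgmt_ips):
    """Traffic rows where the firewall's own management address reaches a listed
    IOC or opens outbound TCP on a high port (the SOCKS5 tunnelling pattern of
    EarthWorm / ReverseSocks5). These are candidates for review, not verdicts."""
    hits = []
    for p in map(parse, lines):
        if not p or p[1] != "traffic" or p[2].get("src") not in mgmt_ips:
            continue
        ts, _, f = p
        dport = int(f.get("dport", 0))
        if f.get("dst") in IOC_IPS:
            hits.append((ts, f["dst"], dport, "known IOC"))
        elif f.get("proto") == "tcp" and dport >= 1024:
            hits.append((ts, f["dst"], dport, "high-port egress"))
    return hits

# Constructed sample export, not real telemetry: a 12-hour silence follows an
# nginx worker exit, then the management IP reaches a listed IOC and a high port.
SAMPLE = """\
2026/04/16 00:00:00 system msg=heartbeat
2026/04/16 02:10:00 system msg=nginx_worker_exit signal=11 pid=4711
2026/04/16 14:40:12 traffic src=10.0.0.1 dst=146.70.100.69 dport=44321 proto=tcp
2026/04/16 15:20:00 traffic src=10.0.0.1 dst=10.0.5.10 dport=389 proto=tcp
2026/04/16 16:05:00 traffic src=10.0.0.1 dst=203.0.113.7 dport=51820 proto=tcp
2026/04/16 17:00:00 system msg=heartbeat
""".splitlines()
```

Run `find_log_gaps(SAMPLE)` and `find_suspect_egress(SAMPLE, {"10.0.0.1"})` against the sample, then point both at your real forwarded logs with your management addresses.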
Sources
- Palo Alto Networks Security Advisory: https://security.paloaltonetworks.com/CVE-2026-0300
- Unit 42 Campaign Tracking (CL-STA-1132): https://unit42.paloaltonetworks.com/captive-portal-zero-day/
- CISA KEV Catalog (CVE-2026-0300 added 2026-05-06): https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Wiz Threat Analysis: https://www.wiz.io/blog/critical-vulnerability-in-pan-os-exploited-in-the-wild-cve-2026-0300
- The Hacker News Coverage: https://thehackernews.com/2026/05/palo-alto-pan-os-flaw-under-active.html
- CyberSecurityNews Campaign Timeline: https://cybersecuritynews.com/palo-alto-firewall-0-day-exploited/
- SecurityWeek APT Attribution Analysis: https://www.securityweek.com/palo-alto-networks-to-patch-zero-day-exploited-to-hack-firewalls/
- Threat Landscape Advisory: https://threatlandscape.io/blog/zero-day-cve-2026-0300-palo-alto-panos-rce-active-exploitation
- Help Net Security (State Actor Attribution): https://www.helpnetsecurity.com/2026/05/07/state-sponsored-hackers-zero-day-attacks-palo-alto-firewalls/
Lyrie.ai Cyber Research Division — Senior Analyst Desk
Lyrie Verdict
Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.