By Lyrie Threat Intelligence·5/9/2026

CVE-2026-0300: The PAN-OS Captive Portal Zero-Day That Handed State Actors the Keys to the Kingdom

TL;DR

A critical, unpatched buffer overflow in the Palo Alto Networks PAN-OS User-ID Authentication Portal (Captive Portal) allows an unauthenticated attacker to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls. Tracked as CVE-2026-0300 (CVSS 9.3), the vulnerability has been actively exploited by a likely state-sponsored threat actor since at least April 9, 2026 — four weeks before Palo Alto disclosed it publicly. Unit 42 is tracking this activity cluster as CL-STA-1132. A first wave of patches lands May 13, 2026, but as of writing the vulnerability remains unpatched across the entire installed base. With over 5,800 VM-Series firewalls internet-exposed and Fortune 10 companies counting on these devices as their perimeter chokepoint, the blast radius is severe.


Background: Why PAN-OS Firewalls Are State-Sponsored Gold

Palo Alto Networks is not a commodity vendor. Its Next-Generation Firewalls sit at the network perimeter of 70,000+ enterprise and government customers, including 90% of the Fortune 10 and most major U.S. financial institutions. That makes PAN-OS devices one of the highest-value targets in existence for nation-state operators: own the firewall, own the enterprise. You get east-west visibility, credential access, the ability to intercept and manipulate traffic, and — critically — a persistent foothold that is often overlooked in hunt operations because "the firewall is the security tool, not the attack surface."

This is not the first time PAN-OS has been exploited at scale. In November 2024, thousands of firewalls were compromised in a campaign that chained two zero-days. February 2026 saw three additional PAN-OS flaws abused against internet-facing management interfaces. The cadence is accelerating: sophisticated actors have clearly prioritized sustained R&D investment in PAN-OS attack surface research. CVE-2026-0300 is the sharpest result of that investment yet.


Technical Analysis: Buffer Overflow in the Captive Portal Service

The Vulnerable Component

The User-ID Authentication Portal — commonly called the Captive Portal — is a PAN-OS service used to authenticate users whose identities cannot be automatically mapped by the firewall's User-ID agent. When an unknown host tries to access a restricted zone, the firewall redirects the client to the Captive Portal, which prompts for credentials before granting access. The portal listens on TCP ports 6081 and 6082 and is designed to be accessible from any interface the administrator has configured — including, dangerously, internet-facing L3 interfaces.

The Bug Class

CVE-2026-0300 is a classic out-of-bounds write (buffer overflow) in the Captive Portal service. By sending a specially crafted packet sequence, an unauthenticated attacker can corrupt heap or stack memory adjacent to the target buffer. The vulnerability is pre-authentication — no credentials, no session, no prior knowledge of the target environment is required beyond network reachability to the portal endpoint.

Successful exploitation yields arbitrary code execution with root privileges directly in an nginx worker process. From there, the attacker controls the firewall OS, its configuration, any stored credentials, and the entire routing fabric the device touches.

Wiz analysis confirmed that exploitation risk is specifically tied to whether the Authentication Portal is reachable from untrusted/internet-facing IPs. Palo Alto's advisory framing of "limited exposure" should not obscure the structural reality: Shadowserver identified 5,800+ VM-Series instances exposed on the public internet. Shodan identified 67 instances with port 6081 exposed directly. Each of those is a live trigger for a weaponized exploit that is already in active use.

Attack Chain Reconstruction (CL-STA-1132)

Unit 42's investigation into the CL-STA-1132 cluster reconstructed a textbook state-actor exploitation timeline with forensic precision:

April 9, 2026 — Reconnaissance and Failed Attempts

Initial exploitation attempts against a targeted PAN-OS device. The attempts logged crash artifacts but failed to achieve execution — suggesting a development/tuning phase where the actor was adjusting their exploit against the specific target build version.

April 16, 2026 — Initial RCE Achieved

Approximately one week after the failed probes, the attackers successfully achieved RCE and injected shellcode into a running nginx worker process. The five-second delay between shellcode injection and the first post-exploitation command is consistent with shellcode execution over a reverse shell or staged payload loader.

Immediate Post-Compromise — Forensic Evasion

Within minutes of gaining root, the attackers executed a systematic log destruction sequence:

  • Cleared crash kernel messages
  • Deleted nginx crash entries and crash records
  • Removed crash core dump files from disk

This is not the behavior of commodity ransomware or script-kiddie tooling. The deliberate elimination of the exact artifacts that would surface in a forensic investigation is a hallmark of disciplined, well-resourced threat actors with explicit operational security mandates.

April 20, 2026 — Tool Deployment and AD Enumeration

Four days post-compromise, the attackers deployed tools with root privileges and initiated Active Directory enumeration using the firewall's own stored service account credentials. They targeted domain root and DomainDnsZones — standard targets for understanding AD topology in preparation for lateral movement or Kerberoasting.

They then deleted ptrace injection evidence from audit logs and removed the set-user-ID (SUID) binary used for privilege escalation — once again: operational security over speed.

April 29, 2026 — SAML Flood Pivot

The attackers executed a SAML flood attack against the first compromised device. This caused a secondary HA (High Availability) peer to be promoted to Active status, inheriting the same internet-facing traffic configuration. The attacker then immediately exploited CVE-2026-0300 against this second device, achieving RCE and downloading their full toolset.

Tunneling Infrastructure: EarthWorm + ReverseSocks5

The actor chose exclusively open-source tooling, avoiding any proprietary malware that could generate vendor signatures:

  • EarthWorm — an open-source C network tunneling tool supporting SOCKS5 proxy tunneling and multi-hop cascaded paths. Previously linked to Volt Typhoon, APT41, UAT-8337, and CL-STA-0046. Used here to establish covert communication channels from the compromised firewall to attacker-controlled infrastructure (MITRE T1090, T1572).
  • ReverseSocks5 — establishes outbound SOCKS5 proxy tunnels from the compromised device to an attacker-controlled listener, bypassing NAT and perimeter controls to route traffic into the internal network.

The use of living-off-the-land tooling combined with open-source offensive utilities mirrors TTPs attributed to Chinese state-sponsored operators in recent CISA/NSA joint advisories. No formal attribution to a specific APT has been published; Unit 42's "likely state-sponsored" language is their standard threshold for nation-state-grade TTPs without confirmed government ties.


Affected Versions and Patch Timeline

| PAN-OS Branch | Vulnerable Versions | Fixed Version | Patch ETA |
|---|---|---|---|
| 12.1 | < 12.1.4-h5 | 12.1.4-h5 | May 13, 2026 |
| 12.1 | < 12.1.7 | 12.1.7 | May 28, 2026 |
| 11.2 | < 11.2.10-h6 | 11.2.10-h6 | May 13, 2026 |
| 11.2 | < 11.2.4-h17 | 11.2.4-h17 | May 28, 2026 |
| 11.1 | < 11.1.4-h33 | 11.1.4-h33 | May 13, 2026 |
| 11.1 | < 11.1.10-h25 | 11.1.10-h25 | May 13, 2026 |
| 10.2 | < 10.2.10-h36 | 10.2.10-h36 | May 13, 2026 |
| 10.2 | < 10.2.18-h6 | 10.2.18-h6 | May 13, 2026 |

Not affected: Prisma Access, Cloud NGFW, Panorama appliances.


Indicators of Compromise (IOCs)

| Indicator | Type | Description |
|---|---|---|
| 67.206.213[.]86 | IP Address | CL-STA-1132 Attacker Infrastructure |
| 136.0.8[.]48 | IP Address | CL-STA-1132 Attacker Infrastructure |
| 146.70.100[.]69 | IP Address | C2 Staging Server |
| 149.104.66[.]84 | IP Address | CL-STA-1132 Attacker Infrastructure |
| hxxp[:]//146.70.100[.]69:8000/php_sess | URL | EarthWorm Download URL |
| hxxps[:]//github[.]com/Acebond/ReverseSocks5/releases/download/v2.2.0/ReverseSocks5-v2.2.0-linux-amd64.tar[.]gz | URL | ReverseSocks5 Download |
| e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584 | SHA-256 | EarthWorm Binary |
| Safari/532.31 Mozilla/5.5 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36 Edg/138.0.0.0 | User-Agent | CL-STA-1132 Attacker UA |
| /var/tmp/linuxap, /var/tmp/linuxda, /var/tmp/linuxupdate | File Paths | Tunneling Tool Artifacts |
| /tmp/.c | File Path | Unidentified Python Script |
| /tmp/R5, /var/R5 | File Paths | ReverseSocks5 Binary Paths |

Defang before deploying to production SIEM; re-fang only within controlled TI platforms (MISP, VirusTotal, Cortex XSOAR).
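The following is an added example of how a hunt team can consume the table above while keeping it defanged at rest: the indicators are refanged only in memory, compiled into boundary-aware patterns (so a near-miss such as 136.0.8.480 does not fire), and swept across log lines, with every hit reported in its defanged form. It is not code from the original article, from Unit 42 or from Palo Alto Networks; the indicators are the ones in the table, and the log lines are constructed for the example.

```python
"""Refang the CL-STA-1132 indicators in memory and sweep log lines for them.

Added example for this article; it is not code from the original post, from
Unit 42 or from Palo Alto Networks. The indicators are the ones in the IOC
table above and stay defanged at rest. The log lines are constructed for the
example and are not real telemetry.
"""
import re

# Indicator -> kind, copied from the IOC table above (defanged form).
DEFANGED_IOCS = {
    "67.206.213[.]86": "ip",
    "136.0.8[.]48": "ip",
    "146.70.100[.]69": "ip",
    "149.104.66[.]84": "ip",
    "hxxp[:]//146.70.100[.]69:8000/php_sess": "url",
    "hxxps[:]//github[.]com/Acebond/ReverseSocks5/releases/download/v2.2.0/"
    "ReverseSocks5-v2.2.0-linux-amd64.tar[.]gz": "url",
    "e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584": "sha256",
    "Safari/532.31 Mozilla/5.5 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36 Edg/138.0.0.0": "ua",
    "/var/tmp/linuxap": "path",
    "/var/tmp/linuxda": "path",
    "/var/tmp/linuxupdate": "path",
    "/tmp/.c": "path",
    "/tmp/R5": "path",
    "/var/R5": "path",
}


def refang(indicator):
    """Restore the live form: [.] -> ., [:] -> :, leading hxxp(s) -> http(s)."""
    live = indicator.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)", r"http\1", live, flags=re.IGNORECASE)


def build_matchers(defanged=DEFANGED_IOCS):
    """Compile one pattern per indicator; the defanged string stays as the label."""
    matchers = []
    for raw, kind in defanged.items():
        live = re.escape(refang(raw))
        if kind in ("ip", "path"):
            # Token boundaries so 136.0.8.48 does not fire on 136.0.8.480
            # and /tmp/R5 does not fire on /tmp/R5x.
            pat = re.compile(r"(?<![\w.])" + live + r"(?![\w.-])")
        elif kind == "sha256":
            pat = re.compile(live, re.IGNORECASE)  # hashes are logged in either case
        else:
            pat = re.compile(live)
        matchers.append((raw, kind, pat))
    return matchers


def scan(lines, matchers=None):
    """Return (line_number, kind, defanged_indicator) for every indicator seen."""
    matchers = matchers or build_matchers()
    hits = []
    for n, line in enumerate(lines, 1):
        for raw, kind, pat in matchers:
            if pat.search(line):
                hits.append((n, kind, raw))
    return hits


# Constructed sample lines (not real logs); lines 4 and 6 are near-misses.
SAMPLE_LOGS = [
    "2026-04-16T10:02:11Z fw01 proxy: GET http://146.70.100.69:8000/php_sess 200",
    "2026-04-16T10:02:19Z fw01 audit: exec /var/tmp/linuxupdate uid=0",
    "2026-04-16T10:03:44Z fw01 traffic: 10.0.0.5 -> 136.0.8.48:443 allow",
    "2026-04-17T08:15:00Z fw01 traffic: 10.0.0.7 -> 136.0.8.480:443 allow",
    "2026-04-17T09:00:00Z fw01 audit: exec /tmp/R5 uid=0",
    "2026-04-17T09:00:01Z fw01 audit: exec /opt/tools/R5 uid=0",
    "2026-04-18T12:00:00Z fw01 files: sha256 E11F69B49B6F2E829454371C31EBF86893F82A0"
    "42DAE3F2FAF63DCD84F97A584 /var/tmp/linuxda",
    "2026-04-18T12:05:00Z fw01 http: ua=\"Safari/532.31 Mozilla/5.5 (Windows NT 10.0; "
    "Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36 "
    "Edg/138.0.0.0\" path=/php.cgi",
]

if __name__ == "__main__":
    for n, kind, raw in scan(SAMPLE_LOGS):
        print(f"line {n}: {kind} hit on {raw}")  # printed defanged, never live
```

The URL indicator and the C2 IP inside it both fire on the first sample line, which is intended: a hit on the bare IP still matters when the path has changed. Point `scan()` at forwarded syslog, proxy or Panorama exports rather than at the device itself, since the on-box artifacts were deleted in the intrusion described above.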


Lyrie Take: The Firewall Blind Spot Problem Is Structural

What CVE-2026-0300 exposes is not a coding mistake — it is a category-level architecture flaw in how enterprises think about security devices.

Firewalls, VPN gateways, and network appliances occupy a unique and dangerous position: they are simultaneously the highest-trust devices in the network and the ones with the least endpoint detection coverage. No EDR agent runs on PAN-OS. No behavioral analytics platform has a sensor inside the firewall kernel. When a state actor shellcodes into an nginx worker process and immediately destroys the logs, there is — in the absence of external telemetry collection — essentially nothing to find.

This is why the CL-STA-1132 campaign is so instructive: the attackers understood this blind spot deeply and exploited it methodically. The SAML flood pivot was especially elegant — by triggering an HA failover, they acquired a fresh, identical device without triggering any additional exploitation alerts, because from the AD environment's perspective, the new Active peer is the same firewall it has always been.

Lyrie's autonomous detection architecture addresses this gap by treating network perimeter devices as untrusted black boxes that must be audited from the outside-in: we instrument the traffic, the authentication flows, the AD query patterns, and the lateral movement signatures — not the appliance itself. When a firewall suddenly starts querying DomainDnsZones with a service account, that is detectable. When tunneling connections appear on TCP 6081 from an unexpected geographic source, that is detectable. The appliance's own log destruction cannot erase what Lyrie captured on the wire.


Defender Playbook

Immediate (Today):

1. Audit Captive Portal exposure. Navigate to Device > User Identification > Authentication Portal Settings. If "Enable Authentication Portal" is checked, verify the interface binding. Any configuration where the portal is accessible from an untrusted zone or the public internet is at critical risk.

2. Restrict or disable. Implement an Interface Management Profile that blocks Captive Portal access from any untrusted source IP. If Captive Portal functionality is not operationally required, disable it entirely.

3. Hunt for IOCs. Deploy the IOC table above across your SIEM, NGFW outbound logs, EDR, and proxy logs. Prioritize the attacker IP addresses and the file paths on any PAN-OS device you manage.

4. Review nginx crash logs. Check /var/log/nginx/ and crash dumps for any anomalous terminations in the April–May 2026 window. CL-STA-1132 deleted them from the device, but if you forward logs externally (Panorama, syslog, SIEM), you may still have artifacts.

5. Audit service account AD activity. Query your domain controllers for any LDAP queries originating from your firewall's service account, particularly against DomainDnsZones or the domain root. Anomalous AD enumeration from a firewall SA is a strong compromise indicator.
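Step 5 turns into a rule once the domain controllers' LDAP search logs are parsed: searches bound as the firewall's service account are compared against the bases the User-ID group-mapping profile is known to read, and anything rooted at the domain root or at DomainDnsZones, or coming from a client that is not one of the HA peers, is flagged. This is an added example, not code from the original article, from Unit 42 or from Palo Alto Networks; the domain, account name, addresses, allowed bases and records are constructed for the example, and the baseline is an assumption to be filled in from your own firewall configuration.

```python
"""Flag Active Directory enumeration by a firewall's User-ID service account.

Added example for this article, not code from the original post, Unit 42 or
Palo Alto Networks. It assumes the domain controllers' LDAP search logs have
already been parsed into records (bind account, client IP, search base,
filter); the records, domain, account name and IPs below are constructed.
The baseline of normal search bases is an assumption the defender fills in
from the User-ID group-mapping configuration on their own firewall.
"""

DOMAIN_ROOT = "dc=corp,dc=example"          # constructed domain
FIREWALL_SA = "corp\\svc-paloalto-userid"   # constructed service account
# Both HA peers: after a failover the newly Active peer legitimately queries
# AD from its own address, so a client outside this set is a real signal.
EXPECTED_CLIENTS = {"10.10.0.1", "10.10.0.2"}
# Search bases the User-ID group-mapping profile is configured to read (assumption).
ALLOWED_BASES = {
    "ou=users,dc=corp,dc=example",
    "ou=groups,dc=corp,dc=example",
}


def classify(rec):
    """Return the reasons a search by the firewall account looks like enumeration."""
    if rec["account"].lower() != FIREWALL_SA:
        return []  # other accounts are out of scope for this rule
    base = rec["base_dn"].lower()
    reasons = []
    if base == DOMAIN_ROOT:
        reasons.append("search rooted at the domain root")
    elif "dc=domaindnszones," in base:
        reasons.append("search against DomainDnsZones")
    elif base not in ALLOWED_BASES:
        reasons.append("search base outside the User-ID baseline")
    if rec["client"] not in EXPECTED_CLIENTS:
        reasons.append("request from unexpected client " + rec["client"])
    return reasons


def audit(records):
    """Return (timestamp, base_dn, reasons) for every record that raised a reason."""
    findings = []
    for rec in records:
        reasons = classify(rec)
        if reasons:
            findings.append((rec["ts"], rec["base_dn"], reasons))
    return findings


# Constructed records, not real DC logs. Record 1 is the normal group-mapping
# read; record 2 is a different account; records 3 to 5 are the enumeration.
SAMPLE_RECORDS = [
    {"ts": "2026-04-20T08:00:00Z", "account": "CORP\\svc-paloalto-userid",
     "client": "10.10.0.1", "base_dn": "OU=Groups,DC=corp,DC=example",
     "filter": "(objectClass=group)"},
    {"ts": "2026-04-20T08:00:05Z", "account": "CORP\\alice",
     "client": "10.0.5.20", "base_dn": "DC=corp,DC=example",
     "filter": "(sAMAccountName=alice)"},
    {"ts": "2026-04-20T09:12:41Z", "account": "CORP\\svc-paloalto-userid",
     "client": "10.10.0.1", "base_dn": "DC=corp,DC=example",
     "filter": "(objectClass=*)"},
    {"ts": "2026-04-20T09:12:43Z", "account": "CORP\\svc-paloalto-userid",
     "client": "10.10.0.1", "base_dn": "DC=DomainDnsZones,DC=corp,DC=example",
     "filter": "(objectClass=dnsZone)"},
    {"ts": "2026-04-20T09:13:10Z", "account": "CORP\\svc-paloalto-userid",
     "client": "10.10.0.9", "base_dn": "OU=Computers,DC=corp,DC=example",
     "filter": "(objectClass=computer)"},
]

if __name__ == "__main__":
    for ts, base, reasons in audit(SAMPLE_RECORDS):
        print(ts, base, "; ".join(reasons))
```

The allowlist is deliberately tight: a User-ID service account has a small, predictable set of search bases, so any widening of that set is worth a ticket even when the client address is expected.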

Short-Term (Patch Window):

6. Prioritize May 13 patches. For branches receiving fixes on May 13 (see version table above), patch immediately upon release. Do not wait for your regular maintenance window.

7. Enable Advanced Threat Prevention. Palo Alto confirms ATP detects known exploit patterns for CVE-2026-0300 if signatures are updated.

8. Deploy Cortex Xpanse (or an equivalent ASM tool) to continuously inventory your exposure on TCP 6081/6082 across your external attack surface.

Structural:

9. Zero-trust your firewall management. Management interfaces should never be internet-accessible. Apply the same zero-trust principles to the security device itself as you apply to everything behind it.

10. Instrument HA failover events. Treat any unexpected SAML flood or HA failover event as a potential pivot signal, not just a redundancy event.
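Step 10 and the April 29 pivot above call for one correlation: a burst of SAML authentication attempts from a single source, followed within minutes by an HA peer being promoted to Active. The example below is added here and is not code from the original article, from Unit 42 or from Palo Alto Networks. It assumes the firewall's auth and system logs are forwarded off-box and normalised to a simplified "timestamp host type message" line; that line shape, the thresholds, the hostnames and the addresses are constructed for the example and are not PAN-OS's native log format.

```python
"""Correlate a SAML authentication flood with a subsequent HA failover.

Added example for this article, not code from the original post, Unit 42 or
Palo Alto Networks. It assumes firewall auth and system logs have been
forwarded off-box (syslog/SIEM) and normalised to the simplified
"<timestamp> <host> <type> <message>" shape used here; the line format,
thresholds, hostnames and addresses are constructed for the example, not
PAN-OS's native log layout.
"""
from collections import deque
from datetime import datetime, timedelta

BURST_WINDOW = timedelta(seconds=60)  # sliding window for counting SAML attempts
BURST_THRESHOLD = 50                  # attempts from one source within the window
LOOKBACK = timedelta(minutes=5)       # how far before a failover to look for a burst


def parse(line):
    ts, host, kind, msg = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, "msg": msg}


def saml_bursts(events):
    """Return (start, end, src, peak) per source whose SAML rate crossed the threshold.

    `events` must be in time order; a per-source deque holds the timestamps
    that fall inside the current window.
    """
    windows, bursts = {}, {}
    for e in events:
        if e["kind"] != "auth" or not e["msg"].startswith("saml "):
            continue
        src = e["msg"].split("src=", 1)[1].split()[0]
        q = windows.setdefault(src, deque())
        q.append(e["ts"])
        while e["ts"] - q[0] > BURST_WINDOW:
            q.popleft()
        if len(q) >= BURST_THRESHOLD:
            b = bursts.setdefault(src, [q[0], e["ts"], 0])  # [start, end, peak]
            b[1], b[2] = e["ts"], max(b[2], len(q))
    return [(b[0], b[1], src, b[2]) for src, b in bursts.items()]


def correlate(lines):
    """Return (severity, host, ts, message) for every HA promotion to Active."""
    events = sorted((parse(ln) for ln in lines), key=lambda e: e["ts"])
    bursts = saml_bursts(events)
    alerts = []
    for e in events:
        if e["kind"] != "system" or "ha-state-change" not in e["msg"] \
                or "to Active" not in e["msg"]:
            continue
        linked = [b for b in bursts if e["ts"] - LOOKBACK <= b[1] <= e["ts"]]
        if linked:
            start, end, src, peak = linked[0]
            alerts.append(("high", e["host"], e["ts"],
                           f"HA promotion within {LOOKBACK} of SAML burst from {src} "
                           f"(peak {peak} attempts/{BURST_WINDOW.seconds}s); treat as pivot"))
        else:
            alerts.append(("medium", e["host"], e["ts"],
                           "HA promotion with no preceding SAML burst; confirm the cause"))
    return alerts


def constructed_logs():
    """Constructed sample, not real telemetry: one benign login, an 80-request
    SAML flood over 40 seconds, the resulting failover, then an unrelated one."""
    lines = ["2026-04-29T13:55:00 fw01 auth saml login user=alice src=10.0.5.20 result=success"]
    t0 = datetime(2026, 4, 29, 14, 0, 0)
    for i in range(80):
        t = (t0 + timedelta(milliseconds=500 * i)).isoformat()
        lines.append(f"{t} fw01 auth saml login user=svc src=198.51.100.77 result=failure")
    lines.append("2026-04-29T14:01:30 fw02 system ha-state-change from Passive to Active "
                 "reason=peer-unresponsive")
    lines.append("2026-04-29T18:00:00 fw01 system ha-state-change from Passive to Active "
                 "reason=preempt")
    return lines


if __name__ == "__main__":
    for sev, host, ts, msg in correlate(constructed_logs()):
        print(sev.upper(), host, ts.isoformat(), msg)
```

Every promotion to Active produces an alert, not only the correlated ones: the medium-severity case is the "redundancy event" the playbook says should no longer be taken at face value, and the high-severity case is the pivot pattern from April 29, where the freshly promoted peer inherits the exposed portal and should be checked for exploitation immediately.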



Lyrie.ai Cyber Research Division — Senior Analyst Desk

Lyrie Verdict

Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.