TL;DR
A critical buffer overflow (CVE-2026-0300, CVSSv4 9.3) in the Palo Alto Networks PAN-OS User-ID Authentication Portal allows unauthenticated remote code execution with root privileges on PA-Series and VM-Series firewalls. No patches existed at the time of disclosure — fixes began rolling out May 13, 2026. The vulnerability has been actively exploited since at least April 9, 2026, by CL-STA-1132, a likely state-sponsored threat cluster. Post-exploitation activity spans log destruction, SOCKS5 tunneling via EarthWorm and ReverseSocks5, Active Directory enumeration, and cross-device lateral movement via a deliberate SAML flood. With ~225,000 internet-exposed PAN-OS instances indexed by Shodan and the bug added to CISA's KEV on Day Zero of disclosure, this is a critical, unpatched, state-actor-exploited network perimeter vulnerability. If you haven't restricted or disabled the Captive Portal, you are in the blast radius today.
Background
Palo Alto Networks firewalls sit at the perimeter of the world's most sensitive networks. More than 70,000 customers use PAN-OS globally, covering 90% of Fortune 10 companies and the largest U.S. financial institutions. The platform's reputation for hardening the enterprise edge makes it a prestige target for nation-state operators who know that compromising a firewall means compromising everything behind it.
The User-ID™ Authentication Portal — also called the Captive Portal — is a non-default PAN-OS feature that maps IP addresses to usernames when automatic mapping fails. In enterprise environments deploying guest networks, VDI, or mixed-trust zones, it is a convenience feature that gets left enabled and, critically, sometimes exposed to the public internet or semi-trusted segments.
That is the threat model CVE-2026-0300 was discovered living inside.
On May 6, 2026, Palo Alto Networks disclosed the flaw alongside an active exploitation advisory. By that same afternoon, CISA had added it to the Known Exploited Vulnerabilities catalog — a dual-track announcement that signals the industry understands this isn't a patch-when-convenient situation. Patches were not yet available on disclosure day. A state-linked actor had already been inside real networks for nearly a month.
Technical Analysis
Vulnerability Class: Heap Buffer Overflow (CWE-787)
CVE-2026-0300 is a classic out-of-bounds write (heap buffer overflow) in the User-ID Authentication Portal's packet processing path. The flaw resides in the service's handling of inbound network packets — before any authentication takes place.
An unauthenticated remote attacker sends a specially crafted packet stream to a PAN-OS device where the Authentication Portal is enabled and reachable. The malformed input overflows a heap-resident buffer in an nginx worker process that fronts the portal service. When the overflow is weaponized correctly, it provides a controlled write primitive that allows arbitrary code injection into the nginx worker's memory space. Because the nginx worker that serves the portal runs as root on PAN-OS, successful exploitation yields immediate root-level code execution on the underlying firewall OS — no authentication, no user interaction, no additional privileges needed.
CVSSv4 Base Score: 9.3
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope of Impact: High (Confidentiality, Integrity, Availability)
- Exploit Maturity: Active (confirmed in the wild)
This puts CVE-2026-0300 firmly in the "fire-and-forget" category of critical RCEs. No phishing. No credential access. Just a malformed TCP/IP packet delivered to a publicly accessible endpoint.
Affected Versions
| Branch | Vulnerable Below | First Fixed |
|--------|-----------------|-------------|
| PAN-OS 12.1 | 12.1.4-h5 / 12.1.7 | 12.1.4-h5 (May 13) |
| PAN-OS 11.2 | 11.2.4-h17 / 11.2.7-h13 / 11.2.10-h6 / 11.2.12 | Multiple (May 13–28) |
| PAN-OS 11.1 | 11.1.4-h33 / 11.1.6-h32 / 11.1.7-h6 and others | Multiple (May 13–28) |
| PAN-OS 10.2 | 10.2.7-h34 / 10.2.10-h36 / 10.2.13-h21 and others | Multiple (May 13–28) |
Not affected: Prisma Access, Cloud NGFW, Panorama. The vulnerability is a device-local code path unique to the on-premises PA-Series and VM-Series hardware/hypervisor stack.
The CL-STA-1132 Attack Timeline
Unit 42's threat intelligence team reconstructed the attack sequence with forensic precision. The timeline reveals a patient, deliberate operation characteristic of state-sponsored APT tradecraft:
April 9, 2026 — First Contact
CL-STA-1132 begins sending exploitation attempts to a PAN-OS device. Initial attempts fail — possibly probing for the specific firmware version, timing the memory layout, or dealing with ASLR-adjacent behavior in the overflow path.
April 16, 2026 — Initial Compromise
The attackers achieve successful RCE against the device. Shellcode is injected into an nginx worker process, granting root access to the firewall operating environment. The first action taken post-compromise: aggressive log destruction. Crash kernel messages are cleared. nginx crash entries and crash records are deleted. Core dump files are removed. This isn't an afterthought — it's a practiced forensic countermeasure, indicating operational security procedures written and rehearsed ahead of the intrusion.
April 20, 2026 — Tool Deployment and AD Enumeration
Four days after initial compromise, the attackers deploy several tools with root privileges and begin Active Directory enumeration using service account credentials extracted from the firewall. The targeted structures are the domain root and DomainDnsZones — classic early-phase AD recon for mapping the internal network topology before lateral movement. Evidence of ptrace injection and SUID privilege escalation binaries is subsequently deleted from audit logs.
April 29, 2026 — Lateral Pivot via SAML Flood
The attackers execute a SAML flood attack against the original compromised device. The flood causes a secondary PAN-OS firewall to be promoted to Active status in a high-availability configuration, inheriting the same internet-facing traffic rules and service configuration. This is a sophisticated lateral move: rather than attacking the second firewall directly, the attackers weaponize the HA failover mechanism to inherit a trusted session and then compromise the second device as a natural extension. RCE is then achieved on the second firewall, with EarthWorm and ReverseSocks5 downloaded and deployed.
Post-Exploitation Tooling
The attacker's toolset is composed entirely of open-source, living-off-the-internet tools — a deliberate counter-attribution strategy that leaves no proprietary malware signature to match on.
EarthWorm is an open-source network tunneling tool written in C, supporting Windows, Linux, macOS, and ARM/MIPS platforms. It provides:
- Forward and reverse SOCKS5 proxy tunneling (MITRE T1090)
- Multi-hop cascaded network tunnel construction for deep pivoting (MITRE T1572)
- Traffic encapsulation for RDP and SSH within SOCKS sessions
EarthWorm has appeared in prior operations attributed to Volt Typhoon, APT41, UAT-8337, and CL-STA-0046 — all China-nexus or China-linked clusters. Its presence here provides a soft attribution signal for CL-STA-1132 while deliberately maintaining plausible deniability.
ReverseSocks5 is a lightweight reverse-proxy tool designed specifically to defeat perimeter firewall rules. Rather than waiting for an inbound connection from the attacker (which would be blocked by egress controls), the implant on the compromised device initiates an outbound connection to the attacker-controlled controller. This reversal allows the attacker to tunnel arbitrary traffic through the firewall perimeter using an outbound connection that looks indistinguishable from normal HTTPS egress.
Together, the two tools create a persistent, bidirectional command-and-control channel routed through the most privileged network device in the target environment — the perimeter firewall itself.
Attack Surface Context
Shodan indexes approximately 225,000 internet-facing PAN-OS instances. Shadowserver is tracking over 5,800 VM-Series firewalls exposed online, with the heaviest concentrations in Asia (2,466) and North America (1,998). The Authentication Portal is a non-default feature, so only a subset of these are directly vulnerable to CVE-2026-0300 in its most severe form — but "non-default" does not mean "rare." In complex enterprise environments, Captive Portal is a common convenience deployment that security teams frequently overlook when inventorying exposed attack surface.
Indicators of Compromise (IOCs)
| Indicator | Type | Description |
|---|---|---|
| 67.206.213[.]86 | IPv4 | Attacker Infrastructure |
| 136.0.8[.]48 | IPv4 | Attacker Infrastructure |
| 146.70.100[.]69 | IPv4 | C2 Staging Server |
| 149.104.66[.]84 | IPv4 | Attacker Infrastructure |
| hxxp[:]//146.70.100[.]69:8000/php_sess | URL | EarthWorm Download URL |
| hxxps[:]//github[.]com/Acebond/ReverseSocks5/releases/download/v2.2.0/ReverseSocks5-v2.2.0-linux-amd64.tar[.]gz | URL | ReverseSocks5 Download URL |
| e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584 | SHA-256 | EarthWorm Binary |
| Safari/532.31 Mozilla/5.5 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36 Edg/138.0.0.0 | User-Agent | Attacker Browser String |
| /var/tmp/linuxap, /var/tmp/linuxda, /var/tmp/linuxupdate | File Paths | Tunneling Tool Artifacts |
| /tmp/.c | File Path | Unidentified Python Script |
| /tmp/R5, /var/R5 | File Paths | ReverseSocks5 Binary Paths |
Note: IP addresses and URLs are intentionally defanged. Re-fang only within controlled threat intelligence platforms (MISP, SIEM, VirusTotal).
Lyrie Take
This vulnerability represents a pattern we've been tracking across PAN-OS for the past 18 months: the perimeter security device as the highest-value lateral pivot point in the enterprise. Nation-state actors understand that compromising the firewall is better than compromising anything behind it. The firewall sees all traffic, holds service account credentials, manages identity mapping, and typically sits outside the EDR/XDR instrumentation perimeter. It is, in operational security terms, a root implant with no telemetry attached.
Three aspects of CL-STA-1132's operation are particularly instructive:
1. The log destruction reflex. The moment the shellcode landed in nginx, the first automated behavior was forensic erasure — not persistence, not exfiltration. This tells us the attacker's operational doctrine prioritizes dwell time over speed. They have been discovered before and learned from it. This is not a commodity actor.
2. The SAML flood lateral move. Using a SAML flood to trigger HA failover and inherit a trusted active firewall configuration is extraordinarily clever. It turns a resilience feature (high-availability) into an attack vector, requiring no additional exploitation of the second device. This is the kind of technique that only emerges from deep understanding of the product architecture, suggesting either hands-on lab testing or insider-level knowledge of PAN-OS HA behavior.
3. The exclusively open-source toolset. Every tool deployed by CL-STA-1132 is publicly available. In 2026, this is the counter-attribution standard for state actors. When your malware is someone else's GitHub repo, attribution becomes a political argument rather than a technical one. EarthWorm's fingerprint links the cluster to prior China-nexus activity, but that connection is circumstantial by design.
For defenders, the practical implication is that detection must rely on behavioral patterns (unusual outbound SOCKS tunnels, AD enumeration from firewall service accounts, nginx crash log vacuuming) rather than signature-based matching on binaries that look like ordinary open-source software.
Defender Playbook
Immediate (Do Today — No Patch Required)
1. Audit Captive Portal exposure: Navigate to Device → User Identification → Authentication Portal Settings. If "Enable Authentication Portal" is checked and the interface is reachable from untrusted networks, act now.
2. Restrict or disable: Either restrict Authentication Portal access to trusted internal zones only (preferred if the feature is operationally required), or disable the portal entirely if it is not. Palo Alto Networks strongly recommends this as the primary mitigation.
3. Block at perimeter: If your firewall architecture allows it, implement upstream ACLs or NSGs blocking untrusted source IPs from reaching the Authentication Portal port (typically TCP 443 or 80 on the affected interface).
4. Search for IOC matches: Hunt the attacker IP addresses and file paths across your SIEM, EDR, and firewall logs. Pay particular attention to outbound connections to 146.70.100[.]69 and presence of /var/tmp/linuxap* artifacts.
5. Audit nginx crash logs: If you find these logs have been vacuumed or truncated on a PAN-OS device — particularly around April–May 2026 — treat that device as compromised pending investigation.
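To support step 4, an added example (not code from the advisory, Unit 42 or Lyrie) that refangs a subset of the indicators from the IOC table above and hunts them across constructed PAN-OS-style log lines; the log line format and the sample addresses are assumptions.

```python
import re
from fnmatch import fnmatch

# Indicators copied (defanged) from the IOC table above; they are refanged only in memory.
DEFANGED_IPS = ["67.206.213[.]86", "136.0.8[.]48", "146.70.100[.]69", "149.104.66[.]84"]
DEFANGED_URL = "hxxp[:]//146.70.100[.]69:8000/php_sess"
PATH_PATTERNS = ["/var/tmp/linuxap*", "/var/tmp/linuxda*", "/var/tmp/linuxupdate*",
                 "/tmp/.c", "/tmp/R5", "/var/R5"]

def refang(indicator: str) -> str:
    """Undo the [.] / [:] / hxxp defanging used in the table."""
    return re.sub(r"^hxxp", "http", indicator.replace("[.]", ".").replace("[:]", ":"))

def hunt(lines):
    """Return (line_no, indicator) for every IOC hit in the given log lines."""
    ips = {refang(i) for i in DEFANGED_IPS}
    url = refang(DEFANGED_URL)
    ip_re = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
    path_re = re.compile(r"(/(?:var/)?tmp/[\w.\-]+)")
    hits = []
    for n, line in enumerate(lines, 1):
        if url in line:
            hits.append((n, url))
        hits += [(n, ip) for ip in ip_re.findall(line) if ip in ips]
        hits += [(n, p) for p in path_re.findall(line)
                 if any(fnmatch(p, pat) for pat in PATH_PATTERNS)]
    return hits

# Constructed sample log lines (not real telemetry): lines 1, 2 and 4 should hit.
SAMPLE_LOG = [
    "2026-04-20T03:11:09Z fw01 traffic src=10.10.1.5 dst=146.70.100.69 dport=8000 app=web-browsing",
    "2026-04-20T03:11:10Z fw01 fileop create path=/var/tmp/linuxap uid=0",
    "2026-04-20T03:11:12Z fw01 traffic src=10.10.1.5 dst=192.0.2.53 dport=53 app=dns",
    "2026-04-29T08:02:41Z fw02 url GET http://146.70.100.69:8000/php_sess",
]

if __name__ == "__main__":
    for line_no, indicator in hunt(SAMPLE_LOG):
        print(f"line {line_no}: {indicator}")
```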
Patch Cycle (Starting May 13, 2026)
6. Patch immediately upon availability: Priority order: 11.2.4-h17, 11.1.4-h33, 11.1.6-h32, 11.1.10-h25, 11.1.13-h5, 10.2.10-h36, 10.2.18-h6 (all May 13). Remaining branches follow through May 28. Do not wait for your standard patch cadence.
7. Rotate all firewall service account credentials: CL-STA-1132 harvested service account credentials from the compromised firewall for AD enumeration. Assume any credentials cached or resolvable from a compromised PAN-OS device are burned.
8. Review HA failover event logs: Any unexpected promotions to Active in an HA pair during April–May 2026 should be investigated. The SAML flood technique would appear as a surge in SAML authentication failures followed by a failover event.
Detection Rules (SIEM/SOAR)
- Alert on outbound connections from PAN-OS management IP to non-Palo Alto IPs on port 1080 (SOCKS5) or unusual high-numbered ports
- Alert on presence of EarthWorm, ew, linuxap, linuxda, linuxupdate in any process or file creation events originating from PAN-OS management processes
- Alert on nginx core dump deletions or crash log truncation events in PAN-OS syslogs
- Baseline and alert on DomainDnsZones LDAP queries sourced from your firewall management interface
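The four rules above, plus the SAML-failure-surge-then-failover pattern from step 8 of the playbook, as an added Python example that is not part of the original post; the key=value event format, the management IP, the egress allowlist and the crash-file naming are constructed assumptions to be replaced with local values.

```python
import re
from datetime import datetime, timedelta

# Constructed environment facts (adjust locally): management IP, legitimate egress destinations,
# tool names from the rules above, and the SAML-failure burst that should precede an HA failover.
MGMT_IPS = {"10.10.1.5"}
ALLOWED_DST = {"203.0.113.10"}
TOOL_NAMES = {"EarthWorm", "ew", "linuxap", "linuxda", "linuxupdate"}
SAML_FAIL_THRESHOLD, SAML_WINDOW = 5, timedelta(minutes=5)

def parse(line):
    """Parse a constructed 'ts=<iso> ev=<type> k=v ...' log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())

def detect(lines):
    """Return (rule, detail) alerts for the four SIEM rules plus the SAML-flood/failover correlation."""
    alerts, saml_fails = [], []
    for f in map(parse, lines):
        ts, ev = datetime.fromisoformat(f["ts"]), f["ev"]
        if (ev == "traffic" and f["src"] in MGMT_IPS and f["dst"] not in ALLOWED_DST
                and (f["dport"] == "1080" or int(f["dport"]) >= 10000)):
            alerts.append(("socks_egress", f"{f['dst']}:{f['dport']}"))
        elif ev in ("proc_start", "file_create") and f["name"].rsplit("/", 1)[-1] in TOOL_NAMES:
            alerts.append(("tool_artifact", f["name"]))
        elif ev == "file_delete" and re.search(r"core|crash", f["name"]):  # assumed crash-file naming
            alerts.append(("crash_log_tamper", f["name"]))
        elif ev == "ldap_query" and f["src"] in MGMT_IPS and "DomainDnsZones" in f["base"]:
            alerts.append(("ldap_recon", f["base"]))
        elif ev == "saml_auth_fail":
            saml_fails.append(ts)
        elif ev == "ha_failover":
            burst = [t for t in saml_fails if ts - t <= SAML_WINDOW]
            if len(burst) >= SAML_FAIL_THRESHOLD:
                alerts.append(("saml_flood_failover", f"{len(burst)} SAML failures in window"))
    return alerts

# Constructed sample events: one benign egress, then one trigger per rule.
SAMPLE_LOG = [
    "ts=2026-04-20T03:10:00 ev=traffic src=10.10.1.5 dst=203.0.113.10 dport=443",
    "ts=2026-04-20T03:11:00 ev=file_create name=/var/tmp/linuxap uid=0",
    "ts=2026-04-20T03:11:05 ev=traffic src=10.10.1.5 dst=198.51.100.7 dport=1080",
    "ts=2026-04-20T03:12:00 ev=file_delete name=/var/cores/nginx.core.1234",
    "ts=2026-04-20T03:13:00 ev=ldap_query src=10.10.1.5 base=DC=DomainDnsZones,DC=corp,DC=example",
    *[f"ts=2026-04-29T09:00:{s:02d} ev=saml_auth_fail src=198.51.100.7" for s in range(6)],
    "ts=2026-04-29T09:01:00 ev=ha_failover peer=fw02 new_state=active",
]
```

Running `detect(SAMPLE_LOG)` yields one alert per rule in event order; tune the thresholds and allowlist against your own baseline before enabling the rules.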
Cortex-Specific (Palo Alto Customers)
- Cortex Xpanse can identify exposed Authentication Portal instances via the CVSS scan
- Advanced WildFire and Advanced Threat Prevention signature updates covering CVE-2026-0300 post-exploitation behavior have been deployed
- Cortex AgentiX provides real-time behavioral detection for EarthWorm SOCKS tunnel patterns
Sources
1. Palo Alto Networks Security Advisory — CVE-2026-0300: https://security.paloaltonetworks.com/CVE-2026-0300
2. Unit 42 Threat Brief — Exploitation of PAN-OS Captive Portal Zero-Day: https://unit42.paloaltonetworks.com/captive-portal-zero-day/
3. Rapid7 Emergency Threat Response — CVE-2026-0300: https://www.rapid7.com/blog/post/etr-critical-buffer-overflow-in-palo-alto-networks-pan-os-user-id-authentication-portal-cve-2026-0300/
4. BleepingComputer — Palo Alto Networks warns of firewall RCE zero-day exploited in attacks: https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-actively-exploited-firewall-zero-day/
5. CISA KEV Update — May 6, 2026: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
6. CybersecurityNews — Palo Alto Firewall Zero-Day RCE Exploited in the Wild Since April: https://cybersecuritynews.com/palo-alto-firewall-0-day-exploited/
7. Shadowserver Dashboard — PAN-OS VM-Series Firewall Exposure: https://dashboard.shadowserver.org/statistics/iot-devices/time-series/
Lyrie.ai Cyber Research Division — Senior Analyst Desk
Lyrie Verdict
Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.