Palo Alto Networks disclosed active exploitation of CVE-2026-0300, a zero-day in the User-ID Authentication Portal of PA and VM series firewalls that enables unauthenticated remote code execution with root privileges. The attack has been linked to the likely state-sponsored group CL-STA-1132, with indicators suggesting China and tooling such as Earthworm and ReverseSocks5. #PaloAltoNetworks #CVE-2026-0300 #CL-STA-1132 #Earthworm #ReverseSocks5
Key points
- CVE-2026-0300 affects the User-ID Authentication Portal in PA and VM series firewalls.
- The flaw allows unauthenticated remote code execution with root privileges.
- Palo Alto Networks says the vulnerability was exploited as a zero-day.
- Attack activity was linked to CL-STA-1132, a likely state-sponsored group.
- Threat actors used Earthworm and ReverseSocks5, then cleaned logs and targeted Active Directory.