Palo Alto Zero-Day Exploited in Campaign Bearing Hallmarks of Chinese State Hacking
Palo Alto Networks disclosed CVE-2026-0300, a zero-day in its firewall User-ID Authentication Portal, exploited in the wild by a likely state-sponsored group using open-source tunneling tools and Active Directory enumeration.

Palo Alto Networks has disclosed that a critical zero-day vulnerability in its PA and VM series firewalls, tracked as CVE-2026-0300, is being actively exploited in a campaign that bears the hallmarks of Chinese state-sponsored hacking. The flaw resides in the User-ID Authentication Portal and allows unauthenticated remote code execution with root privileges. The company observed the first exploitation attempts on April 9, with a successful compromise achieved on April 16 involving Nginx worker process shellcode injection and immediate log cleanup to evade detection.
The threat actor, tracked internally as CL-STA-1132, is described by Palo Alto as a "likely state-sponsored" group. While the company has not formally attributed the attacks to a specific country, the evidence strongly points to China. The attackers deployed the open-source tools Earthworm and ReverseSocks5 for network tunneling and firewall bypass, tools that have been predominantly used by Chinese APT groups such as Volt Typhoon and APT41. Log destruction and Active Directory targeting are also consistent with Chinese state-sponsored operations.
Following the initial compromise, the attackers waited four days before deploying additional tools with root privileges. They then conducted Active Directory enumeration using the firewall's service account credentials, targeting the domain root and DomainDnsZones. After enumeration, they removed ptrace injection evidence from the audit log and deleted the set-user-ID (SUID) privilege escalation binary to cover their tracks. This multi-week operational cadence, characterized by intermittent interactive sessions, was designed to stay below the behavioral thresholds of automated alerting systems.
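Two of the behaviours above, a ptrace-based injection into an Nginx worker and the later removal of the audit records that recorded it, leave traces a defender can look for. The script below is an added example, not code from the article or from Palo Alto Networks: it assumes Linux auditd-style SYSCALL records (constructed sample lines, not real PAN-OS output) plus a process snapshot, flags ptrace attach/seize calls whose target pid resolves to an nginx process, and reports jumps in the audit event serial that may indicate deleted records.

```python
import re

# Constructed auditd-style SYSCALL records (assumed format, not real PAN-OS output).
# a0 = ptrace request, a1 = target pid, both hex as auditd prints them.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1713250000.101:501): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=0fa0 pid=4120 uid=0 comm="x" exe="/tmp/x"
type=SYSCALL msg=audit(1713250000.150:502): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=0bb8 pid=4119 uid=0 comm="gdb" exe="/usr/bin/gdb"
type=SYSCALL msg=audit(1713250001.000:503): arch=c000003e syscall=59 success=yes exit=0 a0=0 a1=0 pid=4125 uid=0 comm="sh" exe="/bin/sh"
type=SYSCALL msg=audit(1713250620.000:900): arch=c000003e syscall=59 success=yes exit=0 a0=0 a1=0 pid=4130 uid=0 comm="sh" exe="/bin/sh"
"""
# Constructed process snapshot (pid -> comm) taken alongside the log.
PROC_TABLE = {4000: "nginx: worker process", 3000: "bash", 4119: "gdb", 4120: "x"}
PTRACE_SYSCALL = "101"             # x86_64 syscall number for ptrace
ATTACH_REQUESTS = {0x10, 0x4206}   # PTRACE_ATTACH, PTRACE_SEIZE
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"audit\(\d+\.\d+:(\d+)\)")

def parse_record(line):
    """Split one auditd record into a dict; the event serial comes from msg=audit(...)."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = MSG_RE.search(line)
    if m:
        fields["serial"] = int(m.group(1))
    return fields

def ptrace_attach_hits(records, proc_table, target_name="nginx"):
    """(serial, tracer comm, target pid) for ptrace attach/seize calls aimed at nginx."""
    hits = []
    for r in records:
        if r.get("syscall") != PTRACE_SYSCALL:
            continue
        if int(r.get("a0", "0"), 16) not in ATTACH_REQUESTS:
            continue
        target = int(r.get("a1", "0"), 16)
        if target_name in proc_table.get(target, ""):
            hits.append((r["serial"], r.get("comm"), target))
    return hits

def serial_gaps(records):
    """Event serials increase by one; a jump hints that records were removed
    (rotation can cause it too, so treat a gap as a lead, not proof)."""
    serials = sorted({r["serial"] for r in records if "serial" in r})
    return [(a, b) for a, b in zip(serials, serials[1:]) if b - a > 1]

def analyze(text, proc_table=PROC_TABLE):
    records = [parse_record(l) for l in text.splitlines() if l.strip()]
    return {"ptrace_hits": ptrace_attach_hits(records, proc_table),
            "serial_gaps": serial_gaps(records)}
```

Calling `analyze(SAMPLE_AUDIT)` on the constructed input reports one attach from an unknown binary in /tmp against the nginx worker and a serial jump from 503 to 900 after it; the gdb attach against a shell is not reported.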
Palo Alto Networks has scheduled patches for CVE-2026-0300 on May 13 and May 28, 2026. In the interim, the company has provided mitigations and workarounds to prevent exploitation. The vulnerability affects the User-ID Authentication Portal of PA and VM series firewalls, and administrators are urged to apply the available mitigations immediately. The company's advisory notes that the flaw allows unauthenticated remote code execution with root privileges, making it a critical risk for any organization using affected devices.
The campaign highlights the increasing sophistication of state-sponsored threat actors who rely on open-source tooling rather than proprietary malware. This approach minimizes signature-based detection and facilitates seamless integration into compromised environments. The use of Earthworm and ReverseSocks5, both commonly associated with Chinese APT groups, further reinforces the attribution. Active Directory targeting, while not exclusive to Chinese actors, is a hallmark of their operations, often aimed at establishing persistent access and moving laterally within networks.
This incident underscores the importance of proactive vulnerability management and the need for organizations to prioritize patching critical infrastructure. The exploitation of CVE-2026-0300 as a zero-day demonstrates that even well-defended networks can be compromised if vulnerabilities are not addressed promptly. Palo Alto Networks' detailed disclosure provides valuable insights into the tactics, techniques, and procedures of CL-STA-1132, enabling defenders to better detect and respond to similar attacks.
As the cybersecurity community awaits the official patches, organizations using affected Palo Alto firewalls should implement the recommended mitigations and monitor for signs of compromise. The campaign serves as a reminder that state-sponsored threat actors continue to target network perimeter devices as a primary vector for initial access, and that open-source tools can be as dangerous as custom malware when wielded by skilled adversaries.