VYPR
kev · Published May 7, 2026 · Updated May 18, 2026 · 1 source

Zero-Day in Palo Alto Firewalls Exploited by Chinese State-Sponsored Group CL-STA-1132

Palo Alto Networks disclosed CVE-2026-0300, a zero-day in its User-ID Authentication Portal, exploited by the likely Chinese state-sponsored group CL-STA-1132 for root-level access.

Palo Alto Networks has disclosed a critical zero-day vulnerability, CVE-2026-0300, affecting the User-ID Authentication Portal of its PA-Series and VM-Series firewalls. The flaw, which allows unauthenticated remote code execution with root privileges, has been actively exploited in the wild by a threat group tracked as CL-STA-1132. While the company has not directly attributed the attacks to a specific nation-state, the evidence strongly points to Chinese state-sponsored hacking operations.

According to Palo Alto Networks, the first exploitation attempts were observed on April 9, 2026, but were initially unsuccessful. One week later, on April 16, the attackers successfully leveraged the vulnerability to achieve remote code execution and inject shellcode into Nginx worker processes. Following the compromise, the attackers immediately conducted log cleanup to evade detection, clearing kernel crash messages, deleting Nginx crash entries and records, and removing core dump files.

Four days after the initial compromise, the attackers deployed a suite of tools with root privileges. They conducted Active Directory (AD) enumeration using the firewall's service account credentials, targeting the domain root and DomainDnsZones. After enumeration, they deleted ptrace injection evidence from the audit log and removed the set-user-ID (SUID) privilege escalation binary to cover their tracks.
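The log destruction described above (kernel crash messages cleared, Nginx crash entries and core dumps deleted, ptrace evidence removed from the audit log) is hard to detect on the device itself, but when logs are forwarded to a collector the deletions leave a residue: sequence-number gaps, timestamps that run backwards, and unexplained silence windows. The following Python is an added example written for this page, not code from the advisory or from Palo Alto Networks. The record format `seq=<n> ts=<ISO-8601> src=<name> msg=<text>` and the sample lines are constructed assumptions, not the PAN-OS log format.

```python
"""Heuristic detector for deleted or forged records in a forwarded log stream.

Added example (not from the advisory). Assumes each forwarded record carries a
monotonically increasing sequence number and a UTC timestamp in the constructed
format "seq=<n> ts=<ISO-8601> src=<name> msg=<text>".
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed line format (assumption); real collectors use their own schema.
LINE_RE = re.compile(r"^seq=(\d+)\s+ts=(\S+)\s+src=(\S+)\s+msg=(.*)$")


@dataclass(frozen=True)
class Record:
    seq: int
    ts: datetime
    src: str
    msg: str


def parse_records(lines):
    """Parse forwarded lines; unparseable lines are skipped rather than guessed at."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        seq, ts, src, msg = m.groups()
        # Accept the trailing 'Z' on older Python versions of fromisoformat.
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        records.append(Record(int(seq), stamp, src, msg))
    return records


def find_tampering(records, max_silence=timedelta(minutes=10)):
    """Return findings for consecutive records (ordered by sequence number):

    - seq_gap: records missing between two sequence numbers (deleted entries)
    - time_regression: a later record carries an earlier timestamp (forged or
      re-ordered entries)
    - silence: no records for longer than max_silence (logging disabled or the
      window wiped wholesale)
    """
    findings = []
    ordered = sorted(records, key=lambda r: r.seq)
    for prev, cur in zip(ordered, ordered[1:]):
        missing = cur.seq - prev.seq - 1
        if missing > 0:
            findings.append({"kind": "seq_gap", "after_seq": prev.seq,
                             "before_seq": cur.seq, "missing": missing})
        if cur.ts < prev.ts:
            findings.append({"kind": "time_regression", "after_seq": prev.seq,
                             "before_seq": cur.seq, "missing": 0})
        elif cur.ts - prev.ts > max_silence:
            findings.append({"kind": "silence", "after_seq": prev.seq,
                             "before_seq": cur.seq, "missing": 0})
    return findings


# Constructed sample: two records deleted after seq=101, one record with a
# backdated timestamp, and a 14-minute silence window.
SAMPLE_LINES = [
    "seq=100 ts=2026-04-16T10:00:00Z src=audit msg=session opened for admin",
    "seq=101 ts=2026-04-16T10:00:30Z src=kernel msg=worker process restarted",
    "seq=104 ts=2026-04-16T10:01:10Z src=audit msg=config commit by admin",
    "seq=105 ts=2026-04-16T10:00:50Z src=audit msg=session closed for admin",
    "seq=106 ts=2026-04-16T10:15:00Z src=audit msg=session opened for ops",
    "this line is not a valid record and is skipped",
]


def analyse(lines=SAMPLE_LINES):
    return find_tampering(parse_records(lines))


if __name__ == "__main__":
    for f in analyse():
        print(f)
```

The heuristics only work if the device cannot rewrite the collector's copy, so the value of the check rests on forwarding records off-box as they are produced; a gap or regression is a prompt to pull the box's own logs and compare, not proof of compromise on its own.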

The threat group relied on open-source tools, including EarthWorm and ReverseSocks5, to establish covert communications and bypass network defenses. EarthWorm is a network tunneling tool that enables attackers to create a hidden channel, while ReverseSocks5 allows them to bypass firewalls and NAT. Palo Alto noted that the use of these tools, combined with log destruction and AD targeting, is consistent with tactics employed by Chinese APT groups such as Volt Typhoon and APT41.

Palo Alto Networks has scheduled patches for CVE-2026-0300 to be released on May 13 and May 28, 2026. In the interim, the company has provided mitigations and workarounds to prevent exploitation. The advisory urges administrators to apply the recommended configurations immediately, as the vulnerability poses a significant risk to affected firewalls.

The exploitation of this zero-day highlights the persistent threat posed by state-sponsored actors targeting critical network infrastructure. The use of open-source tools and disciplined operational cadence, as noted by Palo Alto, allowed the attackers to remain below the behavioral thresholds of most automated alerting systems. This incident underscores the importance of timely patching and proactive threat hunting in defending against sophisticated adversaries.

Palo Alto Networks has now confirmed that exploitation attempts began as early as April 9, 2026, with successful root-level RCE achieved a week later. The threat actor, tracked as CL-STA-1132, deployed EarthWorm and ReverseSocks5 for Active Directory enumeration and lateral movement, while clearing forensic artifacts to evade detection. Patches are expected May 13, 2026; in the interim, customers are urged to restrict access to the User-ID Authentication Portal and enable Threat ID 510019.

Synthesized by Vypr AI