
PAN-OS

Palo Alto Networks firewall OS; CVE-2026-0300, a captive portal RCE, has been exploited by a state actor since April 2026.

Last refreshed: 8 May 2026 · Appears in 1 active topic

Key Question

If Palo Alto knew about exploitation on 16 April, why did the patch not ship until 13 May?

Timeline for PAN-OS

6 May

Identified as the affected product for CVE-2026-0300 with CVSS 9.3

Cybersecurity: Threats and Defences: CISA deadline for PAN-OS RCE lands four days early

16 Apr

Exploited via captive portal with shellcode injected into nginx worker process

Cybersecurity: Threats and Defences: CL-STA-1132 exploited PAN-OS since 16 April, log destruction confirmed
Common Questions

Is my Palo Alto firewall vulnerable to CVE-2026-0300?

PAN-OS versions with captive portal enabled are affected by CVE-2026-0300 (CVSS 9.3). CISA's federal deadline was 9 May 2026; Palo Alto Networks' own patch was scheduled for 13 May. Organisations should check Palo Alto's security advisory for affected versions and apply mitigations immediately.
Source: CISA / Palo Alto Networks

How did CL-STA-1132 exploit PAN-OS?

CL-STA-1132 exploited CVE-2026-0300 to inject shellcode into PAN-OS nginx worker processes, then used the firewall's own Active Directory service account to enumerate the network, moved laterally with EarthWorm and ReverseSocks5, and destroyed logs.
Source: Unit 42

Why was the CISA PAN-OS deadline before the patch was ready?

CISA added CVE-2026-0300 to KEV on 6 May with a 9 May deadline based on confirmed active exploitation. Palo Alto Networks stated patches would ship on 13 May — four days after the federal deadline — marking the first documented case of a KEV deadline preceding vendor patch availability.
Source: CISA

Background

PAN-OS is the operating system running Palo Alto Networks' next-generation firewalls and Panorama management appliances. In May 2026, CISA added CVE-2026-0300 — an unauthenticated Remote Code Execution flaw in PAN-OS's captive portal component (CVSS 9.3) — to its Known Exploited Vulnerabilities catalogue with a 9 May federal remediation deadline, the first documented occasion a federal KEV deadline preceded the vendor's own patch availability.

State-sponsored cluster CL-STA-1132 was confirmed by Palo Alto's own Unit 42 research team to have been actively exploiting CVE-2026-0300 since 16 April 2026, weeks before the CISA listing. Post-exploitation tradecraft included shellcode injection into nginx worker processes, Active Directory enumeration via the firewall's service account privileges, lateral movement using EarthWorm and ReverseSocks5, and systematic log destruction.

PAN-OS is one of the most widely deployed firewall platforms in enterprise and government environments globally. Because firewalls sit at the perimeter, a root-level compromise turns the security control into a stepping stone for attackers. Palo Alto Networks' disclosure that its own research confirmed active exploitation of its own product before a patch was available created an unusual transparency-accountability dynamic that informed CISA's unprecedented pre-patch deadline.
