
Unit 42
Palo Alto Networks' threat-intelligence and incident-response division; named CL-STA-1132.
Last refreshed: 8 May 2026 · Appears in 1 active topic
Can Unit 42 be objective when the exploited vulnerability is in Palo Alto's own product?
Timeline for Unit 42
Mentioned in: AI orchestration flaw joins CISA's KEV
Cybersecurity: Threats and DefencesMentioned in: West Pharma SEC 8-K on ransomware halt
Cybersecurity: Threats and DefencesConfirmed CL-STA-1132 exploitation and documented post-exploitation tradecraft
Cybersecurity: Threats and Defences: CL-STA-1132 exploited PAN-OS since 16 April, log destruction confirmedWhat is Unit 42 and who funds it?
How did Unit 42 discover the CL-STA-1132 PAN-OS attacks?
Is Unit 42 independent from Palo Alto Networks?
Background
Unit 42 is the threat-intelligence and incident-response Arm of Palo Alto Networks, one of the world's largest cybersecurity vendors. In May 2026, Unit 42 published attribution confirming that state-sponsored cluster CL-STA-1132 had been actively exploiting CVE-2026-0300 in PAN-OS since 16 April 2026, detailing tradecraft including nginx shellcode injection, Active Directory enumeration via firewall service accounts, and systematic log destruction.
Unit 42 conducts original threat research, responds to major incidents for enterprise clients, and publishes threat-actor naming conventions used across the industry. Its cluster designations (CL- prefix for unattributed clusters; APT prefixes for attributed groups) are widely adopted by other vendors and government agencies as reference points. The unit also publishes the Unit 42 Incident Response Report annually, tracking ransomware, BEC, and nation-state trends.
The CL-STA-1132 publication places Unit 42 at the centre of the PAN-OS zero-day response — a position that carries reputational sensitivity, as the vulnerability affects Palo Alto's own product. Independent corroboration from other vendors strengthens the attribution; Unit 42's visibility into exploitation comes partly from telemetry on PAN-OS devices deployed at scale globally.