Unit 42

Organisation · US

Palo Alto Networks' threat-intelligence and incident-response division; it named the activity cluster CL-STA-1132.

Last refreshed: 8 May 2026 · Appears in 1 active topic

Key Question

Can Unit 42 be objective when the exploited vulnerability is in Palo Alto's own product?

Timeline for Unit 42

#3 · 16 Apr

Confirmed CL-STA-1132 exploitation and documented post-exploitation tradecraft

Cybersecurity: Threats and Defences: CL-STA-1132 exploited PAN-OS since 16 April, log destruction confirmed
Common Questions
What is Unit 42 and who funds it?
Unit 42 is the threat-intelligence and incident-response division of Palo Alto Networks, funded by the commercial cybersecurity vendor. It conducts research and responds to enterprise incidents.
How did Unit 42 discover the CL-STA-1132 PAN-OS attacks?
Unit 42 confirmed exploitation of CVE-2026-0300 in the PAN-OS captive portal by CL-STA-1132 since 16 April 2026, using telemetry from PAN-OS devices and Incident Response engagements to document the tradecraft. Source: Unit 42
Is Unit 42 independent from Palo Alto Networks?
Unit 42 is a division of Palo Alto Networks, not an independent body. Its research on PAN-OS vulnerabilities therefore carries a commercial sensitivity, though its findings are typically corroborated by other vendors.

Background

Unit 42 is the threat-intelligence and incident-response arm of Palo Alto Networks, one of the world's largest cybersecurity vendors. In May 2026, Unit 42 published attribution confirming that the state-sponsored cluster CL-STA-1132 had been actively exploiting CVE-2026-0300 in PAN-OS since 16 April 2026, detailing tradecraft including nginx shellcode injection, Active Directory enumeration via firewall service accounts, and systematic log destruction.

Unit 42 conducts original threat research, responds to major incidents for enterprise clients, and publishes threat-actor naming conventions used across the industry. Its cluster designations (CL- prefix for unattributed clusters; APT prefixes for attributed groups) are widely adopted by other vendors and government agencies as reference points. The unit also publishes the Unit 42 Incident Response Report annually, tracking ransomware, BEC, and nation-state trends.

The CL-STA-1132 publication places Unit 42 at the centre of the PAN-OS zero-day response — a position that carries reputational sensitivity, as the vulnerability affects Palo Alto's own product. Independent corroboration from other vendors strengthens the attribution; Unit 42's visibility into exploitation comes partly from telemetry on PAN-OS devices deployed at scale globally.

Source Material