Palo Alto Zero-Day Exploited in Campaign Bearing Hallmarks of Chinese State Hacking
Briefly

"Following the compromise, the attackers immediately conducted log cleanup to mitigate detection by clearing crash kernel messages, deleting nginx crash entries and nginx crash records, as well as removing crash core dump files. The attackers deployed a number of tools with root privileges four days later, before conducting Active Directory (AD) enumeration using the firewall's service account credentials to target domain root and DomainDnsZones."
"According to the company, a 'likely state-sponsored' threat group tracked as CL-STA-1132 was behind the attack. First exploitation attempts were observed on April 9, but were unsuccessful. The vulnerability was successfully leveraged one week later for remote code execution and Nginx worker process shellcode injection."
Palo Alto Networks disclosed CVE-2026-0300, a critical zero-day vulnerability affecting the User-ID Authentication Portal of PA and VM series firewalls. The flaw enables unauthenticated remote code execution with root privileges. A likely state-sponsored threat group tracked as CL-STA-1132 exploited the vulnerability, with initial unsuccessful attempts on April 9 followed by successful exploitation one week later. Attackers conducted extensive log cleanup, deployed tools with root privileges, performed Active Directory enumeration using firewall service account credentials, and removed evidence from audit logs. Patches are scheduled for May 13 and May 28, with mitigations and workarounds available in the interim.
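One detection angle that follows from the reported tradecraft (the firewall's User-ID service account being used to enumerate the domain root and DomainDnsZones) is to baseline what that account is allowed to read and alert on anything outside it. The example below is added here and is not code from SecurityWeek, Palo Alto Networks or the article; the log record format, account name, source IP and naming contexts are all constructed sample data.

```python
"""Flag a firewall's User-ID service account performing broad AD enumeration.

Added example, not from the original article. The LDAP query records, the
account name "svc-userid", the source IP and the distinguished names are
constructed sample data; the field names are an assumption, not a real
product's log schema.
"""

# Constructed sample: the service account normally reads users and groups;
# two records show it searching the domain root and the DomainDnsZones
# partition, the pattern described in the article.
SAMPLE_LDAP_QUERIES = [
    {"account": "svc-userid", "src": "10.0.0.1",
     "base": "OU=Users,DC=corp,DC=example", "scope": "subtree"},
    {"account": "svc-userid", "src": "10.0.0.1",
     "base": "OU=Groups,DC=corp,DC=example", "scope": "onelevel"},
    {"account": "svc-userid", "src": "10.0.0.1",
     "base": "DC=corp,DC=example", "scope": "subtree"},
    {"account": "svc-userid", "src": "10.0.0.1",
     "base": "DC=DomainDnsZones,DC=corp,DC=example", "scope": "subtree"},
    {"account": "jdoe", "src": "10.0.5.20",
     "base": "DC=corp,DC=example", "scope": "base"},
]

# Baseline: search bases each monitored service account is expected to use.
EXPECTED_BASES = {
    "svc-userid": {"OU=Users,DC=corp,DC=example", "OU=Groups,DC=corp,DC=example"},
}

# Application partitions a User-ID integration has no reason to read.
SENSITIVE_PREFIXES = ("DC=DomainDnsZones,", "DC=ForestDnsZones,")


def audit_service_account_queries(queries, expected, sensitive_prefixes):
    """Return (account, src, base, reason) for every out-of-baseline search.

    Accounts not present in `expected` are not monitored and are skipped;
    interactive user accounts are handled by other controls.
    """
    findings = []
    for q in queries:
        allowed = expected.get(q["account"])
        if allowed is None or q["base"] in allowed:
            continue
        if q["base"].startswith(sensitive_prefixes):
            reason = "read of sensitive application partition"
        elif q["scope"] == "subtree":
            reason = "subtree search outside baseline (domain-wide enumeration)"
        else:
            reason = "search base outside baseline"
        findings.append((q["account"], q["src"], q["base"], reason))
    return findings
```

Feeding real directory-access telemetry in this shape lets the same function run as a scheduled check; a single out-of-baseline hit from a firewall's service account is worth an investigation, since that account's query pattern should be static.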
Read at SecurityWeek