PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage
Briefly

"The attacker behind this activity exploited CVE-2026-0300 to achieve unauthenticated remote code execution (RCE) in PAN-OS software. Upon successful exploitation, the attacker was able to inject shellcode into an nginx worker process."
"CVE-2026-0300 (CVSS score: 9.3/8.7), a buffer overflow vulnerability in the User-ID Authentication Portal service of Palo Alto Networks PAN-OS software that could allow an unauthenticated attacker to execute arbitrary code with root privileges by sending specially crafted packets."
"Customers are advised to secure access to the PAN-OS User-ID Authentication Portal by restricting access to trusted zones, or by disabling it entirely if it's not used. As additional mitigation, the company is recommending that organizations disable Response Pages in the Interface Management Profile for any L3 interface where untrusted or internet traffic can ingress."
CVE-2026-0300 is a critical buffer overflow vulnerability (CVSS 9.3/8.7) in the User-ID Authentication Portal of Palo Alto Networks PAN-OS that enables unauthenticated attackers to execute arbitrary code with root privileges by sending specially crafted packets. Threat actors attempted exploitation as early as April 9, 2026, and achieved successful remote code execution approximately one week later. The attackers injected shellcode into nginx worker processes and attempted to cover their tracks by clearing crash kernel messages and deleting nginx crash entries. Fixes are scheduled for May 13, 2026. Mitigation strategies include restricting portal access to trusted zones, disabling the service if it is unused, disabling Response Pages in Interface Management Profiles, and enabling Threat ID 510019 for Advanced Threat Prevention customers. The activity is attributed to a suspected state-sponsored threat cluster tracked as CL-STA-1132.
Read at The Hacker News