Nation-State Actors Exploited PAN-OS CVE-2026-0300 for Nearly a Month

State-sponsored actors exploited CVE-2026-0300, a critical CVSS 9.3 RCE flaw in PAN-OS, for roughly one month before disclosure. CISA's remediation deadline is May 9.

    State-sponsored threat actors exploited a critical vulnerability in Palo Alto Networks’ PAN-OS for approximately one month before the flaw was publicly disclosed, according to researchers and government advisories. CVE-2026-0300, carrying a CVSS score of 9.3, allowed unauthenticated attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending specially crafted packets to the User-ID Authentication Portal.

    CVE-2026-0300: Unauthenticated Root RCE in PAN-OS Firewalls

    The vulnerability is classified as an out-of-bounds write, a form of buffer overflow. An attacker with network access to the affected portal could send malformed packets that overwrite adjacent memory and ultimately achieve code execution at the highest privilege level, root, without any authentication. The affected devices are PA-Series hardware firewalls and VM-Series virtual firewall deployments, both widely used at enterprise and government network perimeters.

    The CVSS 9.3 rating reflects the severity of this flaw. Unauthenticated remote code execution on a network security device represents a near-worst-case scenario: the very appliance intended to enforce a security boundary becomes the entry point for attacker-controlled code running at root.

    One Month of Silent Exploitation Before Public Disclosure

    Researchers determined that state-sponsored actors began exploiting CVE-2026-0300 approximately one month before the vulnerability was publicly disclosed. This pre-disclosure exploitation window (a zero-day period in cases where the vendor was unaware of the flaw) gave attackers significant time to penetrate targets before defenders could apply any mitigation.

    During the exploitation period, post-compromise activity documented by researchers included the deployment of tunneling tools, specifically EarthWorm and ReverseSocks5. These tools establish covert communication channels from the compromised device back to attacker-controlled infrastructure, letting the attacker route traffic through the firewall into the internal network and retain access even where firewall rules or network monitoring would otherwise block a direct connection.

    Post-Exploitation Tradecraft: Active Directory Enumeration and Log Deletion

    Following initial access via the PAN-OS flaw, the threat actors conducted systematic Active Directory enumeration — a standard technique for mapping enterprise identity infrastructure in preparation for lateral movement. Understanding AD structure allows attackers to identify privileged accounts, service accounts, and high-value targets within a victim organization’s network.

    Critically, the attackers also deleted logs on compromised devices to remove forensic evidence of their presence. This log-wiping behavior complicates incident response and may leave some organizations uncertain about the full scope of what was accessed or exfiltrated during the exploitation window.

    CISA Adds CVE-2026-0300 to KEV Catalog With May 9 Federal Deadline

    The Cybersecurity and Infrastructure Security Agency added CVE-2026-0300 to its Known Exploited Vulnerabilities catalog on May 6, 2026. Federal civilian executive branch agencies operating under BOD 22-01 face a remediation deadline of May 9, 2026 — today — to either apply available mitigations or remove affected devices from network exposure.

    Palo Alto Networks was expected to release patches for CVE-2026-0300 on May 13, 2026. The gap between the CISA remediation deadline and the patch availability date means federal agencies must implement interim mitigations in the days before a full software fix is available.

    Interim Mitigations for PAN-OS Operators Ahead of May 13 Patch

    In the period before patches are available, organizations running PA-Series or VM-Series firewalls should determine whether the User-ID Authentication Portal is reachable from untrusted networks and, where possible, restrict access to that portal to specific administrative source IP ranges. Removing the portal's internet exposure entirely, if operationally feasible, eliminates the primary attack surface.
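The source-range restriction above can be audited mechanically before a change window. The following is an added example, not Palo Alto Networks' code and not PAN-OS's own configuration schema: it models a policy as a list of rules (sources as CIDRs or "any", destination ports, action) and flags every allow rule that lets traffic reach the portal port from a source that is not fully contained in an administrative allow-list. The port number 6082, the allow-list ranges and the three sample policies are constructed assumptions for the demonstration; the useful part is the containment check, which also catches the over-broad case (a /16 where only a /24 is administrative) that a simple "source is not any" test would miss.

```python
"""Audit whether a firewall policy exposes the User-ID Authentication Portal.

Added example, not Palo Alto Networks' code and not PAN-OS's own
configuration schema. A policy is modelled as a list of rules, each with
source CIDRs (or "any"), destination ports and an action. The audit flags
every allow rule that lets traffic reach the portal port from a source that
is not fully contained in the administrative allow-list.
"""
from ipaddress import ip_network

# ASSUMPTION: placeholder port standing in for the portal service.
PORTAL_PORT = 6082

# Constructed administrative source ranges for the demo.
ADMIN_RANGES = [ip_network("10.10.0.0/24"), ip_network("192.168.50.0/24")]


def _to_network(source):
    """Turn a rule source ("any" or a CIDR/host string) into a network."""
    if source == "any":
        return ip_network("0.0.0.0/0")
    return ip_network(source, strict=False)


def _fully_allowed(net, allowed):
    """True only if every address in `net` lies inside one allowed range."""
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)


def audit_portal_exposure(rules, allowed=ADMIN_RANGES, port=PORTAL_PORT):
    """Return (rule name, offending source) pairs for over-broad portal access.

    Rule ordering is ignored: every allow rule reaching the port is checked,
    so the result is conservative and each finding deserves a second look.
    """
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or port not in rule["dest_ports"]:
            continue
        for source in rule["sources"]:
            net = _to_network(source)
            if not _fully_allowed(net, allowed):
                findings.append((rule["name"], str(net)))
    return findings


# Constructed policies: the weak one (portal reachable from anywhere), an
# over-broad one (/16 where only a /24 is administrative) and the hardened one.
WEAK_POLICY = [
    {"name": "allow-portal-any", "action": "allow",
     "sources": ["any"], "dest_ports": [PORTAL_PORT]},
    {"name": "allow-web", "action": "allow",
     "sources": ["any"], "dest_ports": [443]},
]

OVERBROAD_POLICY = [
    {"name": "allow-portal-wide", "action": "allow",
     "sources": ["10.10.0.0/16"], "dest_ports": [PORTAL_PORT]},
]

HARDENED_POLICY = [
    {"name": "allow-portal-admin", "action": "allow",
     "sources": ["10.10.0.0/24", "192.168.50.0/24"], "dest_ports": [PORTAL_PORT]},
    {"name": "deny-portal-rest", "action": "deny",
     "sources": ["any"], "dest_ports": [PORTAL_PORT]},
    {"name": "allow-web", "action": "allow",
     "sources": ["any"], "dest_ports": [443]},
]

if __name__ == "__main__":
    for label, policy in [("weak", WEAK_POLICY), ("over-broad", OVERBROAD_POLICY),
                          ("hardened", HARDENED_POLICY)]:
        print(label, audit_portal_exposure(policy) or "no exposure found")
```

The check deliberately ignores rule order, so a later deny does not suppress a finding against an earlier broad allow; on a first-match firewall that is the safe direction to err in, and the hardened policy shows the shape that passes: a narrow allow followed by an explicit deny for everyone else.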

    Why State Actors Prioritized CVE-2026-0300 Over Opportunistic Scanning

    This incident follows an established pattern of sophisticated threat actors prioritizing network perimeter devices — firewalls, VPN concentrators, and load balancers — as entry points. These devices have broad network access by design, are frequently not monitored with the same rigor as endpoint systems, and in some cases cannot run traditional endpoint detection tools.

    The sustained one-month exploitation window prior to this disclosure suggests the threat actors were operating with discipline, conducting targeted operations rather than broad opportunistic scanning, which would have increased the likelihood of earlier detection. The combination of tunneling tools, AD enumeration, and log deletion indicates a mature intrusion team with specific intelligence-collection objectives.

    Organizations that deployed PA-Series or VM-Series firewalls with the User-ID Authentication Portal exposed should treat this as a potential compromise and review available logs and telemetry for the indicators associated with EarthWorm and ReverseSocks5.
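Two of the behaviours described in this article, the tunneling tools and the log deletion, can be hunted for together in whatever device telemetry survives. The following is an added example, not Palo Alto Networks' code and not a PAN-OS log format: it runs over constructed log lines and reports (1) entries naming EarthWorm or ReverseSocks5 and (2) unusually long silences between consecutive entries, which on a device that normally logs continuously is one signal that a stretch of logs was removed. The name patterns (including "ew", the short binary name EarthWorm is commonly distributed under), the six-hour gap threshold and every value in the sample lines are assumptions for the demonstration and should be replaced with the indicators published by the vendor or incident responders.

```python
"""Triage firewall system logs for tunneling-tool activity and logging gaps.

Added example, not Palo Alto Networks' code and not a PAN-OS log format. It
runs two checks over constructed log lines: matches for the tunneling tools
named in the reporting (EarthWorm, ReverseSocks5), and silences between
consecutive entries long enough to suggest that logs were deleted. The tool
name patterns and the gap threshold are assumptions.
"""
import re
from datetime import datetime, timedelta, timezone

# ASSUMPTION: name patterns; "ew" is the short binary name EarthWorm is
# commonly distributed under, the other two names come from the reporting.
TOOL_RE = re.compile(r"\b(earthworm|ew|reversesocks5)\b", re.IGNORECASE)
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z\s")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(line):
    """Return the UTC timestamp at the start of a log line, or None."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return ts.replace(tzinfo=timezone.utc)


def find_tool_hits(lines):
    """Return (timestamp, matched name, line) for each line naming a tool."""
    hits = []
    for line in lines:
        m = TOOL_RE.search(line)
        if m:
            ts = parse_ts(line)
            hits.append((ts.strftime(TS_FMT) if ts else None, m.group(1).lower(), line))
    return hits


def find_log_gaps(lines, max_gap=timedelta(hours=6)):
    """Return (start, end, hours) for each silence longer than max_gap.

    ASSUMPTION: the device logs continuously, so a long silence is worth a
    look; tune max_gap to the device's normal logging cadence.
    """
    stamps = [t for t in (parse_ts(line) for line in lines) if t is not None]
    gaps = []
    for prev, cur in zip(stamps, stamps[1:]):
        if cur - prev > max_gap:
            hours = (cur - prev).total_seconds() / 3600
            gaps.append((prev.strftime(TS_FMT), cur.strftime(TS_FMT), hours))
    return gaps


def triage(lines):
    """Run both checks and return their findings together."""
    return {"tool_hits": find_tool_hits(lines), "gaps": find_log_gaps(lines)}


# Constructed sample lines: hostname, addresses, pids and message text are
# invented for the demo and are not real indicators. The 32-hour silence
# after the tool launches stands in for a deleted stretch of log.
SAMPLE_LOG = [
    "2026-04-09T23:58:10Z pa-fw01 system: portal session opened client=198.51.100.7",
    "2026-04-10T00:01:42Z pa-fw01 system: process start name=ew pid=4120 parent=httpd",
    "2026-04-10T00:02:03Z pa-fw01 traffic: tcp 10.0.0.1 -> 203.0.113.10:8888 app=unknown",
    "2026-04-10T00:03:30Z pa-fw01 system: process start name=reversesocks5 pid=4133",
    "2026-04-11T08:03:30Z pa-fw01 system: scheduled config backup completed",
    "2026-04-11T08:10:00Z pa-fw01 system: admin login user=netops client=10.10.0.5",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ts, name, line in result["tool_hits"]:
        print(f"TOOL  {ts} {name}: {line}")
    for start, end, hours in result["gaps"]:
        print(f"GAP   {start} -> {end} ({hours:.1f} h of silence)")
```

Because the attackers deleted logs on the device itself, the most useful input for this kind of check is a copy of the logs forwarded off-box (syslog, SIEM) rather than what remains on the firewall; the gap check is only meaningful against a feed that was continuous before the suspected intrusion.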
