CVE-2026-0300: Active Exploitation of PAN-OS User-ID Authentication Portal
CVE-2026-0300 is a critical unauthenticated buffer overflow in the PAN-OS User-ID Authentication Portal, carrying a CVSSv4 score of 9.3. This vulnerability allows a remote attacker to achieve root-level arbitrary code execution on PA-Series and VM-Series firewalls without user interaction or existing credentials. While Prisma Access and Panorama remain unaffected, CISA added this to its Known Exploited Vulnerabilities catalog on May 7, 2026, following reports of active exploitation. Official hotfixes for affected trains in PAN-OS 12.1, 11.2, 11.1, and 10.2 are scheduled to roll out between May 13 and May 28, 2026.
Unit 42 attributes the activity to a likely state-sponsored cluster designated CL-STA-1132, which began successful RCE via shellcode injection as early as mid-April 2026. The attackers demonstrated high operational security by aggressively clearing crash kernel messages, nginx logs, and core dumps to eliminate high-fidelity tripwires. Post-compromise, the operator leveraged the firewall's elevated privileges to conduct Active Directory enumeration and deployed open-source tunneling tools like EarthWorm and ReverseSocks5. In one sophisticated instance, the actor forced a high-availability failover via a SAML flood to maintain access by re-exploiting the newly active secondary firewall.
Mitigation efforts should prioritize restricting the Authentication Portal to trusted internal zones or disabling the service entirely if it is not required. Organizations with Advanced Threat Prevention should immediately enable Threat ID 510019 to block known exploitation patterns. Detection strategies must focus on identifying the specific EarthWorm SHA256 hash, monitoring for authd-sslmgr crashes, and blocking communication with known attacker IPs, including 67.206.213.86 and 146.70.100.69. With nearly 5,800 VM-Series instances currently exposed to the internet, rapid remediation is essential to prevent lateral movement and identity-trust abuse.
IOCs (7)
IP addresses (4)
- 67.206.213.86
- 136.0.8.48
- 146.70.100.69
- 149.104.66.84
URLs (2)
- http://146.70.100.69:8000/php_sess
- https://github.com/Acebond/ReverseSocks5/releases/download/v2.2.0/ReverseSocks5-v2.2.0-linux-amd64.tar.gz
SHA256 file hash (1)
- e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584
Detections (1)
- Detect post-exploitation child processes spawned by web/app servers
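As an added example (not code from the source report, Unit 42, or Palo Alto Networks): a small Python IOC matcher that applies the indicators listed above to constructed log lines, plus the parent/child process check the detection bullet describes. The log line formats, the web/app server process names other than nginx, and the list of suspicious child binaries are assumptions, not values from the report.

```python
"""Match the CVE-2026-0300 IOCs listed above against constructed log lines
and flag web/app server processes that spawn shells or downloaders.
Added example; log formats and process names are assumptions."""
import hashlib
import re

# Indicators copied verbatim from the report's IOC list.
IOC_IPS = {"67.206.213.86", "136.0.8.48", "146.70.100.69", "149.104.66.84"}
IOC_URLS = {
    "http://146.70.100.69:8000/php_sess",
    "https://github.com/Acebond/ReverseSocks5/releases/download/v2.2.0/"
    "ReverseSocks5-v2.2.0-linux-amd64.tar.gz",
}
IOC_SHA256 = {"e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584"}

# Server processes that should not normally spawn a shell. nginx appears in
# the report; the other names are assumed common web/app servers.
WEB_PARENTS = {"nginx", "httpd", "php-fpm", "apache2"}
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "curl", "wget", "python", "perl"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"']+")
SHA_RE = re.compile(r"\b[0-9a-f]{64}\b")


def scan_line(line):
    """Return a list of (indicator_type, value) hits found in one log line."""
    hits = []
    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    for url in URL_RE.findall(line):
        url = url.rstrip(".,;")
        if url in IOC_URLS:
            hits.append(("url", url))
    for digest in SHA_RE.findall(line.lower()):  # hashes may be logged upper-case
        if digest in IOC_SHA256:
            hits.append(("sha256", digest))
    return hits


def scan_lines(lines):
    """Map line index -> hits for every line that matched at least one IOC."""
    findings = {}
    for i, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            findings[i] = hits
    return findings


def file_hash_matches(data: bytes) -> bool:
    """True if the SHA256 of a file's bytes is the EarthWorm hash from the report."""
    return hashlib.sha256(data).hexdigest() in IOC_SHA256


def suspicious_child(parent: str, child: str) -> bool:
    """True when a web/app server process spawns a shell or downloader."""
    return parent in WEB_PARENTS and child.rsplit("/", 1)[-1] in SUSPICIOUS_CHILDREN


def flag_process_events(events):
    """Filter (parent_name, child_path) pairs down to the suspicious ones."""
    return [e for e in events if suspicious_child(*e)]


# Constructed sample telemetry; not real logs from any incident.
SAMPLE_LOGS = [
    "2026-05-08T10:01:02Z fw1 TRAFFIC src=10.0.0.5 dst=146.70.100.69 dport=8000 action=allow",
    "2026-05-08T10:01:03Z proxy GET http://146.70.100.69:8000/php_sess 200",
    "2026-05-08T10:02:00Z fw1 TRAFFIC src=10.0.0.7 dst=8.8.8.8 dport=53 action=allow",
    "2026-05-08T10:05:11Z edr file_created path=/tmp/ew "
    "sha256=E11F69B49B6F2E829454371C31EBF86893F82A042DAE3F2FAF63DCD84F97A584",
]
SAMPLE_PROCS = [("nginx", "/bin/sh"), ("nginx", "nginx"), ("sshd", "bash")]

if __name__ == "__main__":
    for idx, hits in scan_lines(SAMPLE_LOGS).items():
        print(f"line {idx}: {hits}")
    print("suspicious process events:", flag_process_events(SAMPLE_PROCS))
```

The matcher is deliberately exact-match on the published indicators; the process check is the broader behavioural rule and will also catch tooling the hash list does not yet cover, so the two should be run together rather than either alone.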