Palo Alto Zero-Day Exploited in Campaign Bearing Hallmarks of Chinese State Hacking

Summary

Palo Alto Networks disclosed CVE-2026-0300, a critical zero-day vulnerability in its PA and VM series firewalls that allows unauthenticated remote code execution with root privileges. The flaw was exploited in the wild by a likely state-sponsored threat group tracked as CL-STA-1132, with first attempts observed on April 9 and successful exploitation occurring a week later. The attackers deployed open-source tools Earthworm and ReverseSocks5, conducted log cleanup, and performed Active Directory enumeration—tactics consistent with Chinese APT operations such as Volt Typhoon and APT41.

Full text

Palo Alto Networks has shared some information on the exploitation of the recently disclosed zero-day vulnerability affecting some of its firewalls. The cybersecurity firm has not directly attributed the attack to a specific threat actor or country, but the evidence seems to point to China. In an advisory published on May 6, Palo Alto Networks informed customers about CVE-2026-0300, a vulnerability affecting the User-ID Authentication Portal of PA and VM series firewalls. The company said the flaw, which allows unauthenticated remote code execution with root privileges, had been exploited as a zero-day. Patches are expected to be released on May 13 and May 28, and in the meantime the company has shared mitigations and workarounds to prevent exploitation. Shortly after CVE-2026-0300 was disclosed, Palo Alto Networks published a blog post describing the vulnerability’s exploitation in the wild. According to the company, a “likely state-sponsored” threat group tracked as CL-STA-1132 was behind the attack. First exploitation attempts were observed on April 9, but were unsuccessful. The vulnerability was successfully leveraged one week later for remote code execution and Nginx worker process shellcode injection.Advertisement. Scroll to continue reading. “Following the compromise, the attackers immediately conducted log cleanup to mitigate detection by clearing crash kernel messages, deleting nginx crash entries and nginx crash records, as well as removing crash core dump files,” Palo Alto explained. “The attackers deployed a number of tools with root privileges four days later, before conducting Active Directory (AD) enumeration using the firewall’s service account credentials to target domain root and DomainDnsZones. Following enumeration, the attackers deleted ptrace injection evidence from the audit log and deleted the SetUserID (SUID) privilege escalation binary,” it added. The attackers deployed the open source Earthworm and ReverseSocks5 tools. The former is a network tunneling tool that enables attackers to establish a covert communications channel, while the latter allows them to bypass firewalls and NAT. The cybersecurity firm has stopped short of attributing the attacks to a specific country, but the evidence it has presented points to China as the main suspect. Earthworm and ReverseSocks5 have predominantly been used by Chinese APT groups, including Volt Typhoon and APT41. Log destruction has also often been observed during attacks attributed to Chinese threat actors. Active Directory targeting is also a hallmark of Chinese groups, though other nation-state hackers and cybercriminals use this technique as well. “The reliance of the attackers behind CL-STA-1132 on open-source tooling, rather than proprietary malware, minimized signature-based detection and facilitated seamless environment integration,” Palo Alto noted. “This technical choice, combined with a disciplined operational cadence of intermittent interactive sessions over a multi-week period, intentionally remained below the behavioral thresholds of most automated alerting systems.” Related: Critical cPanel & WHM Vulnerability Exploited as Zero-Day for Months Related: Microsoft Patches Exploited SharePoint Zero-Day and 160 Other Vulnerabilities Related: Adobe Patches Reader Zero-Day Exploited for Months Written By Eduard Kovacs Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering. More from Eduard Kovacs Claude AI Guided Hackers Toward OT Assets During Water Utility IntrusionRomanian Man Extradited to US for Role in Hacking Scheme 17 Years AgoCISA Launches ‘CI Fortify’ to Prepare Critical Infrastructure for Geopolitical Cyber ConflictPalo Alto Networks to Patch Zero-Day Exploited to Hack FirewallsMicrosoft Warns of Sophisticated Phishing Campaign Targeting US OrganizationsCritical Remote Code Execution Vulnerability Patched in AndroidWhatsApp Discloses File Spoofing, Arbitrary URL Scheme VulnerabilitiesTrellix Source Code Repository Breached Latest News Boost Security Raises $4 Million for SDLC Defense PlatformClaude Code OAuth Tokens Can Be Stolen Through Stealthy MCP HijackingChrome 148 Rolls Out With 127 Security FixesAttackers Could Exploit AI Vision Models Using Imperceptible Image ChangesVendor Says Daemon Tools Supply Chain Attack ContainedAI Coding Agents Could Fuel Next Supply Chain CrisisWebinar Today: Securing Identity Across Humans, Machines and AICisco Patches High-Severity Vulnerabilities in Enterprise Products Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: ROSI for CPS Security Programs May 13, 2026 In cyber-physical systems (CPS), just one hour of downtime can outweigh an entire annual security budget. Learn how to master the Return on Security Investment (ROSI) to align security goals with the bottom-line priorities. Register Virtual Event: Threat Detection and Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the MoveSumo Logic has named Jeremy Powell as CISO and Ben Cody as SVP of Product Management.Bitdefender has appointed Frank Koelmel as Chief Revenue Officer of Business Solutions Group.John Hernandez has joined BlueVoyant as Chief Executive Officer.More People On The MoveExpert Insights The Mythos Moment: Enterprises Must Fight Agents with Agents Only with the right platform and an agentic, AI-driven defense, will enterprises be able to protect themselves in the agentic era. (Etay Maor) Why Cybersecurity Must Rethink Defense in the Age of Autonomous Agents From autonomous code generation to decision-making systems that initiate actions without human intervention, the industry is entering a new phase. (Torsten George) Government Can’t Win the Cyber War Without the Private Sector Securing national resilience now depends on faster, deeper partnerships with the private sector. (Steve Durbin) The Hidden ROI of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• cve — CVE-2026-0300
• malware — Earthworm
• malware — ReverseSocks5

Entities