Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution

DEV Community·Mark0·26 days ago

⚠️ Region Alert: UAE/Middle East

Palo Alto Networks has identified a critical buffer overflow vulnerability, CVE-2026-0300, in the User-ID Authentication Portal service of PAN-OS. This flaw allows unauthenticated attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls. Unit 42 is tracking specific state-sponsored activity (CL-STA-1132) that exploits this zero-day to inject shellcode into nginx worker processes and deploy tunneling tools like EarthWorm and ReverseSocks5.

Post-exploitation activities involve Active Directory enumeration and systematic destruction of logs to evade detection. Attackers have also been observed using SAML flooding to force failovers and compromise secondary devices. Organizations are advised to restrict access to the Authentication Portal, disable unnecessary response pages, and update to PAN-OS 11.1 with Threat ID 510019 enabled to mitigate the risk of remote code execution.