INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
ATTENTION: This report is based on previous data. New intelligence sources have been linked and the Executive Summary and Mitigations need to be re-synthesized.
Palo Alto PAN-OS Zero-Day Exploited by Nation-state Actors
2026-05-07 00:00 | CRITICAL | HIGH
Executive Summary (AI-generated)
The threat actor behind the exploitation of the Palo Alto PAN-OS zero-day vulnerability CVE-2026-0300 is suspected to be a nation-state. The campaign, which has been ongoing for nearly a month, exploits the flaw to gain root access to exposed firewalls and then deploys publicly available tunneling tools (EarthWorm, ReverseSocks5), enumerates Active Directory with credentials likely obtained from the firewall, and destroys logs. This indicates that the threat actor prioritized identity trust abuse over traditional network-layer pivoting, effectively reducing their footprint.
Technical Mitigations (AI-generated)
* Limit access to trusted internal networks: Palo Alto Networks notes that the risk is greatly reduced if organizations follow best practices, such as restricting sensitive portals to trusted internal networks only.
* Secure access to the User-ID Authentication Portal: restricting access to the User-ID Authentication Portal (Captive Portal) per the best-practice guidelines reduces exposure by keeping it off the public internet and away from untrusted IP addresses; the vendor states the issue is specific to customers with the portal exposed.
* Keep PAN-OS software up to date: Palo Alto Networks advises that fixes for the vulnerability are expected from May 13, 2026 (the impacted-products table lists the fixed release for each train). Until the fix for your release is available, rely on the access restrictions above; once it ships, apply it without delay.
* Monitor firewall logs and activity: watch firewall and authentication-portal logs for exploitation attempts and for the post-exploitation signs described in this report, such as tunneling-tool deployment, Active Directory enumeration with firewall-held credentials, and gaps where logs have been deleted.
* Implement intrusion detection and prevention systems (IDPS): IDPS can help detect and block malicious traffic, such as crafted packets aimed at the portal service, before it reaches the firewall.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns: APT41, Volt Typhoon; CVE-2026-0300
Target Regions: NORTH_AMERICA, MIDDLE_EAST, EUROPE
Incident Timeline
2026/05/07: Palo Alto Networks confirmed that CVE-2026-0300 was exploited in the wild.
Entity Context
Tooling: EarthWorm and ReverseSocks5
“Post-exploitation activity includes deployment of publicly available tunneling tools (EarthWorm, ReverseSocks5), Active Directory enumeration using credentials likely obtained from the firewall, and the systematic destruction of logs and other evidence of compromise.”
EarthWorm has been used in past attacks associated with several China-linked threat actors, including APT41, CL-STA-0046, and Volt Typhoon.
ReverseSocks5 is another open-source networking tool designed to bypass firewalls and NAT protections by creating outbound connections from compromised systems to attacker-controlled servers.
Vulnerability and exploitation (Security Affairs, Pierluigi Paganini; Palo Alto Networks advisory)
Nation-state actors exploit Palo Alto PAN-OS zero-day for weeks
Palo Alto says hackers exploited PAN-OS zero-day CVE-2026-0300 for weeks, gaining root access to exposed firewalls and hiding traces.
The critical memory corruption vulnerability, CVE-2026-0300, affects the authentication portal of PAN-OS and allows unauthenticated attackers to run code with root privileges on the vendor’s PA-Series and VM-Series firewalls, the company said.
“A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets,” reads the advisory published by Palo Alto Networks.
Palo Alto Networks did not say when or how it became aware of active exploitation, nor when the earliest known exploitation occurred.
Shadowserver scans found more than 5,800 publicly exposed VM-Series firewalls running PAN-OS as of Tuesday, yet it’s unknown how many of those instances have restricted authentication access to trusted internal IP addresses or disabled the feature altogether.
(SecurityAffairs – hacking, PAN-OS)
Impacted products
Versions | Affected | Unaffected
Cloud NGFW | None | All
PAN-OS 12.1 | < 12.1.4-h5, < 12.1.7 | >= 12.1.4-h5 (ETA: 05/13), >= 12.1.7
EarthWorm is an open-source tunneling tool written in C that works across Windows, Linux, macOS, and ARM/MIPS platforms.
Vendor guidance
“The risk of this issue is greatly reduced if you secure access to the User-ID™ Authentication Portal per the best practice guidelines by restricting access to only trusted internal IP addresses.”
“This vulnerability is specific to a limited number of customers with their User-ID Authentication Portal (Captive Portal) exposed to the public internet or untrusted IP addresses.”
Impacted products (continued)
PAN-OS 11.1 | (affected versions not captured in the source) | >= 11.1.7-h6 (ETA: 05/28), >= 11.1.10-h25 (ETA: 05/13), >= 11.1.13-h5 (ETA: 05/13), >= 11.1.15 (ETA: 05/28)
PAN-OS 10.2 | < 10.2.7-h34, < 10.2.10-h36, < 10.2.13-h21, < 10.2.16-h7, < 10.2.18-h6 | >= 10.2.7-h34 (ETA: 05/28), >= 10.2.10-h36 (ETA: 05/13), >= 10.2.13-h21 (ETA: 05/28), >= 10.2.16-h7 (ETA: 05/28), >= 10.2.18-h6 (ETA: 05/13)
Prisma Access | None | All
The cybersecurity vendor states that the issue doesn’t impact Prisma Access, Cloud NGFW and Panorama appliances.
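The vendor table above mixes hotfix entries (12.1.4-h5) with plain maintenance releases (12.1.7), so a naive "greater than" comparison gets releases such as 12.1.5 wrong. The following checker is an added example, not Palo Alto Networks tooling: FIXED is transcribed from the unaffected column of the table on this page (the 11.1 affected column is not on the page, so only its fixed releases are used), and the rule that a hotfix such as 12.1.4-h5 fixes only the 12.1.4 maintenance line is this example's reading of the vendor's "< a, < b" notation, stated here as an assumption. The names parse, status and report are this example's own.

```python
"""Classify a PAN-OS version against the CVE-2026-0300 impacted-products table.

Added example, not Palo Alto Networks tooling. FIXED is transcribed from the
table on this page; the comparison rule below (a hotfix such as 12.1.4-h5 only
fixes the 12.1.4 maintenance line) is this example's reading of the vendor's
"< a, < b" notation and is an assumption.
"""
import re
from typing import Tuple

# Fixed releases per PAN-OS train, transcribed from the page. Prisma Access,
# Cloud NGFW and Panorama are listed as not affected and need no check.
FIXED = {
    "12.1": ["12.1.4-h5", "12.1.7"],
    "11.1": ["11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15"],
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6"],
}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse(version: str) -> Tuple[int, int, int, int]:
    """'10.2.13-h21' -> (10, 2, 13, 21); a release without a hotfix gets 0."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def status(version: str) -> str:
    """Return 'fixed', 'affected' or 'unknown-train' for one PAN-OS version."""
    major, minor, maint, hotfix = parse(version)
    fixes = FIXED.get(f"{major}.{minor}")
    if fixes is None:
        return "unknown-train"  # train not in the table: consult the advisory
    parsed = [parse(f) for f in fixes]
    # (a) same maintenance release as a fix entry, at or above its hotfix level
    for _, _, fix_maint, fix_hotfix in parsed:
        if maint == fix_maint and hotfix >= fix_hotfix:
            return "fixed"
    # (b) a maintenance release newer than the latest fixed one on this train
    if maint > max(p[2] for p in parsed):
        return "fixed"
    # (c) everything else: an older release, or a release that sits between two
    #     fix entries (e.g. 12.1.5) and therefore has no fix of its own
    return "affected"


def report(versions) -> dict:
    """Map each version in an inventory to its status; handy for fleet checks."""
    return {v: status(v) for v in versions}


if __name__ == "__main__":
    # Constructed inventory, not real devices.
    for v, s in report(["12.1.4-h5", "12.1.5", "10.2.13-h20", "11.1.15", "9.1.3"]).items():
        print(f"{v:12} {s}")
```

The interesting cases are the ones between fix entries: 12.1.5 is newer than 12.1.4-h5 but has no hotfix of its own and is still below 12.1.7, so it is reported as affected; 12.1.4-h4 is one hotfix short and is also affected. A train that is not in the table (9.1 in the sample inventory) is reported as unknown rather than silently treated as safe.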
Palo Alto Networks says the flaw is being exploited in a limited way, mainly against systems where the User-ID Authentication Portal is exposed to the public internet.
EarthWorm’s features include forward and reverse SOCKS5 tunnels, port bridging, traffic forwarding, and multi-hop tunneling for protocols such as RDP and SSH.
CL-STA-1132
“The reliance of the attackers behind CL-STA-1132 on open-source tooling, rather than proprietary malware, minimized signature-based detection and facilitated seamless environment integration.”
“Consequently, this campaign demonstrates that operational restraint—specifically the use of non-persistent access windows—is a primary factor in maintaining long-term residency on edge infrastructure.”
Timeline updates
May 9, 2026: Threat actors exploited a zero-day vulnerability in Palo Alto PAN-OS.
May 13, 2026: Palo Alto Networks released software fixes for the zero-day exploited in PAN-OS.
CyberScoop
“We have observed limited exploitation of this issue and are working to release software fixes, with the first updates expected to be available on May 13,” a Palo Alto Networks spokesperson told CyberScoop.
Tactical Metrics
Affected Product (EarthWorm platforms): Windows, Linux, macOS
Earthworm is an open-source network tunneling tool written in C that operates on Windows, Linux, macOS and ARM/MIPS-based platforms.
Software Version: PAN-OS 11.1. Decoder capabilities necessitate PAN-OS 11.1 or a later version for Threat ID support.
Software Version: PAN-OS 12.1 (12.1.4-h5, 12.1.7); see the impacted-products table above.
Advanced WildFire: the Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of indicators associated with this activity.
Indicators of Compromise
67.206.213[.]86
136.0.8[.]48
146.70.100[.]69 (C2 Staging)
149.104.66[.]84
hxxp[:]//146.70.100[.]69:8000/php_sess (EarthWorm Download)
hxxps[:]//github[.]com/Acebond/ReverseSocks5/releases/download/v2.2.0/ReverseSocks5-v2.2.0-linux-amd64.tar[.]gz (ReverseSocks5 Download)
e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584 (EarthWorm)
Safari/532.31 Mozilla/5.5 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36 Edg/138.0.0.0 (Attacker User Agent String)
/var/tmp/linuxap, /var/tmp/linuxda, /var/tmp/linuxupdate (Tunneling Tools)
/tmp/.c
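The indicator list above is published defanged, and two of its entries are easy to misuse in a detection: the IP addresses and file paths match unrelated strings if searched as bare substrings, and the "Chrome/138.0.0.0 ... Edg/138.0.0.0" tail of the user-agent string is what any current Edge browser sends, so only the malformed "Safari/532.31 Mozilla/5.5" prefix is distinctive. The scanner below is an added example, not vendor or project code: the indicator values are transcribed from this page, the log lines are constructed (not real telemetry), and the names refang, scan_line, scan and SAMPLE_LOG are this example's own.

```python
"""Match the indicators of compromise listed on this page against log lines.

Added example, not vendor or project code. The indicator values are transcribed
from the page's IoC list; the log lines below are constructed to exercise the
matching logic and are not real telemetry.
"""
import re
from typing import Dict, List, Tuple

# Defanged exactly as published on the page; refang() restores them for matching.
RAW_IOCS: Dict[str, List[str]] = {
    "ip": ["67.206.213[.]86", "136.0.8[.]48", "146.70.100[.]69", "149.104.66[.]84"],
    "url": ["hxxp[:]//146.70.100[.]69:8000/php_sess"],
    "sha256": ["e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584"],
    "path": ["/var/tmp/linuxap", "/var/tmp/linuxda", "/var/tmp/linuxupdate", "/tmp/.c"],
    # Only the malformed prefix of the published user-agent string is used: the
    # "Chrome/138.0.0.0 ... Edg/138.0.0.0" tail on its own matches ordinary Edge.
    "user_agent": ["Safari/532.31 Mozilla/5.5"],
}


def refang(indicator: str) -> str:
    """Undo the usual defanging: [.] -> ., [:] -> :, hxxp(s) -> http(s)."""
    return (indicator.replace("[.]", ".").replace("[:]", ":")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


IOCS: Dict[str, List[str]] = {k: [refang(v) for v in vs] for k, vs in RAW_IOCS.items()}


def _token_pattern(value: str, boundary: str) -> re.Pattern:
    """Match value only as a whole token (no boundary character on either side)."""
    return re.compile(f"(?<![{boundary}])" + re.escape(value) + f"(?![{boundary}])")


# IPs: 146.70.100.69 must not hit 146.70.100.690 or 1146.70.100.69.
_IP = [(ip, _token_pattern(ip, r"\d.")) for ip in IOCS["ip"]]
# Paths: /var/tmp/linuxupdate must not hit /var/tmp/linuxupdater.log.
_PATH = [(p, _token_pattern(p, r"\w./-")) for p in IOCS["path"]]


def scan_line(line: str) -> List[str]:
    """Return every 'kind:value' indicator present in one log line."""
    hits: List[str] = []
    for ip, pat in _IP:
        if pat.search(line):
            hits.append(f"ip:{ip}")
    lowered = line.lower()
    for kind in ("url", "sha256", "user_agent"):  # plain substring, case-insensitive
        for value in IOCS[kind]:
            if value.lower() in lowered:
                hits.append(f"{kind}:{value}")
    for path, pat in _PATH:
        if pat.search(line):
            hits.append(f"path:{path}")
    return hits


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (line_number, hits) for each line that carries an indicator."""
    results = []
    for number, line in enumerate(lines, start=1):
        hits = scan_line(line)
        if hits:
            results.append((number, hits))
    return results


# Constructed sample lines (not real telemetry): a portal request carrying the
# malformed user agent, an outbound fetch of the EarthWorm payload, an audit
# record for a dropped tunneling binary, and two benign lines that must not match.
SAMPLE_LOG = [
    '2026-05-06T02:14:07Z portal client=67.206.213.86 req="POST /" '
    'ua="Safari/532.31 Mozilla/5.5 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36 Edg/138.0.0.0"',
    '2026-05-06T02:15:30Z egress  GET http://146.70.100.69:8000/php_sess bytes=1203941',
    '2026-05-06T02:16:02Z audit   path=/var/tmp/linuxupdate '
    'sha256=e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584',
    '2026-05-06T02:17:44Z portal client=10.20.30.40 req="POST /" '
    'ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/127.0"',
    '2026-05-06T02:18:11Z audit   path=/var/tmp/linuxupdater.log',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

Token-boundary matching is what keeps the last sample line quiet: it contains the published path as a prefix of a different file name, which a plain substring search would report. The same guard prevents an address such as 146.70.100.690 from being attributed to the C2 staging host.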
Intelligence Sources
Security Affairs, 2026-05-07: “Nation-state actors exploit Palo Alto PAN-OS zero-day for weeks”
CyberScoop, 2026-05-06
Palo Alto, 2026-05-07
Incident Version History
CURRENT VERSION. Last Updated: 2026-06-15T05:46
Comprehensive Tactical Telemetry
Highly Correlated Entities (mention count, category, type: value)
49x organisation, Identified Entity: IoT
16x infrastructure, Software Version: 11.1
10x attribution, Attributing Entity: Cortex AgentiX
9x timeline, Temporal Reference: May 6, 2026
6x target region, Target Country: United Kingdom
5x tactic, Cyber Operation Type: Privilege Escalation
4x tactic, MITRE ATT&CK Technique: T1588.006 - Vulnerabilities
3x target region, Target Region: MIDDLE_EAST
3x infrastructure, Affected Product: Windows
2x threat actor, APT Group: Volt Typhoon
Contextual Telemetry (10 metrics)
Incident: 42
Exploited CVE: CVE-2026-0300
Pan Os: 11
Step: 6
Threat Id: 510,019
Origin Country: China
CVSS Score: 9
Exposed Series Firewalls: 5,800