INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
PAN-OS Zero-Day Exploited for Unauthenticated Remote Code Execution
2026-05-07 10:57 | CRITICAL | HIGH
Executive Summary (AI-generated)
A critical-severity vulnerability in PAN-OS, the operating system of Palo Alto Networks firewalls, has exposed thousands of internet-connected devices. The CVE-2026-0300 zero-day allows unauthenticated remote code execution (RCE) on these firewalls, which state-sponsored threat groups frequently target because such edge devices often lack logging and endpoint security software. Attackers have been exploiting the flaw for nearly a month; unsuccessful attempts were reported from April 9, 2026. The EarthWorm tunneling tool deployed in this activity has previously appeared in attacks linked to Chinese-speaking threat groups, pointing to the potential for widespread exploitation.
Technical Mitigations (AI-generated)
* Restrict access to trusted zones: Customers should restrict access to the PAN-OS User-ID Authentication Portal by only allowing trusted zones, or disable it if that is not possible. This can be done from the User-ID Authentication Portal Settings page under Device > User Identification > Authentication Portal Settings > Enable Authentication Portal.
* Disable the vulnerable service until patched: Admins should check their firewalls for the vulnerable service and disable it until security updates are available; the first patches are expected to roll out next Wednesday, May 13. This mitigates the risk of unauthenticated RCE in the meantime.
* Use secure protocols: Customers can use secure communication protocols such as HTTPS or SFTP instead of HTTP to encrypt data transmitted over the network.
* Keep firewalls up-to-date: Palo Alto Networks recommends that customers keep their firewalls and other security software up-to-date with the latest patches, which are expected to be released soon. This will help prevent exploitation of known vulnerabilities like CVE-2026-0300.
* Implement logging and monitoring: Customers should implement logging and monitoring mechanisms to detect potential threats and respond quickly in case of an attack.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns: Volt Typhoon, APT41; CVE-2026-0300
Target & Sectors: EUROPE, MIDDLE_EAST, NORTH_AMERICA
Incident Timeline
April 9, 2026
Threat actors exploited a Palo Alto Networks firewall zero-day vulnerability for nearly a month.
A week later, the attackers successfully achieved RCE against the device and injected shellcode.
The EarthWorm tool allows threat actors to set up covert communication across restricted networks, while ReverseSocks5 enables them to bypass NAT and firewalls by creating an outbound connection from a target machine to a controller.
EarthWorm has previously been used in attacks linked to the CL-STA-0046, Volt Typhoon, UAT-8337, and APT41 Chinese-speaking threat groups.
Admins can quickly check whether their firewalls are configured to use the vulnerable service from the User-ID Authentication Portal Settings page, found under Device > User Identification >
April 29, 2026
Threat actors used a zero-day exploit in the Palo Alto Networks firewall to target and compromise the device on April 29, 2026.
May 6, 2026
Palo Alto Networks released a security advisory on May 6, 2026, to address CVE-2026-0300.
On May 6, 2026, Palo Alto Networks released a security advisory for CVE-2026-0300, identifying a buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software.
May 6, 2026
Palo Alto Networks' VM-series firewalls were exploited for nearly a month.
Palo Alto Networks VM-series firewalls exposed online (Shadowserver)
Palo Alto Networks told BleepingComputer yesterday that the flaw doesn't impact Cloud NGFW or Panorama appliances and that it's still working on releasing patches, with the first ones expected to roll out next Wednesday, May 13.
May 7, 2026
Palo Alto Networks customers received protections and mitigations for the User-ID Authentication Portal flaw, which attackers exploited for unauthenticated remote code execution (RCE) in PAN-OS software and then used to deploy EarthWorm.
Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution
Tracked as CVE-2026-0300, this remote code execution security flaw was found in the PAN-OS User-ID Authentication Portal (also known as the Captive Portal) and stems from a buffer overflow vulnerability that allows unauthenticated attackers to execute arbitrary code with root privileges on Internet-exposed PA-Series and VM-Series firewalls.
Adhering to best practice guidelines by restricting User-ID Authentication Portal access exclusively to trusted internal IP addresses and ensuring the portal is not publicly reachable will greatly mitigate this risk.
Palo Alto Networks Cortex Xpanse can identify exposed instances of the User-ID Authentication Portal potentially vulnerable to CVE-2026-0300.
Current Scope of the Attack Using CVE-2026-0300
We are aware of only limited exploitation of CVE-2026-0300 at this time.
While Prisma Access, Cloud NGFW and Panorama appliances remain unaffected by this vulnerability, the risk of unauthenticated RCE exploitation is significantly elevated when the User-ID Authentication Portal is exposed to the public internet or untrusted networks.
RCE was then achieved on the second device, where EarthWorm and ReverseSocks5 were downloaded.
ReverseSocks5 is an open-source networking tool used to bypass firewalls or NAT by establishing an outbound connection from a target machine to a controller, rather than the other way around.
EarthWorm has reportedly been used by the threat actor behind CL-STA-0046, Volt Typhoon, UAT-8337 and APT41.
Conclusion
Over the last five years, nation-state threat actors engaged in cyber espionage have increasingly focused their efforts on edge-network technological assets, including firewalls, routers, IoT devices, hypervisors and various VPN solutions, which provide high-privilege access while often lacking the robust logging and security agents found on standard endpoints.
EarthWorm
Earthworm is an open-source network tunneling tool written in C that operates on Windows, Linux, macOS and ARM/MIPS-based platforms.
Consequently, this campaign demonstrates that operational restraint—specifically the use of non-persistent access windows—is a primary factor in maintaining long-term residency on edge infrastructure.
Indicators of Compromise
67.206.213[.]86
136.0.8[.]48
146.70.100[.]69 (C2 Staging)
149.104.66[.]84
hxxp[:]//146.70.100[.]69:8000/php_sess (EarthWorm Download)
hxxps[:]//github[.]com/Acebond/ReverseSocks5/releases/download/v2.2.0/ReverseSocks5-v2.2.0-linux-amd64.tar[.]gz (ReverseSocks5 Download)
e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584 (EarthWorm)
Safari/532.31 Mozilla/5.5 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/138.0.0.0 Safari/537.36 Edg/138.0.0.0 (Attacker User Agent String)
/var/tmp/linuxap, /var/tmp/linuxda, /var/tmp/linuxupdate (Tunneling Tools)
/tmp/.c
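A retrospective sweep of portal access logs, egress logs and host artifacts for the indicators listed above, as an added example (not code from the page, Unit 42 or Palo Alto Networks). It takes the page's de-fanged indicators as printed and re-fangs them only in memory; the log lines, the /portal/login path, the fw01 host and the 203.0.113.0/24 and 10.0.0.1 addresses are constructed for the demo, and the match on the anomalous "Mozilla/5.5" token alone goes slightly beyond the page's single user-agent string.

```python
"""Retrospective IoC sweep for the CVE-2026-0300 campaign described on this page.

Added example, not code from the page, Unit 42 or Palo Alto Networks. The indicators
are the page's de-fanged values, re-fanged only in memory; every log line, host
address and URL path in the sample data is constructed for the demo.
"""
import re

# Indicators as the page lists them (de-fanged), with the page's labels.
DEFANGED_IPS = {
    "67.206.213[.]86": "attacker infrastructure",
    "136.0.8[.]48": "attacker infrastructure",
    "146.70.100[.]69": "C2 staging",
    "149.104.66[.]84": "attacker infrastructure",
}
DEFANGED_STAGING_URL = "hxxp[:]//146.70.100[.]69:8000/php_sess"  # EarthWorm download
# The page's attacker user agent, matched on its distinctive fragments. "Mozilla/5.5"
# is anomalous (real browsers send Mozilla/5.0), so that token alone is worth surfacing.
UA_FRAGMENTS = ("Mozilla/5.5", "Chrome/138.0.0.0 Safari/537.36 Edg/138.0.0.0")
TUNNEL_PATHS = ("/var/tmp/linuxap", "/var/tmp/linuxda", "/var/tmp/linuxupdate", "/tmp/.c")
EARTHWORM_SHA256 = "e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584"


def refang(indicator: str) -> str:
    """Turn a de-fanged indicator back into its real form for matching."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


IOC_IPS = {refang(ip): label for ip, label in DEFANGED_IPS.items()}
STAGING_URL = refang(DEFANGED_STAGING_URL)

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def _ip_in(ip: str, text: str) -> bool:
    """Whole-address match, so 136.0.8.48 does not fire on 136.0.8.481."""
    return re.search(rf"(?<![\d.]){re.escape(ip)}(?![\d.])", text) is not None


def access_line_hits(line: str) -> list[str]:
    """IoC matches for one portal access-log line; an empty list means clean."""
    m = COMBINED_RE.match(line)
    if not m:
        return []
    hits = [f"source {m['ip']}: {IOC_IPS[m['ip']]}"] if m["ip"] in IOC_IPS else []
    if all(frag in m["ua"] for frag in UA_FRAGMENTS):
        hits.append("attacker user agent")
    elif UA_FRAGMENTS[0] in m["ua"]:
        hits.append("anomalous Mozilla/5.5 token")
    return hits


def egress_line_hits(line: str) -> list[str]:
    """Matches for one outbound/proxy log line (the firewall fetching tooling)."""
    hits = ["EarthWorm staging URL"] if STAGING_URL in line else []
    hits += [f"{ip}: {label}" for ip, label in IOC_IPS.items() if _ip_in(ip, line)]
    return hits


def host_artifact_hits(text: str) -> list[str]:
    """Tunnelling-tool paths and the EarthWorm hash in a file listing or ps output."""
    hits = [p for p in TUNNEL_PATHS if re.search(re.escape(p) + r"(?=[\s\"']|$)", text)]
    if EARTHWORM_SHA256 in text.lower():
        hits.append("EarthWorm sha256")
    return hits


def sweep(access_log, egress_log, host_text):
    """(line number, hits) for every matching log line, plus host artifact hits."""
    return {
        "access": [(n, h) for n, l in enumerate(access_log, 1) if (h := access_line_hits(l))],
        "egress": [(n, h) for n, l in enumerate(egress_log, 1) if (h := egress_line_hits(l))],
        "host": host_artifact_hits(host_text),
    }


# Constructed sample data, not real telemetry: 203.0.113.0/24 is a documentation range,
# /portal/login is a placeholder path, fw01 and 10.0.0.1 are made up.
SAMPLE_ACCESS = [
    '203.0.113.10 - - [29/Apr/2026:08:14:02 +0000] "GET /portal/login HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/124.0.0.0 Safari/537.36"',
    refang("146.70.100[.]69") + ' - - [29/Apr/2026:08:14:30 +0000] "POST /portal/login HTTP/1.1" '
    '200 0 "-" "Mozilla/5.5 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/138.0.0.0 Safari/537.36 Edg/138.0.0.0"',
    '203.0.113.77 - - [29/Apr/2026:08:15:01 +0000] "POST /portal/login HTTP/1.1" 500 0 "-" '
    '"Mozilla/5.5 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/124.0.0.0 Safari/537.36"',
]
SAMPLE_EGRESS = [
    f"2026-04-29T08:16:10Z fw01 egress allow src=10.0.0.1 url={STAGING_URL}",
    f"2026-04-29T08:20:00Z fw01 egress allow src=10.0.0.1 dst={refang('149.104.66[.]84')}:443",
    "2026-04-29T08:21:00Z fw01 egress allow src=10.0.0.1 dst=136.0.8.481:443",  # near miss
]
SAMPLE_HOST = "root 4411 0.0 /var/tmp/linuxupdate\nroot 4412 0.0 /tmp/.config/x\n"

if __name__ == "__main__":
    for section, hits in sweep(SAMPLE_ACCESS, SAMPLE_EGRESS, SAMPLE_HOST).items():
        print(section, hits)
```

The near-miss lines (136.0.8.481 and /tmp/.config) show why whole-token matching matters: plain substring checks on IoC lists produce false positives that drown real hits.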
Bridges data between two separate listening ports to facilitate pivot management (T1090).
Encapsulates traffic for protocols like RDP and SSH within SOCKS tunnels (T1572).
Decoder capabilities necessitate PAN-OS 11.1 or a later version for Threat ID support.
The Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of indicators associated with this activity.
Restrict User-ID Authentication Portal access to only trusted zones and in addition, disable Response Pages in the Interface Management Profile attached to every L3 interface in any zone where untrusted/internet traffic can ingress.
Keep Response Pages enabled only on interfaces in trust/internal zones where legitimate users' browsers ingress.
Refer to Step 6 of the linked Live Community article and Knowledgebase article for steps to restrict access.
Disable User-ID Authentication Portal if not required.
Customers with an Advanced Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 510019 from Applications and Threats content version 9097-10022.
The reliance of the attackers behind CL-STA-1132 on open-source tooling, rather than proprietary malware, minimized signature-based detection and facilitated seamless environment integration.
Palo Alto Networks has shared our findings with our fellow Cyber Threat Alliance (CTA) members.
Cloud-Delivered Security Services for the Next-Generation Firewall
Advanced URL Filtering and Advanced DNS Security identify known URLs and domains associated with this activity as malicious.
May 9
Threat actors exploited the CVE-2026-0300 zero-day in Palo Alto Networks firewalls for nearly a month.
On Wednesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) also added the CVE-2026-0300 zero-day to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to secure vulnerable firewalls by Saturday midnight, May 9.
May 12
Threat actors exploited a zero-day vulnerability in the Palo Alto Networks firewall for nearly two weeks.
May 13
Palo Alto Networks' VM-series firewalls were exploited for nearly a month.
Intelligence Sources
Palo Alto (2026-05-07)
BleepingComputer (2026-05-07): Palo Alto Networks firewall zero-day exploited for nearly a month
Incident Version History
CURRENT VERSION
Last Updated: 2026-05-08T06:06
Comprehensive Tactical Telemetry
Highly Correlated Entities
44x organisation, Identified Entity: PAN (entity)
13x infrastructure, Software Version: 11.1 (version)
8x timeline, Temporal Reference: April 9, 2026 (date)
7x attribution, Attributing Entity: the U.S. Cybersecurity and Infrastructure Security Agency (authority)
5x tactic, Cyber Operation Type: Remote Code Execution (tactic)
5x target region, Target Country: United Kingdom (country)
4x tactic, MITRE ATT&CK Technique: T1588.006 - Vulnerabilities (technique)
3x target region, Target Region: NORTH_AMERICA (region)
3x infrastructure, Affected Product: Windows (software)
2x threat actor, APT Group: Volt Typhoon (actor)
Contextual Telemetry
vulnerability, Exploited CVE: CVE-2026-0300 (cve)
general metric, Os Series Firewalls: 5,400
general metric, Asia: 2,466
general metric, North America: 1,998
source region, Origin Country: China (country)
general metric, Binding Operational Directive: 26
general metric, May: 14
general metric, Incident: 42
general metric, Pan Os: 11
general metric, Step: 6
general metric, Threat Id: 510,019