Palo Alto Zero-Day Exploited in Campaign Bearing Hallmarks of Chinese State Hacking
The cybersecurity firm has not explicitly accused China of being behind the attack, but the evidence suggests it was. The post Palo Alto Zero-Day Exploited in Campaign Bearing Hallmarks of Chinese State Hacking appeared first on SecurityWeek .
AI Analysis
Technical Summary
CVE-2026-0300 is a zero-day vulnerability affecting the User-ID Authentication Portal of Palo Alto Networks PA and VM series firewalls, enabling unauthenticated remote code execution with root privileges. Exploitation was first attempted unsuccessfully on April 9, 2026, and successfully leveraged a week later to inject shellcode into the Nginx worker process. The attackers, likely a state-sponsored group designated CL-STA-1132, conducted log cleanup to evade detection, deployed tools with root privileges, and performed Active Directory enumeration using compromised service account credentials. They used open-source tools Earthworm (network tunneling) and ReverseSocks5 (firewall/NAT bypass), techniques commonly associated with Chinese APT groups such as Volt Typhoon and APT41. Palo Alto Networks has announced patches scheduled for May 13 and May 28, 2026, and provided mitigations to prevent exploitation until patches are available.
Potential Impact
Successful exploitation allows unauthenticated remote code execution with root privileges on affected Palo Alto Networks firewalls, enabling attackers to gain full control over the device. This can lead to stealthy persistence, network tunneling, firewall bypass, and Active Directory enumeration within the targeted environment. The attackers' ability to clean logs and remove forensic evidence increases the difficulty of detection and incident response. The attack compromises critical network security infrastructure, potentially exposing internal networks to further compromise.
Mitigation Recommendations
Palo Alto Networks has announced that patches addressing CVE-2026-0300 will be released on May 13 and May 28, 2026. Until patches are available, the vendor has provided mitigations and workarounds to prevent exploitation; customers should apply these interim measures as detailed in the official advisory. Organizations should monitor Palo Alto Networks' advisories for the release of official patches and apply them promptly once available. No indication was given that the vulnerability is already mitigated or that no action is required.
Palo Alto Zero-Day Exploited in Campaign Bearing Hallmarks of Chinese State Hacking
Description
The cybersecurity firm has not explicitly accused China of being behind the attack, but the evidence suggests it was. The post Palo Alto Zero-Day Exploited in Campaign Bearing Hallmarks of Chinese State Hacking appeared first on SecurityWeek .
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-0300 is a zero-day vulnerability affecting the User-ID Authentication Portal of Palo Alto Networks PA and VM series firewalls, enabling unauthenticated remote code execution with root privileges. Exploitation was first attempted unsuccessfully on April 9, 2026, and successfully leveraged a week later to inject shellcode into the Nginx worker process. The attackers, likely a state-sponsored group designated CL-STA-1132, conducted log cleanup to evade detection, deployed tools with root privileges, and performed Active Directory enumeration using compromised service account credentials. They used open-source tools Earthworm (network tunneling) and ReverseSocks5 (firewall/NAT bypass), techniques commonly associated with Chinese APT groups such as Volt Typhoon and APT41. Palo Alto Networks has announced patches scheduled for May 13 and May 28, 2026, and provided mitigations to prevent exploitation until patches are available.
Potential Impact
Successful exploitation allows unauthenticated remote code execution with root privileges on affected Palo Alto Networks firewalls, enabling attackers to gain full control over the device. This can lead to stealthy persistence, network tunneling, firewall bypass, and Active Directory enumeration within the targeted environment. The attackers' ability to clean logs and remove forensic evidence increases the difficulty of detection and incident response. The attack compromises critical network security infrastructure, potentially exposing internal networks to further compromise.
Mitigation Recommendations
Palo Alto Networks has announced that patches addressing CVE-2026-0300 will be released on May 13 and May 28, 2026. Until patches are available, the vendor has provided mitigations and workarounds to prevent exploitation; customers should apply these interim measures as detailed in the official advisory. Organizations should monitor Palo Alto Networks' advisories for the release of official patches and apply them promptly once available. No indication was given that the vulnerability is already mitigated or that no action is required.
Technical Details
- Article Source
- {"url":"https://www.securityweek.com/palo-alto-zero-day-exploited-in-campaign-bearing-hallmarks-of-chinese-state-hacking/","fetched":true,"fetchedAt":"2026-05-07T15:36:22.681Z","wordCount":1142}
Threat ID: 69fcb176cbff5d86100633de
Added to database: 5/7/2026, 3:36:22 PM
Last enriched: 5/7/2026, 3:36:32 PM
Last updated: 5/8/2026, 9:27:33 PM
Views: 130
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.