Critical Unauthenticated RCE in Palo Alto PAN‑OS (CVE‑2026‑0300) Exploited by Nation‑State Actors
What It Is – Palo Alto Networks disclosed a critical buffer‑overflow vulnerability (CVE‑2026‑0300) in the User‑ID Authentication Portal of PAN‑OS. The flaw permits unauthenticated remote code execution with root privileges on PA‑Series and VM‑Series firewalls.
Exploitability – Unit 42 has observed active exploitation for nearly a month. Threat actors have deployed publicly available tunneling tools (EarthWorm, ReverseSocks5) and carried out credential theft and log wiping. The CVSS v3.1 score is 9.8 (Critical).
Affected Products – PAN‑OS 12.1 < 12.1.4‑h5, 11.2 < 11.2.4‑h17, 11.1 < 11.1.4‑h33, and related VM‑Series releases. Cloud NGFW instances are not affected.
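The affected ranges above are stated per feature train with a hotfix suffix, so a naive string comparison (e.g. "11.2.4-h9" versus "11.2.4-h17") gets the answer wrong. The following helper, added here as an illustration and not part of the Security Affairs report or any Palo Alto tooling, parses PAN‑OS version strings into comparable tuples and triages a constructed inventory against the three fixed releases named on this page. It does not cover the "related VM‑Series releases" or any train not listed above; those are reported as unlisted so the vendor advisory is consulted rather than guessed at.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed releases exactly as listed in the bulletin, keyed by feature train.
# Trains not listed here are NOT assumed safe; is_vulnerable() returns None for them.
FIXED_RELEASES: Dict[str, str] = {
    "12.1": "12.1.4-h5",
    "11.2": "11.2.4-h17",
    "11.1": "11.1.4-h33",
}

# PAN-OS versions look like MAJOR.MINOR.MAINT with an optional "-hN" hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '11.2.4-h17' into (11, 2, 4, 17) so tuple comparison orders releases correctly.

    A base release with no hotfix sorts as hotfix 0, so '12.1.4' < '12.1.4-h5'.
    Non-breaking hyphens (U+2011), common in copy-pasted advisories, are normalised.
    """
    cleaned = version.strip().replace("\u2011", "-")
    match = _VERSION_RE.match(cleaned)
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = match.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if version is below the fixed release for its train, False if at or above it,
    None if the train is not one of the three listed in the bulletin."""
    parsed = parse_panos_version(version)
    train = f"{parsed[0]}.{parsed[1]}"
    fixed = FIXED_RELEASES.get(train)
    if fixed is None:
        return None
    return parsed < parse_panos_version(fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each firewall hostname to an action: 'patch', 'ok', or 'unlisted train'."""
    result: Dict[str, str] = {}
    for host, version in inventory.items():
        verdict = is_vulnerable(version)
        if verdict is None:
            result[host] = "unlisted train"
        else:
            result[host] = "patch" if verdict else "ok"
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = {
        "fw-edge-01": "11.2.4-h16",   # one hotfix short of the fix
        "fw-edge-02": "11.2.4-h17",   # at the fixed release
        "fw-dc-01": "12.1.4",         # base release, below 12.1.4-h5
        "fw-dc-02": "12.1.5",         # later maintenance release, above the fix
        "fw-lab-01": "10.2.9-h1",     # train not named in the bulletin
    }
    for host, action in triage(sample).items():
        print(f"{host:<12} {sample[host]:<12} -> {action}")
```

The tuple ordering is the whole point: "h17" must sort above "h9", and a bare maintenance release must sort below its own hotfixes but above the previous maintenance release. Keep FIXED_RELEASES in sync with the vendor advisory rather than this page if the two ever differ.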
TPRM Impact –
- Compromise of a firewall gives attackers unrestricted lateral movement across a vendor’s network, exposing downstream customers.
- Persistent root access enables covert data exfiltration and long‑term espionage, raising supply‑chain risk for any organization that relies on Palo Alto firewalls.
Recommended Actions –
- Immediately restrict external access to the User‑ID Authentication Portal to trusted internal IPs.
- Apply the latest PAN‑OS patches (12.1.4‑h5, 11.2.4‑h17, 11.1.4‑h33) as soon as they become available.
- Conduct a forensic review of firewall logs for signs of EarthWorm or ReverseSocks5 tunnels.
- Rotate any credentials that may have been harvested from compromised firewalls.
- Update incident‑response playbooks to include detection of unauthenticated RCE attempts against PAN‑OS.
Source: Security Affairs – Nation‑state actors exploit Palo Alto PAN‑OS zero‑day for weeks