PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage

2026-05-07

1 min read

by info@thehackernews.com (The Hacker News)

Receive daily AI-curated summaries of engineering articles from top tech companies worldwide.

Palo Alto Networks disclosed a critical RCE vulnerability (CVE-2026-0300) in PAN-OS being actively exploited by state-sponsored threat actors.

•CVE-2026-0300 is a buffer overflow in PAN-OS User-ID Authentication Portal with CVSS 9.3/8.7 enabling unauthenticated remote code execution with root privileges
•Exploitation began April 9, 2026, progressing to successful RCE within a week through shellcode injection into nginx worker processes
•Post-exploitation includes Active Directory enumeration and deployment of open-source tools EarthWorm and ReverseSocks5 linked to China-nexus hacking groups
•Attackers cleared crash messages, deleted nginx records, and removed core dump files to cover tracks
•Nation-state actors increasingly target edge-network assets including firewalls, routers, and VPN solutions for privileged access

Related Articles