Palo Alto Networks PAN-OS CVE-2026-0300: State-Sponsored Zero-Day RCE Under Active Exploitation Since April
Tags: Security · Infrastructure · Defense Tech

A critical buffer overflow in Palo Alto Networks PAN-OS Captive Portal (CVE-2026-0300, CVSS 9.3) has been actively exploited by a likely state-sponsored threat actor (tracked as CL-STA-1132) since at least April 9, 2026, four weeks before public disclosure. The unauthenticated vulnerability allows root-level remote code execution on PA-Series and VM-Series firewalls. Attackers injected shellcode into nginx worker processes, cleared crash logs, deleted crash dumps, and deployed tunneling tools with root privileges. They also conducted Active Directory enumeration using firewall service account credentials and used SAML flood attacks to promote HA peers for lateral movement. Shadowserver identified 5,800+ VM-Series instances exposed on the public internet. CISA added CVE-2026-0300 to the Known Exploited Vulnerabilities catalog on May 6 with a May 9 remediation deadline for federal agencies. First patches are expected May 13, 2026.