Nation-State Palo Alto Zero-Day Exploited in Campaign Bearing Hallmarks of Chinese State Hacking The cybersecurity firm has not explicitly accused China of being behind the attack, but the evidence suggests it was. By Eduard Kovacs | May 7, 2026 (11:31 AM ET) Flipboard Reddit Whatsapp Whatsapp Email Palo Alto Networks has shared some information on the exploitation of the recently disclosed zero-day vulnerability affecting some of its firewalls. The cybersecurity firm has not directly attributed the attack to a specific threat actor or country, but the evidence seems to point to China. In an advisory published on May 6, Palo Alto Networks informed customers about CVE-2026-0300 , a vulnerability affecting the User-ID Authentication Portal of PA and VM series firewalls. The company said the flaw, which allows unauthenticated remote code execution with root privileges, had been exploited as a zero-day . Patches are expected to be released on May 13 and May 28, and in the meantime the company has shared mitigations and workarounds to prevent exploitation. Shortly after CVE-2026-0300 was disclosed, Palo Alto Networks published a blog post describing the vulnerability’s exploitation in the wild. According to the company, a “likely state-sponsored” threat group tracked as CL-STA-1132 was behind the attack. First exploitation attempts were observed on April 9, but were unsuccessful. The vulnerability was successfully leveraged one week later for remote code execution and Nginx worker process shellcode injection. Advertisement. Scroll to continue reading. “Following the compromise, the attackers immediately conducted log cleanup to mitigate detection by clearing crash kernel messages, deleting nginx crash entries and nginx crash records, as well as removing crash core dump files,” Palo Alto explained. “The attackers deployed a number of tools with root privileges four days later, before conducting Active Directory (AD) enumeration using the firewall’s service account credentials to target domain root and DomainDnsZones. Following enumeration, the attackers deleted ptrace injection evidence from the audit log and deleted the SetUserID (SUID) privilege escalation binary,” it added. The attackers deployed the open source Earthworm and ReverseSocks5 tools. The former is a network tunneling tool that enables attackers to establish a covert communications channel, while the latter allows them to bypass firewalls and NAT. The cybersecurity firm has stopped short of attributing the attacks to a specific country, but the evidence it has presented points to China as the main suspect. Earthworm and ReverseSocks5 have predominantly been used by Chinese APT groups, including Volt Typhoon and APT41 . Log destruction has also often been observed during attacks attributed to Chinese threat actors. Active Directory targeting is also a hallmark of Chinese groups, though other nation-state hackers and cybercriminals use this technique as well. “The reliance of the attackers behind CL-STA-1132 on open-source tooling, rather than proprietary malware, minimized signature-based detection and facilitated seamless environment integration,” Palo Alto noted. “This technical choice, combined with a disciplined operational cadence of intermittent interactive sessions over a multi-week period, intentionally remained below the behavioral thresholds of most automated alerting systems.” Related : Critical cPanel & WHM Vulnerability Exploited as Zero-Day for Months Related : Microsoft Patches Exploited SharePoint Zero-Day and 160 Other Vulnerabilities Related : Adobe Patches Reader Zero-Day Exploited for Months Written By Eduard Kovacs Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering. More from Eduard Kovacs Claude AI Guided Hackers Toward OT Assets During Water Utility Intrusion Romanian Man Extradited to US for Role in Hacking Scheme 17 Years Ago CISA Launches ‘CI Fortify’ to Prepare Critical Infrastructure for Geopolitical Cyber Conflict Palo Alto Networks to Patch Zero-Day Exploited to Hack Firewalls Microsoft Warns of Sophisticated Phishing Campaign Targeting US Organizations Critical Remote Code Execution Vulnerability Patched in Android WhatsApp Discloses File Spoofing, Arbitrary URL Scheme Vulnerabilities Trellix Source Code Repository Breached Latest News Boost Security Raises $4 Million for SDLC Defense Platform Claude Code OAuth Tokens Can Be Stolen Through Stealthy MCP Hijacking Chrome 148 Rolls Out With 127 Security Fixes Attackers Could Exploit AI Vision Models Using Imperceptible Image Changes Vendor Says Daemon Tools Supply Chain Attack Contained AI Coding Agents Could Fuel Next Supply Chain Crisis Webinar Today: Securing Identity Across Humans, Machines and AI Cisco Patches High-Severity Vulnerabilities in Enterprise Products Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: ROSI for CPS Security Programs May 13, 2026 In cyber-physical systems (CPS), just one hour of downtime can outweigh an entire annual security budget. Learn how to master the Return on Security Investment (ROSI) to align security goals with the bottom-line priorities. Register Virtual Event: Threat Detection and Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the Move Sumo Logic has named Jeremy Powell as CISO and Ben Cody as SVP of Product Management. Bitdefender has appointed Frank Koelmel as Chief Revenue Officer of Business Solutions Group. John Hernandez has joined BlueVoyant as Chief Executive Officer. More People On The Move Expert Insights The Mythos Moment: Enterprises Must Fight Agents with Agents Only with the right platform and an agentic, AI-driven defense, will enterprises be able to protect themselves in the agentic era. (Etay Maor) Why Cybersecurity Must Rethink Defense in the Age of Autonomous Agents From autonomous code generation to decision-making systems that initiate actions without human intervention, the industry is entering a new phase. (Torsten George) Government Can’t Win the Cyber War Without the Private Sector Securing national resilience now depends on faster, deeper partnerships with the private sector. (Steve Durbin) The Hidden ROI of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) Flipboard Reddit Whatsapp Whatsapp Email