216.73.217.86

Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution

· Published 07/05/2026 07:56 · Modified 08/05/2026 09:19

Export JSON

Essential information

Published
07/05/2026 07:56
Modified
08/05/2026 09:19
Tags
2026-05-07 buffer overflow earthworm pan-os reversesocks5 tunneling tools zero-day
Related entities
12 vulnerabilities (cve), 4 observables, 1 intrusion sets (apt), 20 techniques (mitre), 2 malware

Description

A vulnerability in the User-ID Authentication Portal of software allows unauthenticated attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls. Limited exploitation has been observed starting April 9, 2026, by a likely state-sponsored threat cluster. Attackers successfully achieved remote code execution by injecting shellcode into nginx worker processes. Post-exploitation activities included deployment of and , Active Directory enumeration using compromised firewall credentials, and systematic log destruction to evade detection. The attackers demonstrated operational discipline with intermittent interactive sessions over multiple weeks, using open-source tools instead of proprietary malware to minimize detection. The vulnerability poses elevated risk when the portal is exposed to untrusted networks or the public internet.

External references