Palo Alto Networks warned that a suspected state-sponsored threat cluster targeted a critical vulnerability in the User-ID Authentication Portal service of its PAN-OS software, according to a blog post published Wednesday. The vulnerability, tracked as CVE-2026-0300, is a buffer overflow that allows attackers to execute arbitrary code on the company’s PA-Series and VM-Series firewalls.
The company issued an advisory on Tuesday warning that a limited number of customer devices had been exploited, in cases where the affected devices were exposed to the public internet or to untrusted IP addresses.
The company is “working to release software fixes,” with the first updates expected to be available by May 13, according to a spokesperson.
The Cybersecurity and Infrastructure Security Agency on Wednesday added the flaw to its Known Exploited Vulnerabilities catalog.
The initial exploitation attempts against a PAN-OS device were traced back to April 9 but were unsuccessful, according to researchers at Palo Alto Networks’ Unit 42. A week later the attackers broke through and injected shellcode into the device. Unit 42 is tracking the cluster as CL-STA-1132 but did not attribute it to a specific country or provide further details about the operators.
After the initial compromise, the attackers worked to evade detection by clearing crash-related kernel messages, deleting nginx crash entries and crash records, and removing crash core dump files, Unit 42 said in its blog post. Those artifacts are exactly what failed memory-corruption attempts tend to leave behind, and what investigators rely on to reconstruct an exploit.
By late April, the attackers had carried out a Security Assertion Markup Language (SAML) flood against the previously targeted device, the blog post said.
The attackers also deployed publicly available tunneling tools, including EarthWorm and ReverseSocks5.