CL-STA-1132 — PAN-OS CVE-2026-0300 exploitation cluster: disclosure-to-deadline-to-deadline-expiry inside the window
From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11
The PAN-OS Captive Portal zero-day chain compressed an entire incident-response cycle into one ISO week.

2026-05-06 — Palo Alto disclosed CVE-2026-0300 (CVSS 9.3, unauthenticated root RCE); CERT-EU issued a rare Critical Advisory; CISA added it to KEV with a remediation deadline of 2026-05-09; Unit 42 attributed active exploitation since 2026-04-09 to CL-STA-1132 and characterised the cluster as likely state-sponsored (Palo Alto PSIRT, 2026-05-06 · CERT-EU 2026-006, 2026-05-06 · Unit 42, 2026-05-06 · daily 2026-05-07 deep dive).

2026-05-08 — KEV deadline announced as the next day; the mitigation hardening (disable Captive Portal, restrict it to internal CIDRs, apply Threat ID 510019) was repeated; the daily flagged that organisations had to confirm mitigation before close of business that day (daily 2026-05-08).

2026-05-09 — KEV deadline expired with no patch available; the vendor confirmed the earliest fixed releases as 10.1.14 / 10.2.12 / 11.0.5 / 11.1.4, expected 2026-05-13; Unit 42 published its post-exploitation cluster framing — rogue admin accounts named svc-health-check-[6-digit-numeric], Python tunnelling implants under /var/tmp/linuxupdate and /tmp/.c, OSPF-based internal AD reconnaissance; observed dwell time of ~20 days from initial compromise to second-device exploitation on a tracked victim (daily 2026-05-09 UPDATE).

2026-05-10 — Unit 42 added EarthWorm / ReverseSocks5 tunnelling specificity (already adjacent to the prior framing; marginal delta over the cluster narrative).
The campaign-state lens a daily reader cannot see from one day: every organisation with an internet-facing PAN-OS Captive Portal that did not disable or restrict it during 2026-W19 is in the same posture on 2026-W20 — still no patch, still exposed, still inside CL-STA-1132's targeting window. Retrospective log review back to 2026-04-09 for the svc-health-check- account pattern, anomalous outbound connections from the firewall management IP, and unexpected nginx child processes is the highest-priority hunting action for the new week. ATT&CK profile: T1190 Exploit Public-Facing Application, T1055 Process Injection, T1003 OS Credential Dumping, T1572 Protocol Tunneling, T1018 Remote System Discovery.
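The three hunting checks above, turned into runnable triage logic as an added example (not code from Unit 42, Palo Alto or this brief's authors). It assumes a simplified comma-separated export of the firewall's configuration/admin log, a `(pid, ppid, command)` process listing, and `(timestamp, src, dst, port)` flow records; the sample records, the management IP 10.0.0.5 and the egress allowlist entry are all constructed for the example, and the only values taken from the brief are the account-name pattern, the two implant paths and the 2026-04-09 start of the review window.

```python
import re
from datetime import datetime

# Start of the retrospective review window: Unit 42's earliest observed exploitation date (from the brief).
EXPLOIT_START = datetime(2026, 4, 9)

# Rogue admin naming pattern reported by Unit 42: svc-health-check- followed by exactly six digits.
ROGUE_ADMIN = re.compile(r"\bsvc-health-check-\d{6}\b")

# Implant staging paths reported by Unit 42.
SUSPECT_PATHS = ("/var/tmp/linuxupdate", "/tmp/.c")

# Constructed sample records (assumed "timestamp,event,detail" shape, not a real PAN-OS export format).
SAMPLE_CONFIG_LOG = [
    "2026-04-02T10:15:00,admin-add,user=ops-jdoe",
    "2026-04-12T03:41:17,admin-add,user=svc-health-check-482913",
    "2026-04-12T03:42:05,config-commit,user=svc-health-check-482913",
    "2026-04-20T08:00:00,admin-add,user=svc-health-check-backup",  # not six digits: must not match
]

# Constructed process listing: (pid, ppid, command).
SAMPLE_PROCESSES = [
    (1, 0, "init"),
    (1200, 1, "nginx: master process"),
    (1201, 1200, "nginx: worker process"),
    (1202, 1200, "nginx: worker process"),
    (4410, 1200, "python /var/tmp/linuxupdate"),  # non-nginx child of nginx, and a suspect path
    (4420, 4410, "sh"),
]

# Constructed flow records: (timestamp, src, dst, dst_port). 10.0.0.5 is the assumed management IP.
MGMT_IP = "10.0.0.5"
EGRESS_ALLOWLIST = {"updates.example.net"}  # constructed placeholder for the sanctioned update host
SAMPLE_FLOWS = [
    ("2026-04-13T02:00:00", "10.0.0.5", "updates.example.net", 443),
    ("2026-04-13T02:05:00", "10.0.0.5", "203.0.113.77", 443),   # management IP to unknown host
    ("2026-04-13T02:06:00", "10.0.0.9", "203.0.113.77", 443),   # not the management IP
    ("2026-03-20T09:00:00", "10.0.0.5", "203.0.113.77", 443),   # before the review window
]


def in_window(ts: str) -> bool:
    """True if an ISO-8601 timestamp falls on or after the review window start."""
    return datetime.fromisoformat(ts) >= EXPLOIT_START


def find_rogue_admins(lines):
    """Return (timestamp, account) for every log line naming a svc-health-check-NNNNNN account.

    The pattern is high-signal on its own, so no date filter is applied here: an older hit
    still deserves a look.
    """
    hits = []
    for line in lines:
        ts = line.split(",", 1)[0]
        for m in ROGUE_ADMIN.finditer(line):
            hits.append((ts, m.group(0)))
    return hits


def flag_nginx_children(procs):
    """Return (pid, command) for processes whose parent is nginx but which are not nginx workers."""
    cmd_by_pid = {pid: cmd for pid, _ppid, cmd in procs}
    return [
        (pid, cmd)
        for pid, ppid, cmd in procs
        if cmd_by_pid.get(ppid, "").startswith("nginx") and not cmd.startswith("nginx")
    ]


def flag_suspect_paths(procs):
    """Return (pid, command) for any process whose command line references a known implant path."""
    return [(pid, cmd) for pid, _ppid, cmd in procs if any(p in cmd for p in SUSPECT_PATHS)]


def flag_mgmt_egress(flows, mgmt_ip=MGMT_IP, allow=EGRESS_ALLOWLIST):
    """Return flows from the management IP, inside the review window, to non-allowlisted destinations."""
    return [f for f in flows if f[1] == mgmt_ip and f[2] not in allow and in_window(f[0])]


def triage(config_log=SAMPLE_CONFIG_LOG, procs=SAMPLE_PROCESSES, flows=SAMPLE_FLOWS):
    """Run all three checks and return one dict for a ticket or SIEM enrichment."""
    return {
        "rogue_admins": find_rogue_admins(config_log),
        "nginx_children": flag_nginx_children(procs),
        "suspect_paths": flag_suspect_paths(procs),
        "mgmt_egress": flag_mgmt_egress(flows),
    }


if __name__ == "__main__":
    for check, hits in triage().items():
        print(f"{check}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h)
```

Any non-empty result is a lead, not a verdict: a legitimate monitoring account could match the naming pattern, so each hit should be tied back to a change ticket before the device is treated as compromised. Swap the constructed samples for a real export of the config log, a `ps -eo pid,ppid,args` capture from the device, and the egress flows from the firewall's own traffic log or an upstream NetFlow collector.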