ctipilot.ch


CL-STA-1132 (PAN-OS CVE-2026-0300 exploitation cluster, likely state-sponsored)

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

Current state: actively exploited in the wild against internet-facing PAN-OS PA-Series / VM-Series firewalls since approximately 2026-04-09. The KEV deadline (2026-05-09) expired with no patch available; the staged patch window runs 2026-05-13 → 2026-05-28.

Post-exploitation tradecraft per Unit 42 and the daily 2026-05-09 UPDATE is consistent across incidents: shellcode injection into nginx worker processes, EarthWorm / ReverseSocks5 tunnelling, and Python implants under /var/tmp/linuxupdate and /tmp/.c. The daily UPDATE additionally records rogue admin accounts named svc-health-check-[6-digit-numeric], theft of the PAN-OS credential store, and Active Directory enumeration (recorded as "via OSPF queries"; OSPF is a routing protocol and carries no directory data, so treat this as a probable mis-transcription of LDAP and verify against the daily before building detections on it). Unit 42's 2026-05-08 update added the explicit EarthWorm / ReverseSocks5 framing to the cluster (covered as marginal delta in the 2026-05-10 daily).

Outstanding question for defenders into 2026-W20: with patches landing 2026-05-13 → 2026-05-28, the at-risk window stays open into next week's reporting, so exposure on unpatched edge devices is current, not historical. Highest-priority hunt action: retrospective log review for the svc-health-check- account pattern across 2026-04-09 → present, paired with a check for the implant paths above on each device. (Daily references: 2026-05-07 deep dive · 2026-05-09 UPDATE.)
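The hunt action above (retrospective review for svc-health-check- accounts and the implant paths since 2026-04-09) as a small, runnable check. This is an added example written for this brief, not code from ctipilot.ch or Unit 42. The four-field "date,log_type,event,key=value" export layout and the sample lines are constructed for the example and are an assumption, not the real PAN-OS config/system log schema; map your own export's columns onto those fields first. Only the indicators themselves (the account pattern and the two paths) come from the brief.

```python
import re
from datetime import date

# Indicators quoted from the brief: rogue admin naming pattern and implant paths.
ROGUE_ADMIN_RE = re.compile(r"^svc-health-check-\d{6}$")
IMPLANT_PATHS = ("/var/tmp/linuxupdate", "/tmp/.c")
# Approximate start of in-the-wild exploitation per the brief.
WINDOW_START = date(2026, 4, 9)

# Constructed sample export in a simplified "YYYY-MM-DD,log_type,event,key=value"
# layout. ASSUMPTION: this is not the real PAN-OS log schema; map your own
# export's columns onto these four fields before running the hunt.
SAMPLE_EXPORT = """\
2026-04-02,config,admin-add,username=netops-jsmith
2026-04-05,config,admin-add,username=svc-health-check-913027
2026-04-11,config,admin-add,username=svc-health-check-482913
2026-04-12,config,admin-add,username=svc-health-check-7
2026-04-15,system,process-start,path=/var/tmp/linuxupdate/agent.py
2026-04-20,config,admin-add,username=svc-health-check-00912x
2026-05-03,system,file-write,path=/tmp/.c/loader
2026-05-04,config,admin-add,username=svc-health-check-110358
2026-05-06,system,file-write,path=/tmp/.cache/x
"""


def parse_record(line):
    """Split one export line into its fields; return None for malformed lines."""
    parts = line.strip().split(",", 3)
    if len(parts) != 4:
        return None
    day, log_type, event, detail = parts
    try:
        when = date.fromisoformat(day)
    except ValueError:
        return None
    key, _, value = detail.partition("=")
    return {"date": when, "type": log_type, "event": event, key: value}


def is_implant_path(path):
    """Match the exact path or anything beneath it; /tmp/.cache must not match /tmp/.c."""
    return any(path == p or path.startswith(p + "/") for p in IMPLANT_PATHS)


def hunt(export_text, window_start=WINDOW_START):
    """Return (date, indicator, value, in_window) for every line matching an indicator.

    Hits before window_start are still returned (the brief's start date is approximate)
    but flagged with in_window=False so they can be triaged separately.
    """
    hits = []
    for line in export_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        in_window = rec["date"] >= window_start
        if rec["event"] == "admin-add" and ROGUE_ADMIN_RE.match(rec.get("username", "")):
            hits.append((rec["date"], "rogue-admin", rec["username"], in_window))
        elif "path" in rec and is_implant_path(rec["path"]):
            hits.append((rec["date"], "implant-path", rec["path"], in_window))
    return hits


if __name__ == "__main__":
    for when, kind, value, in_window in hunt(SAMPLE_EXPORT):
        note = "" if in_window else "  (before the 2026-04-09 window; re-check the start date)"
        print(f"{when} {kind:13} {value}{note}")
```

The regex is anchored on exactly six digits so near-misses such as svc-health-check-7 or svc-health-check-00912x are not reported; loosen it deliberately if the daily later widens the pattern. The path check is prefix-plus-separator rather than a bare substring match, otherwise legitimate paths under /tmp/.cache would fire on /tmp/.c.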