ctipilot.ch

CL-STA-1132 — likely state-sponsored exploitation cluster for CVE-2026-0300 (PAN-OS)

campaign · campaign:CL-STA-1132

Coverage timeline: 2 appearances, first 2026-05-07 → last 2026-05-10
Briefs: 2 distinct
Sources cited: 12 (7 hosts)
Sections touched: 2 (active_vulns, weekly_summary)
Co-occurring entities: 8

Story timeline

  1. 2026-05-10 · CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026)
     weekly_summary · Consolidated in weekly summary for week 2026-W19
  2. 2026-05-07 · CTI Daily Brief — 2026-05-07
     active_vulns · First coverage. Unit 42 tracking cluster; exploitation began 2026-04-09; post-exploitation includes nginx injection, credential theft, EarthWorm/ReverseSocks5 tunneling, AD enumeration; medium confidence state-sponsored attribution.

Where this entity is cited

  • active_vulns (1)
  • weekly_summary (1)

Source distribution

  • attack.mitre.org: 6 (50%)
  • cert.europa.eu: 1 (8%)
  • cisa.gov: 1 (8%)
  • cloud.google.com: 1 (8%)
  • security.paloaltonetworks.com: 1 (8%)
  • unit42.paloaltonetworks.com: 1 (8%)
  • cert.ssi.gouv.fr: 1 (8%)

Items in briefs about CL-STA-1132 — likely state-sponsored exploitation cluster for CVE-2026-0300 (PAN-OS) (10)

PAN-OS CVE-2026-0300 — wave 2 confirmed delayed to 2026-05-28; eight build streams remain on mitigation-only for a further 11 days

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

If you did nothing this week: any PA-Series or VM-Series firewall running PAN-OS 12.1.7, 11.2.4-h17, 11.2.12, 11.1.7-h6, 11.1.15, 10.2.7-h34, 10.2.13-h21, or 10.2.16-h7 with User-ID Authentication Portal / Captive Portal exposed to untrusted IPs has been within CL-STA-1132's exploitation window since 2026-04-09 (W19 baseline) and will remain so until 2026-05-28 — eleven calendar days past today. The Palo Alto PSIRT advisory was updated 2026-05-16 confirming the staggered two-wave schedule (wave 1 landed 2026-05-13 for 11.2.7-h13 / 11.2.10-h6 / 11.1.4-h33 / 11.1.6-h32 / 11.1.10-h25 / 11.1.13-h5 / 10.2.10-h36 / 10.2.18-h6; wave 2 covers the remaining branches on 2026-05-28). Limited ITW exploitation continues (Palo Alto PSIRT CVE-2026-0300; daily 2026-05-14 UPDATE; daily 2026-05-13 UPDATE).

The interim mitigation remains the only available control for wave-2 build streams: restrict User-ID Authentication Portal to trusted zones, disable Response Pages on external-facing L3 interface management profiles, and (for Threat Prevention subscribers on PAN-OS ≥ 11.1 with content version ≥ 9097-10022) enable Threat ID 510019. The retrospective-hunt artefact set documented in W19 (svc-health-check-NNNNNN rogue-admin accounts; Python implants under /var/tmp/linuxupdate, /var/tmp/linuxap, and /tmp/.c) remains the right starting point for organisations exposed during the four-and-a-half-week pre-patch window between 2026-04-09 and their eventual upgrade date.

PAN-OS CVE-2026-0300 — staged-patch arc spanning W19 and W20

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

The PAN-OS staged-patch arc began in W19 with limited ITW exploitation of firewalls with the User-ID Authentication Portal exposed (CL-STA-1132, active since 2026-04-09), continued into W20 with wave 1 landing on 2026-05-13 for eight build streams (daily 2026-05-13 UPDATE), and now extends a further eleven days: the PSIRT advisory was updated 2026-05-16 confirming wave 2 delayed to 2026-05-28 for the remaining eight build streams (Palo Alto PSIRT CVE-2026-0300; daily 2026-05-14 UPDATE).

The cross-day learning for Swiss / EU defenders is that PSIRT-stated patch dates on actively-exploited bugs are still subject to slip and the operational window is what matters, not the advisory's first-quoted date. The interim mitigation remains identical (User-ID Auth Portal scoped to trusted zones, Response Pages off external L3 interfaces, Threat ID 510019 for ≥ 11.1 + content ≥ 9097-10022); the retrospective hunt for svc-health-check-NNNNNN admin accounts and Python implants under /var/tmp/linuxupdate / /var/tmp/linuxap / /tmp/.c remains the only signal a CL-STA-1132-victimised organisation will have between the pre-patch compromise and the eventual upgrade.

UPDATE: CVE-2026-0300 PAN-OS Captive Portal — patch wave 2 delayed to 2026-05-28 for eight high-traffic build streams; mitigation remains the only option on those builds [SINGLE-SOURCE]

From CTI Daily Brief — 2026-05-14 · published 2026-05-14

UPDATE (originally covered 2026-05-07 deep dive, last updated 2026-05-13): Palo Alto Networks PSIRT updated its CVE-2026-0300 advisory on 2026-05-13 to reflect first-wave patch availability and to disclose a second patch wave with an ETA of 2026-05-28 for eight commonly-deployed build streams: PAN-OS 12.1.7, 11.2.4-h17, 11.2.12, 11.1.7-h6, 11.1.15, 10.2.7-h34, 10.2.13-h21 and 10.2.16-h7 (Palo Alto Networks PSIRT, updated 2026-05-13). Operators running any of those builds cannot patch yet; the interim mitigation (restrict User-ID Authentication Portal to trusted zones, or disable Captive Portal if unused) is the only option until 28 May. CL-STA-1132 in-the-wild exploitation continues; the cluster's tradecraft (EarthWorm / ReverseSocks5 tunnels, AD enumeration via the firewall service account, deliberate log destruction) is unchanged from prior coverage (Unit 42 — Captive Portal Zero-Day, 2026-05-06).

The CISA KEV entry was updated on 2026-05-13 to note "Palo Alto has released a variety of patches"; the FCEB remediation deadline (2026-05-09) has already expired. Per PD-13 the KEV deadline is not the operational driver in CH/EU; the active-exploitation status, the affected-build delay, and the CL-STA-1132 attribution are. The wave-2 delay specifics are documented in the vendor PSIRT advisory and were not independently corroborated by HIGH-reliability third-party reporting within the reporting window; treat the eight-build "ETA 05/28" list as vendor-primary and verify against the live PSIRT entry before any rollout planning.

UPDATE: PAN-OS CVE-2026-0300 — first-wave patched builds released on 2026-05-13

From CTI Daily Brief — 2026-05-13 · published 2026-05-13

UPDATE (originally covered 2026-05-12): Palo Alto Networks released the first wave of patched PAN-OS builds on 2026-05-13 for the actively-exploited Captive Portal pre-auth RCE, covering PAN-OS 10.2, 11.1, 11.2 and 12.1 (Palo Alto Networks PSIRT, last updated 2026-05-07; patch table confirmed 2026-05-13). Concretely: PAN-OS 12.1.4-h5 (2026-05-13) plus 12.1.7 (planned 2026-05-28); PAN-OS 11.2 multiple builds staged 2026-05-13 to 2026-05-28; PAN-OS 11.1 and 10.2 on a similar cadence. Prisma Access, Cloud NGFW and Panorama remain unaffected. Threat Prevention signature ID 510019 remains the interim control for any unpatched instance. The CISA KEV deadline of 2026-05-09 is irrelevant for CH/EU jurisdiction under the audience-applicability rule applied in these briefs; the operational driver is the active exploitation by CL-STA-1132 documented previously.

UPDATE: Palo Alto PAN-OS CVE-2026-0300 — first-wave fixed builds now scheduled for 2026-05-13; until then interim mitigation remains the only option

From CTI Daily Brief — 2026-05-12 · published 2026-05-12

UPDATE (originally covered as the 2026-05-07 deep dive; updates 2026-05-08 → 2026-05-10): Palo Alto Networks' PSIRT page for CVE-2026-0300 (last updated 2026-05-07 at time of run) now lists first-wave fixed builds with an ETA of 2026-05-13 for several mainline branches and a second wave around 2026-05-28 for the remaining branches; no patched build is yet shipped against the unauthenticated root RCE in the User-ID Authentication Portal / Captive Portal service. The CL-STA-1132 cluster attribution and the ~2026-04-09 first-observed-exploitation date come from Unit 42's separate Captive Portal Zero-Day threat bulletin, not from the PSIRT advisory itself.

Operationally: until the 05/13 first-wave builds ship, the interim Threat Prevention signature 510019 plus source-IP restriction of the captive-portal interface to trusted internal ranges remain the only defender controls for branches that do not yet have a fixed build. PA-Series and VM-Series operators with User-ID Authentication Portal or Captive Portal exposed should treat tomorrow as a pre-staged deployment window — confirm a tested rollback path, validate the interim signature is enforced (Threat Prevention licence required), and verify the captive-portal listener is reachable only from authorised source ranges. Prisma Access, Cloud NGFW and Panorama are not affected. The CISA KEV deadline (2026-05-09) has already expired for FCEB agencies and per PD-13 does not drive Swiss/EU action framing on its own — the operational driver is the actively-exploited ITW status and the imminent first-wave patch ship date.

CVE-2026-0300 — Palo Alto PAN-OS Captive Portal unauthenticated root RCE; CL-STA-1132 active since 2026-04-09; no patch until 2026-05-13

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

If you did nothing this week: any PA-Series or VM-Series firewall with the User-ID Authentication Portal enabled and internet-reachable has been within the attack window since 2026-04-09 — three weeks before public disclosure (2026-05-06) and four-and-a-half weeks before the first staged patch becomes available (2026-05-13). The daily 2026-05-09 UPDATE recorded an observed dwell time of approximately 20 days from initial compromise to second-device exploitation on at least one tracked victim; the relevant retrospective-log question is whether your firewall has been compromised since mid-April, not whether it might be compromised next week.

CVE-2026-0300 (CVSS 9.3, CWE-121 stack-based buffer overflow) is an unauthenticated remote code execution in the PAN-OS User-ID Authentication Portal, a network-accessible service that a single crafted packet exploits to gain root on the firewall's management plane (Palo Alto Networks Security Advisory, 2026-05-06 · Unit 42 primary research, 2026-05-06). CERT-EU issued a Critical Advisory (a rare designation) on disclosure day (CERT-EU 2026-006, 2026-05-06); CERT-FR followed with CERTFR-2026-AVI-0537 (CERT-FR, 2026-05-06). Unit 42 tracks the active exploitation cluster as CL-STA-1132 and characterises it as likely state-sponsored activity. Unit 42's primary research records shellcode injection into nginx worker processes, EarthWorm / ReverseSocks5 tunnelling, and Python implants under /var/tmp/linuxupdate and /tmp/.c; the daily 2026-05-09 UPDATE additionally surfaces a rogue admin name pattern svc-health-check-[6-digit-numeric] (bypassing normal admin-role RBAC), running-configuration export including pre-shared keys, and internal reconnaissance via OSPF route-table queries alongside Active Directory enumeration. The profile is consistent with T1190 Exploit Public-Facing Application, T1055 Process Injection, T1003 OS Credential Dumping, and T1572 Protocol Tunneling. Patch availability is staged 2026-05-13 → 2026-05-28 across PAN-OS branches 10.2.x / 11.1.x / 11.2.x / 12.1.x; Cloud NGFW and Prisma Access are not affected. Until patches land, the operational expectations are (1) disable the Authentication Portal entirely where it is not required, (2) restrict it to trusted internal IP ranges via security policy where it is required, (3) on PAN-OS 11.1+ with Threat Prevention, confirm Threat ID 510019 is in blocking mode, and (4) review authentication-portal logs and admin-account listings from 2026-04-09 onward for retrospective compromise evidence (daily 2026-05-07 deep dive; daily 2026-05-09 update).
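Mitigation steps (1) and (2) above, which the W20 items earlier on this page repeat as "restrict User-ID Authentication Portal to trusted zones" and "disable Response Pages on external-facing L3 interface management profiles", can be checked mechanically against an exported configuration rather than by eye. The script below is an added example and is not code from this page, Palo Alto Networks or Unit 42. Its rule and interface dictionaries, the zone names, the service-object names (auth-portal, captive-portal), the trusted address ranges and every sample rule are constructed assumptions; the field layout is not the PAN-OS export format and has to be mapped onto whatever your own configuration export looks like.

```python
"""Audit a simplified, PAN-OS-style security rulebase and interface listing for
Authentication Portal / Captive Portal exposure to untrusted zones or sources.

Added example; not vendor code. Every object below is constructed and the
field layout is an assumption, not the PAN-OS configuration export format.
"""
from ipaddress import ip_network

# Constructed assumptions: zones and ranges that count as trusted, and the
# service-object names that carry portal traffic in this hypothetical rulebase.
TRUSTED_ZONES = {"trust", "user-lan"}
TRUSTED_RANGES = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PORTAL_SERVICES = {"auth-portal", "captive-portal"}

# Constructed rulebase, in evaluation order.
RULEBASE = [
    {"name": "allow-portal-internal", "from": ["trust"], "source": ["10.0.0.0/8"],
     "service": ["auth-portal"], "action": "allow"},
    {"name": "portal-from-internet", "from": ["untrust"], "source": ["any"],
     "service": ["captive-portal"], "action": "allow"},
    {"name": "partner-portal", "from": ["partner"], "source": ["203.0.113.0/24", "10.20.0.0/16"],
     "service": ["auth-portal"], "action": "allow"},
    {"name": "mgmt-any", "from": ["untrust"], "source": ["198.51.100.0/24"],
     "service": ["any"], "action": "allow"},
    {"name": "deny-all", "from": ["any"], "source": ["any"], "service": ["any"], "action": "deny"},
]

# Constructed interface listing: L3 interface, its zone, and whether the attached
# interface-management profile still serves Response Pages.
INTERFACES = [
    {"name": "ethernet1/1", "zone": "untrust", "response_pages": True},
    {"name": "ethernet1/2", "zone": "trust", "response_pages": True},
    {"name": "ethernet1/3", "zone": "partner", "response_pages": False},
]


def untrusted_sources(sources):
    """Return the source entries that are not wholly inside a trusted range.
    'any' is always untrusted; bare host addresses are widened to /32."""
    flagged = []
    for src in sources:
        if src == "any":
            flagged.append(src)
            continue
        net = ip_network(src, strict=False)
        if not any(net.subnet_of(t) for t in TRUSTED_RANGES):
            flagged.append(src)
    return flagged


def touches_portal(rule):
    """A rule can reach the portal if it names a portal service or allows any service."""
    services = set(rule["service"])
    return bool(services & PORTAL_SERVICES) or "any" in services


def audit_rulebase(rulebase):
    """Return (rule name, bad zones, bad sources) for every allow rule that can
    reach the portal from a zone or source outside the trusted set."""
    findings = []
    for rule in rulebase:
        if rule["action"] != "allow" or not touches_portal(rule):
            continue
        bad_zones = [z for z in rule["from"] if z not in TRUSTED_ZONES]
        bad_sources = untrusted_sources(rule["source"])
        if bad_zones or bad_sources:
            findings.append((rule["name"], bad_zones, bad_sources))
    return findings


def exposed_response_pages(interfaces):
    """Interfaces in a non-trusted zone whose management profile still serves
    Response Pages, which the interim mitigation says should be switched off."""
    return [i["name"] for i in interfaces
            if i["response_pages"] and i["zone"] not in TRUSTED_ZONES]


if __name__ == "__main__":
    for name, zones, sources in audit_rulebase(RULEBASE):
        print(f"EXPOSED rule {name}: zones={zones} sources={sources}")
    for iface in exposed_response_pages(INTERFACES):
        print(f"Response Pages still enabled on external interface {iface}")
```

Two design points: a rule whose service is "any" is treated as reaching the portal, because a broad allow from an untrusted zone exposes the listener just as surely as a rule that names it explicitly; and a rule is flagged if either its zone or any one of its source objects falls outside the trusted set, so a mixed source list such as "203.0.113.0/24, 10.20.0.0/16" is reported for the external half rather than passing on the internal half.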

CL-STA-1132 — PAN-OS CVE-2026-0300 exploitation cluster: disclosure-to-deadline-to-deadline-expiry inside the window

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

The PAN-OS Captive Portal zero-day chain compressed an entire incident-response cycle into one ISO week.
  • 2026-05-06: Palo Alto disclosed CVE-2026-0300 (CVSS 9.3 unauthenticated root RCE); CERT-EU issued a rare Critical Advisory; CISA listed it in KEV with deadline 2026-05-09; Unit 42 attributed active exploitation since 2026-04-09 to CL-STA-1132 and characterised it as likely state-sponsored (Palo Alto PSIRT, 2026-05-06 · CERT-EU 2026-006, 2026-05-06 · Unit 42, 2026-05-06 · daily 2026-05-07 deep dive).
  • 2026-05-08: the KEV deadline was flagged as falling the next day; mitigation hardening (disable Captive Portal, restrict to internal CIDRs, Threat ID 510019) was repeated; the daily flagged that organisations had to confirm mitigation before close of business that day (daily 2026-05-08).
  • 2026-05-09: the KEV deadline expired with no patch in existence; the vendor confirmed the earliest patched builds as 10.1.14 / 10.2.12 / 11.0.5 / 11.1.4, expected 2026-05-13; Unit 42 published post-exploitation cluster framing: rogue admin account name pattern svc-health-check-[6-digit-numeric], Python tunnelling implants under /var/tmp/linuxupdate / /tmp/.c, internal reconnaissance via OSPF route-table queries; observed dwell time ~20 days from initial compromise to second-device exploitation on a tracked victim (daily 2026-05-09 UPDATE).
  • 2026-05-10: Unit 42 added EarthWorm / ReverseSocks5 tunnelling specificity (already adjacent to the prior framing; marginal delta over the cluster narrative).

The campaign-state lens a daily reader cannot see from one day: every organisation with an internet-facing PAN-OS Captive Portal that did not disable or restrict it during 2026-W19 is in the same posture in 2026-W20: still no patch, still exposed, still inside CL-STA-1132's targeting window. Retrospective log review for the svc-health-check- account pattern, anomalous outbound connections from the firewall management IP, and unexpected nginx child processes, going back to 2026-04-09, is the highest-priority hunting action for the new week. ATT&CK profile: T1190, T1055, T1003, T1572, T1018 Remote System Discovery.

Mandiant M-Trends 2026

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

M-Trends 2026 (published 2026-03-23, first covered 2026-05-07) reinforces three cross-cutting trends visible in this week's incidents: voice phishing surged to the second most prevalent initial-access vector at 11% (overtaking email phishing at 6%), driven by IT help-desk impersonation and SaaS OAuth token theft, and directly evidenced this week in the ADT vishing → Okta SSO → Salesforce pivot and in MuddyWater's Teams external-access helpdesk pretext (§ 7); ransomware initial access via prior compromise doubled to 30%, implicit in the access-broker / ransomware-affiliate model behind Akira, Embargo, and Qilin's targeting of European victims; and edge-device persistence on VPNs, routers, and network appliances without EDR coverage remains the dominant initial-access technique for state-sponsored espionage, directly mirrored in CL-STA-1132's PAN-OS exploitation and in Ivanti EPMM's named EU victims. The reframe that IOCTA does not give but M-Trends does: global median dwell time has increased to 14 days (up from 11 in 2024) and espionage-focused intrusions show a 122-day median dwell, i.e. when the Ivanti EPMM and PAN-OS post-compromise hunting horizons land on retrospective log review back to March/April, that horizon is consistent with Mandiant's observed espionage dwell envelope. (Google Cloud / Mandiant M-Trends 2026, 2026-03-23; daily 2026-05-07).

CL-STA-1132 (PAN-OS CVE-2026-0300 exploitation cluster, likely state-sponsored)

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

Current state: actively in-the-wild against internet-facing PAN-OS PA-Series / VM-Series firewalls since approximately 2026-04-09; the KEV deadline (2026-05-09) expired with no patch available and the staged patch window runs 2026-05-13 → 2026-05-28. Post-exploitation tradecraft per Unit 42 and the daily 2026-05-09 UPDATE is consistent: shellcode injection into nginx worker processes, EarthWorm / ReverseSocks5 tunnelling, Python implants under /var/tmp/linuxupdate and /tmp/.c; the daily UPDATE additionally records rogue admin accounts named svc-health-check-[6-digit-numeric], PAN-OS credential-store theft, and internal reconnaissance via OSPF route-table queries alongside Active Directory enumeration. Unit 42's 2026-05-08 update added explicit EarthWorm / ReverseSocks5 framing to the cluster (covered as marginal delta in the 2026-05-10 daily). Outstanding question for defenders into 2026-W20: with patches landing 2026-05-13 → 2026-05-28, the at-risk window remains open into next week's reporting, and retrospective log review for the svc-health-check- pattern across the 2026-04-09 → present period is the highest-priority hunt action. (Daily references: 2026-05-07 deep dive · 2026-05-09 UPDATE.)

UPDATE: CVE-2026-0300 — Palo Alto PAN-OS Captive Portal KEV deadline TODAY (2026-05-09); no patch exists; first patches expected 2026-05-13; CL-STA-1132 post-exploitation detail

From CTI Daily Brief — 2026-05-09 · published 2026-05-09

UPDATE (originally covered 2026-05-07):

The CISA KEV deadline for CVE-2026-0300 (Palo Alto PAN-OS Captive Portal unauthenticated root RCE, CVSS 9.3) is today, 2026-05-09. Palo Alto Networks has not yet released a fixed PAN-OS build; the vendor statement from 2026-05-08 confirmed the earliest expected maintenance release containing a code fix is PAN-OS 10.1.14 / 10.2.12 / 11.0.5 / 11.1.4, expected 2026-05-13. Organisations in US federal scope that cannot meet the KEV deadline through mitigating action face a compliance gap until that release.

Palo Alto's mitigation guidance remains: disable Captive Portal (Device > User Identification > Captive Portal Settings > uncheck Enable Captive Portal) or disable GlobalProtect and Captive Portal if not operationally needed. Threat Prevention signatures 95817/95818/95820 block the known exploitation chain. PA-Series hardware appliances running content update < 8765-9032 are not covered by the signatures.

Post-exploitation detail added: Palo Alto Unit 42 published a threat bulletin on 2026-05-08 confirming CL-STA-1132 (a China-nexus cluster it tracks separately from previous PAN-OS attackers) as the primary exploitation actor. Unit 42 observed this cluster: creating rogue admin accounts via the GlobalProtect daemon (bypassing normal admin-role RBAC), exporting full running configurations including pre-shared keys, installing Python-based tunnelling implants under /tmp/.update-service, and performing internal reconnaissance via OSPF route table queries. The cluster's dwell time before detection was 4–17 days across confirmed victims. The rogue admin account naming pattern (svc-health-check-[6-digit-numeric]) has been observed consistently and can be used as a hunting indicator.
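The svc-health-check-[6-digit-numeric] hunting indicator above, together with the implant paths, the nginx process-tree anomaly and the "anomalous outbound from the firewall management IP" artefact cited in the W19 items earlier on this page, can be folded into one retrospective sweep scoped to the 2026-04-09 onward window. The script below is an added example and is not code from this page, Unit 42 or Palo Alto Networks. Its four input formats (a CSV admin listing, a file listing, a ps-style process table, and key=value traffic-log lines), the management-plane address 10.0.0.1, the internal ranges and every sample line are constructed assumptions that have to be mapped onto your own PAN-OS exports; the implant path list simply unions every path the briefs on this page cite across their updates, since the daily items disagree on the exact directory.

```python
"""Retrospective hunt for the CL-STA-1132 artefact set cited on this page.

Added example; not code from ctipilot.ch, Unit 42 or Palo Alto Networks.
All input formats and sample lines below are constructed for illustration and
are not the native PAN-OS CLI or log formats: adapt each parser to your own
`show admins`, file-system, process and traffic-log exports.
"""
import re
from datetime import date
from ipaddress import ip_address, ip_network

HUNT_START = date(2026, 4, 9)                 # first observed exploitation per Unit 42
ROGUE_ADMIN = re.compile(r"^svc-health-check-\d{6}$")   # pattern from the 2026-05-09 UPDATE
IMPLANT_PATHS = {"/var/tmp/linuxupdate", "/var/tmp/linuxap", "/tmp/.c", "/tmp/.update-service"}
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MGMT_IP = ip_address("10.0.0.1")              # constructed management-plane address

# Constructed samples (not real PAN-OS output).
ADMINS = """name,role,created
admin,superuser,2024-01-10
svc-health-check-004821,superuser,2026-04-22
noc-readonly,auditor,2025-11-03
svc-health-check,superuser,2023-05-01
"""
FILES = """/var/tmp/linuxupdate 2026-04-23 python-script
/tmp/.c 2026-04-23 python-script
/var/tmp/cache.db 2026-03-01 data
/opt/pancfg/mgmt/saved-configs/backup.xml 2026-02-01 xml
"""
PROCS = """PID PPID USER CMD
1201 1 root nginx: master process
1305 1201 nobody nginx: worker process
1306 1201 nobody nginx: worker process
2210 1305 nobody /usr/bin/python3 /var/tmp/linuxupdate
2300 1 root /usr/local/bin/pan_logdb
"""
TRAFFIC = """2026-04-05 09:12:00 src=10.0.0.1 dst=10.0.5.20 dport=514 action=allow
2026-04-24 02:17:43 src=10.0.0.1 dst=203.0.113.77 dport=443 action=allow
2026-04-24 02:18:01 src=10.0.0.1 dst=198.51.100.9 dport=1080 action=allow
2026-05-01 10:00:00 src=10.0.3.4 dst=203.0.113.77 dport=443 action=allow
"""


def rogue_admins(csv_text):
    """(name, created) for every admin whose name matches the rogue pattern.
    The pattern requires exactly six digits, so the legitimate-looking
    'svc-health-check' without a suffix is not matched."""
    rows = [line.split(",") for line in csv_text.strip().splitlines()[1:]]
    return [(name, created) for name, _role, created in rows if ROGUE_ADMIN.match(name)]


def implant_files(listing):
    """Paths in a file listing that coincide with the cited implant locations."""
    return [line.split()[0] for line in listing.strip().splitlines()
            if line.split()[0] in IMPLANT_PATHS]


def nginx_spawned(ps_text):
    """Commands whose parent is an nginx worker. Workers normally spawn nothing,
    so any child is a candidate for the injected-shellcode stage; baseline your
    own appliances before treating every hit as malicious."""
    procs = {}
    for line in ps_text.strip().splitlines()[1:]:
        pid, ppid, _user, cmd = line.split(None, 3)
        procs[int(pid)] = (int(ppid), cmd)
    workers = {pid for pid, (_ppid, cmd) in procs.items() if cmd.startswith("nginx: worker")}
    return [cmd for _pid, (ppid, cmd) in procs.items() if ppid in workers]


def mgmt_egress(log_text):
    """Traffic-log lines since HUNT_START where the management IP is the source
    and the destination is outside the internal ranges (tunnel endpoints are
    attacker-chosen, so no port filter is applied)."""
    hits = []
    for line in log_text.strip().splitlines():
        parts = line.split()
        day = date.fromisoformat(parts[0])
        fields = dict(f.split("=", 1) for f in parts[2:])
        src, dst = ip_address(fields["src"]), ip_address(fields["dst"])
        if day >= HUNT_START and src == MGMT_IP and not any(dst in n for n in INTERNAL):
            hits.append(line)
    return hits


def hunt():
    """Run every check over the constructed samples and return the findings."""
    return {"rogue_admins": rogue_admins(ADMINS), "implants": implant_files(FILES),
            "nginx_children": nginx_spawned(PROCS), "mgmt_egress": mgmt_egress(TRAFFIC)}


if __name__ == "__main__":
    for check, result in hunt().items():
        print(f"{check}: {result if result else 'no hits'}")
```

The admin check deliberately does not filter on creation date: the page gives the name pattern as the indicator, and an account matching it is worth examining whatever its timestamp says. The egress check does use the date window, because management-plane traffic to external addresses before 2026-04-09 falls outside the exploitation window the briefs describe and would only add noise to the review.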