ctipilot.ch · Switzerland · Europe · Public sector

CL-STA-1132 — likely state-sponsored exploitation cluster for CVE-2026-0300 (PAN-OS)

campaign · campaign:CL-STA-1132

  • Coverage timeline: 1 (first 2026-05-07 → last 2026-05-07)
  • Briefs: 1 (1 distinct)
  • Sources cited: 6 (6 hosts)
  • Sections touched: 1 (active_vulns)
  • Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-07 · CTI Daily Brief — 2026-05-07
    active_vulns · First coverage. Unit 42 tracking cluster; exploitation began 2026-04-09; post-exploitation includes nginx injection, credential theft, EarthWorm/ReverseSocks5 tunneling, AD enumeration; medium confidence state-sponsored attribution.

Where this entity is cited

  • active_vulns: 1

Source distribution

  • cisa.gov: 1 (17%)
  • security.paloaltonetworks.com: 1 (17%)
  • attack.mitre.org: 1 (17%)
  • cert.europa.eu: 1 (17%)
  • cert.ssi.gouv.fr: 1 (17%)
  • unit42.paloaltonetworks.com: 1 (17%)

Items in briefs about CL-STA-1132 — likely state-sponsored exploitation cluster for CVE-2026-0300 (PAN-OS) (1)

UPDATE: CVE-2026-0300 — Palo Alto PAN-OS Captive Portal KEV deadline TODAY (2026-05-09); no patch exists; first patches expected 2026-05-13; CL-STA-1132 post-exploitation detail

From CTI Daily Brief — 2026-05-09 · published 2026-05-10

UPDATE (originally covered 2026-05-07):

The CISA KEV deadline for CVE-2026-0300 (Palo Alto PAN-OS Captive Portal unauthenticated root RCE, CVSS 9.3) is today, 2026-05-09. Palo Alto Networks has not yet released a firmware patch; the vendor statement from 2026-05-08 confirmed the earliest expected maintenance release containing a code fix is PAN-OS 10.1.14 / 10.2.12 / 11.0.5 / 11.1.4, expected 2026-05-13. Organisations in US federal scope that cannot meet the KEV deadline through mitigating action face a compliance gap until that release.

Palo Alto's mitigation guidance remains: disable Captive Portal (Device > User Identification > Captive Portal Settings > uncheck Enable Captive Portal) or disable GlobalProtect and Captive Portal if not operationally needed. Threat Prevention signatures 95817/95818/95820 block the known exploitation chain. PA-Series hardware appliances running content update < 8765-9032 are not covered by the signatures.

Post-exploitation detail added: Palo Alto Unit 42 published a threat bulletin on 2026-05-08 confirming CL-STA-1132 (a China-nexus cluster it tracks separately from previous PAN-OS attackers) as the primary exploitation actor. Unit 42 observed this cluster: creating rogue admin accounts via the GlobalProtect daemon (bypassing normal admin-role RBAC), exporting full running configurations including pre-shared keys, installing Python-based tunnelling implants under /tmp/.update-service, and performing internal reconnaissance via OSPF route table queries. The cluster's dwell time before detection was 4–17 days across confirmed victims. The rogue admin account naming pattern (svc-health-check-[6-digit-numeric]) has been observed consistently and can be used as a hunting indicator.
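One way to turn the two host-level indicators above (the rogue admin naming pattern and the implant directory) into a repeatable hunt is sketched here. This is an added example, not Unit 42's or Palo Alto's code; the admin list and file listing are constructed sample data, not real device output, and how you export those lists from a device is left to the operator.

```python
import re
from typing import Iterable

# Hunting indicator from the Unit 42 bulletin: admin accounts named
# svc-health-check-<6 digits>. Anchored so 5- or 7-digit variants don't match.
ROGUE_ADMIN_RE = re.compile(r"^svc-health-check-\d{6}$")

# Implant drop location reported for CL-STA-1132 post-exploitation.
IMPLANT_DIR = "/tmp/.update-service"


def find_rogue_admins(account_names: Iterable[str]) -> list[str]:
    """Return admin account names matching the CL-STA-1132 naming pattern."""
    return sorted({n.strip() for n in account_names if ROGUE_ADMIN_RE.match(n.strip())})


def find_implant_paths(paths: Iterable[str]) -> list[str]:
    """Return paths that are the implant directory or live beneath it.

    Note the dotfile: /tmp/update-service (no dot) is deliberately NOT matched.
    """
    return sorted({p for p in paths
                   if p == IMPLANT_DIR or p.startswith(IMPLANT_DIR + "/")})


def hunt(account_names: Iterable[str], paths: Iterable[str]) -> dict:
    """Run both checks and return the hits as one result for a ticket or SIEM."""
    return {"rogue_admins": find_rogue_admins(account_names),
            "implant_paths": find_implant_paths(paths)}


# Constructed sample data (hypothetical, not real telemetry).
SAMPLE_ADMINS = ["admin", "svc-health-check-483920", "svc-health-check-12345",
                 "netops", "svc-health-check-000001", "svc-health-check-4839201"]
SAMPLE_PATHS = ["/tmp/.update-service/agent.py", "/tmp/update-service",
                "/opt/pancfg/mgmt/ssl", "/tmp/.update-service"]

if __name__ == "__main__":
    print(hunt(SAMPLE_ADMINS, SAMPLE_PATHS))
```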