CL-STA-1132 Weaponizes PAN-OS RCE for Silent Root-Level Takeovers

Nation-state threat actors are increasingly targeting network edge infrastructure, particularly firewalls and authentication portals, to achieve stealthy, high-impact compromises. Recent intelligence from Palo Alto Networks Unit 42 and public reporting describes how a suspected state-sponsored cluster, CL-STA-1132, has actively exploited a critical PAN-OS zero-day vulnerability to gain unauthenticated root-level access and maintain covert persistence.

This campaign reflects a broader trend in modern cyber operations: compromising edge devices with minimal noise by combining zero-day exploitation with stealth-focused post-exploitation techniques, which enables long-term espionage and lateral movement.


Background on CL-STA-1132 Activity

CL-STA-1132 is a likely state-sponsored threat cluster tracked by Unit 42, engaged in targeted exploitation of high-value infrastructure.

Unlike traditional opportunistic attacks, this campaign emphasizes:

  • Stealth-driven intrusion techniques
  • Use of zero-day exploits for initial access
  • Rapid log evasion and forensic cleanup
  • Reliance on open-source tooling instead of custom malware

The activity aligns with broader nation-state espionage operations, where attackers prioritize long-term access and intelligence collection over immediate disruption.

This campaign demonstrates a highly targeted and controlled exploitation effort focused on enterprise perimeter defenses.

Primary Targets

  • Enterprise environments using Palo Alto PAN-OS firewalls
  • Organizations with internet-exposed Captive Portal (User-ID Authentication Portal)
  • Critical infrastructure and enterprise networks relying on perimeter security devices

Vulnerability Details

CVE-2026-0300

  • Vulnerability: Unauthenticated Remote Code Execution (Pre-Auth) – Buffer Overflow
  • CVSS Score: 9.3 (Critical)
  • EPSS Score: 5.29%
  • Affected Products: Palo Alto Networks PAN-OS
  • Affected Versions:
    • PAN-OS 12.1: <12.1.4-h5, <12.1.7.
    • PAN-OS 11.2: <11.2.4-h17, <11.2.7-h13, <11.2.10-h6, <11.2.12.
    • PAN-OS 11.1: <11.1.4-h33, <11.1.6-h32, <11.1.7-h6, <11.1.10-h25, <11.1.13-h5, <11.1.15.
    • PAN-OS 10.2: <10.2.7-h34, <10.2.10-h36, <10.2.13-h21, <10.2.16-h7, <10.2.18-h6.
  • Patch: Apply vendor patches as soon as they are available (the issue will be fixed in upcoming PAN-OS releases)
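The affected-version list above mixes hotfix thresholds (for example, 11.2.10 is fixed from h6 onwards) with base-release thresholds (11.2.12 and later). The following checker is an added example, not code from the advisory or from Palo Alto Networks, that encodes that reading of the list: a version is treated as fixed if its maintenance line has a listed hotfix and the hotfix number is at or above it, or if the branch has a listed base fix release and the version is at or above that release; anything else in a listed branch is conservatively reported as vulnerable (including later 10.2.x releases that the list does not name), and branches the advisory does not mention are reported as not listed. The interpretation of the list and the `assess_version`/`assess_inventory` helper names are this example's own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases exactly as listed in the advisory for CVE-2026-0300.
# Each entry is the first release on its line that carries the fix.
FIXED_RELEASES: Dict[str, List[str]] = {
    "12.1": ["12.1.4-h5", "12.1.7"],
    "11.2": ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25",
             "11.1.13-h5", "11.1.15"],
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7",
             "10.2.18-h6"],
}

# PAN-OS version strings look like "11.2.4-h17" or "12.1.7"; the "-hN" suffix
# is the hotfix number and is absent on a base maintenance release.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch[-hN]' into (major, minor, patch, hotfix)."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, patch, hotfix = match.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def assess_version(text: str) -> str:
    """Return 'fixed', 'vulnerable' or 'not-listed' for CVE-2026-0300.

    Assumption (this example's reading of the advisory): a hotfix entry such as
    11.2.10-h6 fixes only the 11.2.10 line, while a base entry such as 11.2.12
    fixes that release and everything after it in the branch. A release in a
    listed branch that matches neither rule is reported as vulnerable.
    """
    major, minor, patch, hotfix = parse_version(text)
    branch = f"{major}.{minor}"
    if branch not in FIXED_RELEASES:
        return "not-listed"
    for fix in FIXED_RELEASES[branch]:
        _, _, fix_patch, fix_hotfix = parse_version(fix)
        if fix_hotfix:
            # Hotfix line: fixed once the hotfix number reaches the listed one.
            if patch == fix_patch and hotfix >= fix_hotfix:
                return "fixed"
        elif patch >= fix_patch:
            # Base release: fixed from that maintenance release onwards.
            return "fixed"
    return "vulnerable"


def assess_inventory(versions: List[str]) -> Dict[str, str]:
    """Assess every version string from a firewall inventory export."""
    return {v: assess_version(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory; not real device data.
    sample = ["12.1.4-h3", "12.1.4-h5", "11.2.10-h5", "11.2.12", "10.2.19", "10.1.1"]
    for version, status in assess_inventory(sample).items():
        print(f"{version:<12} {status}")
```

Feed it the PAN-OS version column of a device inventory export; anything reported as vulnerable or not listed should be cross-checked against the vendor advisory, since the list on this page describes planned fixes and may change.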

Tactics and Techniques

  • TA0001 – Initial Access: Exploitation of public-facing Captive Portal via crafted packets
  • TA0002 – Execution: Shellcode execution within nginx worker process
  • TA0006 – Credential Access: Extraction of credentials via compromised firewall
  • TA0008 – Lateral Movement: Use of stolen credentials to access internal systems
  • TA0040 – Impact Avoidance (Defense Evasion): Systematic log deletion and crash artifact cleanup

Indicators of Compromise (IOCs)

Network Indicators

  • 67.206.213[.]86
  • 136.0.8[.]48
  • 146.70.100[.]69 (C2 Staging)
  • 149.104.66[.]84
  • hxxp[:]//146.70.100[.]69:8000/php_sess (EarthWorm Download)
  • hxxps[:]//github[.]com/Acebond/ReverseSocks5/releases/download/v2.2.0/ReverseSocks5-v2.2.0-linux-amd64.tar[.]gz (ReverseSocks5 Download)

Malware / Impact Indicators

  • EarthWorm tunneling tool (SHA256):
    e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584
  • ReverseSocks5 tunneling tool deployment

Infection Method

Initial Access

Attackers exploited the PAN-OS Captive Portal vulnerability (CVE-2026-0300) by sending specially crafted network packets to internet-exposed firewalls. No authentication was required, making this a pre-auth remote exploit.


Exploitation

Successful exploitation allowed attackers to:

  • Execute arbitrary commands as root
  • Inject shellcode into firewall processes
  • Gain full control over the affected device

Payload Delivery

  • Rather than deploying heavy malware, the attackers used two open-source tunneling tools: EarthWorm (network tunneling) and ReverseSocks5 (reverse SOCKS5 proxy)
  • This approach reduced the forensic footprint and blended the activity with legitimate system behavior

Execution & Persistence

Persistence was achieved through:

  • Continued control of compromised firewall
  • Use of legitimate services and credentials
  • Avoidance of traditional persistence artifacts

Attackers avoided disk-based malware, relying instead on:

  • Memory-based execution
  • Native system capabilities

Command and Control (C2)

  • Communication occurred through compromised firewall interfaces
  • Leveraged tunneling tools for internal pivoting
  • Used authenticated sessions to maintain control

Attack Flow

Initial Access (PAN-OS CVE-2026-0300 exploitation) -> Root-Level Exploitation (command execution & shellcode injection) -> Payload Delivery (EarthWorm, ReverseSocks5) -> Execution & Persistence (memory-based, legitimate access) -> Command and Control (firewall abuse and tunneling)


Mitigation Steps

  • Restrict access to Captive Portal (trusted IPs only)
  • Disable the portal if not required
  • Apply vendor patches as soon as available
  • Monitor for unusual firewall-originated traffic
  • Enable advanced threat detection signatures
  • Audit firewall configurations and exposure
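The indicators listed under "Indicators of Compromise" and the "Monitor for unusual firewall-originated traffic" step above can be turned into a small detection pass over exported logs. The script below is an added example, not code from the advisory or from Palo Alto Networks: it refangs the published indicators, then scans log lines for matches on the C2 addresses, the download URLs and the EarthWorm SHA256, and separately flags any connection whose source is the firewall's own management address and whose destination is not on an expected list (DNS, syslog). The `key=value` log format, the management address `10.0.0.1`, the expected-destination list and the sample lines are all constructed for this example; real PAN-OS traffic logs use a different layout and would need their own parser.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators exactly as published in the advisory (defanged form).
DEFANGED_IPS = ["67.206.213[.]86", "136.0.8[.]48", "146.70.100[.]69", "149.104.66[.]84"]
DEFANGED_URLS = [
    "hxxp[:]//146.70.100[.]69:8000/php_sess",
    "hxxps[:]//github[.]com/Acebond/ReverseSocks5/releases/download/v2.2.0/"
    "ReverseSocks5-v2.2.0-linux-amd64.tar[.]gz",
]
KNOWN_HASHES = {
    "e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584": "EarthWorm",
}

# Constructed for this example: the firewall's management address and the
# destinations it is expected to talk to on its own (DNS and syslog collectors).
FIREWALL_MGMT_IPS = {"10.0.0.1"}
EXPECTED_FIREWALL_DESTS = {"10.0.0.53", "10.0.0.100"}

_KV_RE = re.compile(r"(\w+)=(\S+)")


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp, [.] and [:]) back into its literal form."""
    literal = indicator.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", literal)


def parse_line(line: str) -> Dict[str, str]:
    """Parse the constructed 'key=value' log format into a dict."""
    return dict(_KV_RE.findall(line))


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


def scan_logs(lines: List[str]) -> List[Finding]:
    """Match each line against the IOCs and the firewall-egress rule."""
    ioc_ips = {refang(ip) for ip in DEFANGED_IPS}
    ioc_urls = {refang(url) for url in DEFANGED_URLS}
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, 1):
        fields = parse_line(line)
        src, dst = fields.get("src"), fields.get("dst")
        if dst in ioc_ips:
            findings.append(Finding(line_no, "ioc-ip", dst))
        url = fields.get("url")
        if url and url in ioc_urls:
            findings.append(Finding(line_no, "ioc-url", url))
        digest = fields.get("sha256", "").lower()
        if digest in KNOWN_HASHES:
            findings.append(Finding(line_no, "ioc-hash", KNOWN_HASHES[digest]))
        # Traffic originated by the firewall itself toward an unexpected host:
        # the behaviour the advisory describes for tunnel staging and C2.
        if src in FIREWALL_MGMT_IPS and dst not in EXPECTED_FIREWALL_DESTS:
            findings.append(Finding(line_no, "firewall-egress",
                                    f"{src} -> {dst}:{fields.get('dport')}"))
    return findings


# Constructed sample log lines; not captured from any real device.
SAMPLE_LOGS = [
    "2026-03-01T02:14:07Z fw-edge-01 src=10.0.0.1 dst=10.0.0.53 dport=53 proto=udp",
    "2026-03-01T02:14:09Z fw-edge-01 src=10.0.0.1 dst=146.70.100.69 dport=8000 "
    "proto=tcp url=http://146.70.100.69:8000/php_sess",
    "2026-03-01T02:14:12Z fw-edge-01 src=10.0.0.1 dst=10.0.0.100 dport=514 proto=udp",
    "2026-03-01T02:15:30Z fw-edge-01 src=10.0.0.1 dst=149.104.66.84 dport=443 proto=tcp",
    "2026-03-01T02:16:02Z fw-edge-01 file=php_sess "
    "sha256=e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584",
    "2026-03-01T02:20:45Z fw-edge-01 src=192.168.5.20 dst=8.8.8.8 dport=53 proto=udp",
]

if __name__ == "__main__":
    for finding in scan_logs(SAMPLE_LOGS):
        print(f"line {finding.line_no}: {finding.rule} ({finding.detail})")
```

The firewall-egress rule is the one worth tuning: populate `EXPECTED_FIREWALL_DESTS` from the update, licensing, DNS, NTP and logging hosts the device legitimately contacts, so that a management-plane connection to anything else (such as a tunnel endpoint on port 8000) stands out even when the destination is not yet on any indicator list.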

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.