TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Palo Alto Unit 42

Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution

Justin Moore and Unit 42 · 7 hours ago

ATT&CK techniques detected (11 predictions)

- T1190 Exploit Public-Facing Application (99%): "Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution. Executive summary: On May 6, 2026, Palo Alto Networks released a security advisory for CVE-2026-0300, identifying a buffer overflow vulnerability in the User-ID™ authe…"
- T1190 Exploit Public-Facing Application (93%): "deployment of publicly available tunneling tools (Earthworm, ReverseSocks5), Active Directory enumeration using credentials likely obtained from the firewall, and the systematic destruction of logs and other evidence of compromise. Palo Alto Networks Cortex Xpanse can identify …"
- T1572 Protocol Tunneling (92%): "deleted the setuserid (SUID) privilege escalation binary. On April 29, 2026, the attackers conducted a Security Assertion Markup Language (SAML) flood against the previously targeted device, which promoted a second device to active, inheriting the same internet-facing traff…"
- T1190 Exploit Public-Facing Application (91%): "…disable response pages in the interface management profile attached to every L3 interface in any zone where untrusted/internet traffic can ingress. Keep response pages enabled only on interfaces in trust/internal zones where legitimate users' browsers ingress. Refer to step …"
- T1572 Protocol Tunneling (91%): "T1090). - Chains multiple transfer modes to create multi-hop cascaded network tunnels (T1572). - Encapsulates traffic for protocols like RDP and SSH within SOCKS tunnels (T1572). Earthworm has reportedly been used by the threat actor behind CL-STA-0046, Volt Typhoon, U…"
- T1190 Exploit Public-Facing Application (90%): "help block attacks for this vulnerability by enabling Threat ID 510019 from Applications and Threats content version 9097-10022. Decoder capabilities necessitate PAN-OS 11.1 or a later version for Threat ID support. Cloud-Delivered Security Services for the Next-Generati…"
- T1068 Exploitation for Privilege Escalation (87%): "to the public internet or untrusted networks. Adhering to best practice guidelines by restricting User-ID authentication portal access exclusively to trusted internal IP addresses and ensuring the portal is not publicly reachable will greatly mitigate this risk. Current scope o…"
- T1190 Exploit Public-Facing Application (85%): "…unauthenticated remote code execution. Palo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against this threat. If you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Re…"
- T1105 Ingress Tool Transfer (52%): "/v2.2.0/reversesocks5-v2.2.0-linux-amd64.tar[.]gz (ReverseSocks5 download) - e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584 (Earthworm) - Safari/532.31 Mozilla/5.5 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like …"
- T1090.001 Internal Proxy (51%): "deleted the setuserid (SUID) privilege escalation binary. On April 29, 2026, the attackers conducted a Security Assertion Markup Language (SAML) flood against the previously targeted device, which promoted a second device to active, inheriting the same internet-facing traff…"
- T1090.001 Internal Proxy (43%): "T1090). - Chains multiple transfer modes to create multi-hop cascaded network tunnels (T1572). - Encapsulates traffic for protocols like RDP and SSH within SOCKS tunnels (T1572). Earthworm has reportedly been used by the threat actor behind CL-STA-0046, Volt Typhoon, U…"

Summary

Unit 42 details CVE-2026-0300, a buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal. Read now for details.

The post Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution appeared first on Unit 42.