Attackers chained PAN-OS flaws to seize Palo Alto firewalls and deploy malware
Threat actors exploited internet-exposed Palo Alto Networks PAN-OS management interfaces by chaining CVE-2024-0012 and CVE-2024-9474, a combination that enabled authentication bypass followed by privilege escalation to run arbitrary commands as root on affected firewall devices. Security reporting described a surge in exploitation after public disclosure, with campaigns targeting exposed firewalls and quickly moving from initial access to hands-on post-compromise activity.
Investigators observed attackers validating exploitation with OAST domains, retrieving payloads with tools such as curl and wget, and establishing Sliver command-and-control. Follow-on activity included downloads of ELF, shell script, and PHP payloads, persistence through cron jobs and web shells, suspicious TLS traffic without SNI, use of uncommon ports, reconnaissance, lateral movement, and cryptomining tied to infrastructure including herominers and xmrig. One repeatedly downloaded payload, /palofd from 38.180.147[.]18 with SHA1 90f6890fa94b25fbf4d5c49f1ea354a023e06510, was linked by open-source reporting to Spectre RAT, indicating that compromised perimeter devices were being used for broader intrusion activity rather than simple opportunistic exploitation.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Public exploit repository appears for CVE-2025-0133
A GitHub repository titled for CVE-2025-0133 was published, indicating public exploit-related material had become available for that vulnerability.
Darktrace publishes retrospective on Operation Lunar Peek activity
Darktrace released its analysis of Operation Lunar Peek, summarizing the late-November 2024 exploitation wave against Palo Alto firewalls and the broader post-exploitation behaviors it observed.
Arctic Wolf reports a threat campaign targeting Palo Alto firewall devices
Arctic Wolf published a report describing a threat campaign targeting Palo Alto Networks firewall devices, corroborating active exploitation activity around the PAN-OS issue set.
Attackers deploy payloads, Sliver C2, and cryptomining after PAN-OS compromise
Post-compromise activity included exploit validation via OAST domains, payload retrieval with curl and Wget, Sliver command-and-control traffic, downloads of ELF, shell script, and PHP payloads, and in some cases reconnaissance, lateral movement, persistence, and cryptomining. One repeatedly downloaded payload, /palofd from 38.180.147[.]18, was associated by OSINT sources with Spectre RAT.
Threat actors begin exploiting exposed Palo Alto firewalls at scale
In late November 2024, Darktrace observed a spike in exploitation and post-exploitation activity targeting internet-exposed Palo Alto PAN-OS firewall devices following disclosure of CVE-2024-0012 and CVE-2024-9474.
Palo Alto PAN-OS flaws CVE-2024-0012 and CVE-2024-9474 are disclosed
CVE-2024-0012 and CVE-2024-9474 were publicly disclosed as PAN-OS vulnerabilities. Darktrace later described them as an authentication bypass in the management interface and a privilege escalation flaw that could be chained for root command execution on affected firewalls.
Palo Alto discloses CVE-2020-2034 PAN-OS command injection flaw
Palo Alto Networks published a product advisory for CVE-2020-2034, an OS command injection vulnerability affecting the PAN-OS GlobalProtect portal.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Darktrace’s view on Operation Lunar Peek: Exploitation of Palo Alto firewall devices (CVE 2024-0012 and 2024-9474)
darktrace.com
Open sourceGitHub - adhamelhansye/CVE-2025-0133: CVE-2025-0133 Exploit · GitHub
github.com
Open sourceArctic Wolf Observes Threat Campaign Targeting Palo Alto Networks Firewall Devices - Arctic Wolf
arcticwolf.com
Open sourceCVE-2020-2034 PAN-OS: OS command injection vulnerability in GlobalProtect portal
security.paloaltonetworks.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Exploited PAN-OS Captive Portal Flaw Gives Attackers Root on Exposed Firewalls
Palo Alto Networks disclosed **CVE-2026-0300**, a critical `CWE-787` buffer overflow in the PAN-OS User-ID Authentication Portal (Captive Portal) that allows **unauthenticated remote code execution as root** on affected **PA-Series** and **VM-Series** firewalls. The flaw carries a **CVSS v4 score of 9.3** when the portal is exposed to untrusted networks or the public internet, and Palo Alto confirmed limited in-the-wild exploitation against exposed portals. Affected versions span PAN-OS 10.2, 11.1, 11.2, and 12.1, while **Prisma Access, Cloud NGFW, and Panorama are not affected**. With patches not immediately available at disclosure, Palo Alto said fixed releases would begin rolling out between May 13 and May 28 and urged customers to restrict portal access to trusted internal zones or disable the feature entirely; the company also released a Threat Prevention Signature for PAN-OS 11.1 and later. U.S. **CISA** added the vulnerability to its **Known Exploited Vulnerabilities** catalog and ordered federal civilian agencies to remediate by the mandated deadline, while other national and regional cyber authorities issued parallel alerts. Palo Alto Unit 42 and multiple reports linked the activity to a likely state-sponsored cluster tracked as **CL-STA-1132**, which reportedly probed targets for weeks, injected shellcode into an `nginx` worker process, deleted crash artifacts and logs, enumerated Active Directory through firewall-linked service accounts, and used **EarthWorm** and **ReverseSocks5** tunnels for command and control and lateral movement. Researchers warned that thousands of internet-exposed PAN-OS instances remain reachable, making perimeter firewalls with exposed Captive Portal services high-priority compromise candidates.
Jun 8, 2026Critical PAN-OS Captive Portal Flaw Let Attackers Gain Root on Firewalls
Palo Alto Networks disclosed **CVE-2026-0300**, a critical `CWE-787` out-of-bounds write in the PAN-OS User-ID Authentication Portal, also known as the Captive Portal, that allows an unauthenticated attacker to achieve remote code execution as **root** on affected **PA-Series** and **VM-Series** firewalls. The flaw was reported as actively exploited in the wild and added to CISA's **Known Exploited Vulnerabilities** catalog, with exploitation observed against portals reachable from untrusted networks or the public internet. Palo Alto said **Prisma Access**, **Cloud NGFW**, and **Panorama** are not affected, while vulnerable PAN-OS branches included 10.2, 11.1, 11.2, and 12.1 below fixed releases. Reporting on observed intrusions said attackers used the firewall access for shellcode injection into `nginx` worker processes, credential extraction, Active Directory enumeration, outbound tunneling with tools such as **EarthWorm** and **ReverseSocks5**, internal pivoting, and anti-forensic log cleanup. Palo Alto began releasing patches in staged waves and urged defenders to disable the Captive Portal if unused or restrict it to trusted IPs and zones, enable available threat-prevention signatures, and treat previously exposed devices as potentially fully compromised by auditing configurations, checking admin accounts and SSH keys, rotating credentials, and monitoring for persistence or suspicious outbound connections.
May 25, 2026
Palo Alto PAN-OS Flaws Enable Root Command Execution, Privilege Escalation, and DoS
Palo Alto Networks disclosed and patched multiple vulnerabilities in **PAN-OS** affecting **PA-Series**, **VM-Series**, and **Panorama**, including `CVE-2026-0273`, an authenticated administrator command injection flaw in the **CLI** and **web management interface** that can allow arbitrary commands to run as **root**. The vendor also fixed `CVE-2026-0272`, an authenticated **CLI privilege escalation** issue, and `CVE-2026-0266`, a **stored XSS** vulnerability in the web interface. A separate issue, `CVE-2026-0269`, can trigger a **denial of service** through crafted tunnel traffic and repeatedly reboot affected firewalls, potentially forcing them into maintenance mode. Affected versions span supported **PAN-OS 12.1, 11.2, 11.1, and 10.2** release trains, while **Cloud NGFW** and **Prisma Access** were reported as unaffected. Palo Alto Networks said it was not aware of active exploitation at disclosure time and urged customers to upgrade promptly, restrict management access to trusted internal IPs, limit CLI exposure, and use hardened jump boxes; for `CVE-2026-0273`, organizations with **Threat Prevention** can also enable dedicated **Threat IDs** to help block exploit attempts when management traffic is inspectable and decrypted.
Jun 12, 2026