{
  "Event": {
    "analysis": "1",
    "date": "2026-05-06",
    "extends_uuid": "",
    "info": "[Threat Intel] Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution",
    "protected": false,
    "publish_timestamp": "1779546825",
    "published": true,
    "threat_level_id": "1",
    "timestamp": "1779546825",
    "uuid": "8e814525-08af-4e45-a9b3-9402b98b3e88",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#0afe32",
        "local": false,
        "name": "misp-galaxy:producer=\"Palo Alto\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#790faf",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Direct Network Flood - T1498.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Domain Account - T1087.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#aad818",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"SSH - T1021.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#ff841f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Application Layer Protocol - T1071\"",
        "relationship_type": ""
      },
      {
        "colour": "#9feaf0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#657ac3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Protocol Tunneling - T1572\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Clear Windows Event Logs - T1070.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#9f6bd9",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\"",
        "relationship_type": ""
      },
      {
        "colour": "#adf1b0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"",
        "relationship_type": ""
      },
      {
        "colour": "#71ecdb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Account Manipulation - T1098\"",
        "relationship_type": ""
      },
      {
        "colour": "#e43954",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#59699c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"",
        "relationship_type": ""
      },
      {
        "colour": "#6d779a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exploitation for Privilege Escalation - T1068\"",
        "relationship_type": ""
      },
      {
        "colour": "#e66f0c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Domain Accounts - T1078.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#30cc3b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#3970d7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#370063",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"vulnerability\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#150052",
        "local": false,
        "name": "rectifyq:sub-category=\"zero-day\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      },
      {
        "colour": "#220082",
        "local": false,
        "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778238028",
        "to_ids": false,
        "type": "link",
        "uuid": "7e5bcf8e-b92d-465a-9d65-9220a2a239db",
        "value": "https://unit42.paloaltonetworks.com/captive-portal-zero-day/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778238028",
        "to_ids": false,
        "type": "text",
        "uuid": "0e073666-1fda-4751-89a7-2a68e538031a",
        "value": "A buffer overflow vulnerability in the User-ID Authentication Portal of PAN-OS software allows unauthenticated attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls. Limited exploitation has been observed starting April 9, 2026, by a likely state-sponsored threat cluster. Attackers successfully achieved remote code execution by injecting shellcode into nginx worker processes. Post-exploitation activities included deployment of EarthWorm and ReverseSocks5 tunneling tools, Active Directory enumeration using compromised firewall credentials, and systematic log destruction to evade detection. The attackers demonstrated operational discipline with intermittent interactive sessions over multiple weeks, using open-source tools instead of proprietary malware to minimize detection. The vulnerability poses elevated risk when the portal is exposed to untrusted networks or the public internet."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778238028",
        "to_ids": false,
        "type": "text",
        "uuid": "48c493d9-cbf8-4be4-b204-ad258b33066b",
        "value": "Name: Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution\nAuthor: AlienVault\nAdversary: CL-STA-1132\nTags: [\"zero-day\", \"pan-os\", \"buffer overflow\", \"reversesocks5\", \"earthworm\", \"tunneling tools\"]\nTgtd countries: []\nMlwr families: [\"EarthWorm\", \"ReverseSocks5\"]\nAttack_ids: [\"T1498.001\", \"T1087.002\", \"T1021.004\", \"T1071\", \"T1190\", \"T1055\", \"T1572\", \"T1070.001\", \"T1016\", \"T1090\", \"T1098\", \"T1562.001\", \"T1078\", \"T1068\", \"T1078.002\", \"T1070.004\", \"T1071.001\", \"T1018\", \"T1105\", \"T1021.001\"]\nIndustries: []"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778238028",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "38b4043a-2a6f-4531-b389-bffeb383f49f",
        "value": "CL-STA-1132"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778947573",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "cfca9741-fb2f-4834-be17-5fa54fbead32",
        "value": "149.104.66.84",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778238028",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "95ad42d5-ffd3-4a60-9488-b7ff40a900de",
        "value": "CVE-2023-33538"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778238028",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "2609201e-68d2-46d1-872c-3a90ae6fc98f",
        "value": "CVE-2025-55182"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778238028",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "45c6bcd6-be93-4d02-9545-23b3bda3e2e8",
        "value": "CVE-2025-66478"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778238028",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "e1049f21-7edb-4b9c-ae9b-8f2c6864e33a",
        "value": "CVE-2025-14847"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778238028",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "8077a467-7519-4e10-a063-9753e9fc5b41",
        "value": "CVE-2026-1281"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778238028",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "c0d3dc76-f46f-4513-a917-02119729b355",
        "value": "CVE-2026-1340"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778238028",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "7619a560-2050-4192-bcf4-eafb71453e1d",
        "value": "CVE-2026-1731"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778238028",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "8ae810c3-2d7a-4634-a867-5b4fca2be3cf",
        "value": "CVE-2025-0921"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778238028",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "a4a0866e-ec60-4cce-bb89-fdb3a3f3c62d",
        "value": "CVE-2025-23304"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778238028",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "24aa41e0-ad7b-49b1-b0a4-e3b4713fc4b4",
        "value": "CVE-2026-22584"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778238028",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "57e4e471-6191-4ea1-9e24-d5979551aaed",
        "value": "CVE-2026-31431"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778947594",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "b2c961f6-3d96-4dea-8e74-78802d376f26",
        "value": "67.206.213.86",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778238028",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "7c58db43-05fe-4b4d-b663-f4f783214808",
        "value": "CVE-2026-0300"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778947615",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "3880202c-3461-44b0-932d-0cbafe6ee459",
        "value": "136.0.8.48",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778947636",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "349ef2e0-92c8-475e-b85b-946bc70994a5",
        "value": "146.70.100.69",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "EarthWorm Download",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778947658",
        "to_ids": true,
        "type": "url",
        "uuid": "fdc6a67e-7442-4d43-9f8c-7d4533966ac2",
        "value": "http://146.70.100.69:8000/php_sess",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "ReverseSocks5 Download",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778947679",
        "to_ids": true,
        "type": "url",
        "uuid": "2a840135-2d0d-4732-b6ed-a64f0f4515f9",
        "value": "https://github.com/Acebond/ReverseSocks5/releases/download/v2.2.0/ReverseSocks5-v2.2.0-linux-amd64.tar.gz",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778942978",
        "to_ids": false,
        "type": "malware-type",
        "uuid": "2c161802-f2f7-46f1-b714-ba9bca53919a",
        "value": "EarthWorm",
        "Tag": [
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:threat-actor=\"APT41\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:threat-actor=\"Volt Typhoon\"",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546825",
        "uuid": "9950fc6c-5979-4a53-875e-9869dc8f7954",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "EarthWorm",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546824",
            "to_ids": true,
            "type": "md5",
            "uuid": "ee55268e-a25e-4504-b972-c9bcdc7db8d6",
            "value": "96f70172f4f20181395e7af147dfa497",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "EarthWorm",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546824",
            "to_ids": true,
            "type": "sha1",
            "uuid": "bef8a2d5-96a0-4229-aaff-f955e5c9f8c1",
            "value": "d60e484f8681bd4ca03c2632d2b9409ccc3e1424",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "EarthWorm",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546825",
            "to_ids": true,
            "type": "sha256",
            "uuid": "0d36318c-6069-4da9-8ea5-8e752d28beaa",
            "value": "e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778945320",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "76918d69-c3d6-4f03-91f9-e2fc20b21b31",
            "value": "384:fgBuJMFEn33PW0X+AumAMZdRdbUVpDiJumRpRNc2cZ8mT4O:4/FA3PWRAZAMZdRg+vmZ8Gv"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778945320",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "af36aa51-4886-4f2f-ab26-db9e274d7271",
            "value": "32680"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778945320",
            "to_ids": true,
            "type": "vhash",
            "uuid": "e2260ada-38e2-4da0-9104-b8b72703ea47",
            "value": "3009d2a69d250643da3c4b9519ec07e7"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778945320",
            "to_ids": true,
            "type": "filename",
            "uuid": "94689be6-1bcb-48be-97c5-db650f8a0210",
            "value": "object51.application%2foctet-stream"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan: 16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778945320",
            "to_ids": false,
            "type": "text",
            "uuid": "2544219b-ef89-4070-84c4-56bee200c141",
            "value": "EarthWorm\nType Description: ELF\nMicrosoft: HackTool:Linux/EarthWorm.B!MTB\nVT Total Detection: 32/64\nFirst Submission: 2016-04-08T04:14:30.000000+00:00\nLast Submission: 2026-04-29T11:54:15.000000+00:00"
          }
        ]
      }
    ]
  }
}