Overview
- CISA, which added the flaw to its Known Exploited Vulnerabilities catalog Wednesday, gave federal agencies until May 9 to secure exposed devices.
- Palo Alto says exploitation remains limited and targets portals reachable from the internet, with Unit 42 tracking the activity as cluster CL-STA-1132 tied to suspected state-sponsored tradecraft.
- Vendor telemetry shows attempts starting April 9 progressed to remote code execution a week later through shellcode injected into an nginx worker on a firewall.
- After access, the intruders cleared crash logs, enumerated Active Directory with the firewall’s service account, and dropped EarthWorm and ReverseSocks5 to tunnel traffic.
- Fixes begin May 13 with more on May 28, and admins should restrict or disable the portal, as internet scans still find thousands of PAN-OS instances exposed.
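The post-access behaviour listed above (crash logs cleared, Active Directory enumerated with the firewall's service account, EarthWorm and ReverseSocks5 dropped for tunnelling) is the part a defender can hunt for today, before the fixes ship. The following is an added triage example, not Palo Alto's or Unit 42's tooling: it runs three simple checks over a normalised event list. The event layout, the account name `svc-panfw-ldap`, the `threshold` value and the sample records are all constructed assumptions; real PAN-OS and domain-controller logs would first have to be mapped onto these fields.

```python
"""Constructed post-access triage heuristic (added example, not vendor tooling).

Flags three behaviours attributed to the intrusion cluster in the summary:
  1. crash logs cleared on the firewall,
  2. a burst of LDAP queries issued under the firewall's service account,
  3. tunnelling tools (EarthWorm, ReverseSocks5) started on the device.
The Event layout, sample records and account name are assumptions for illustration.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Iterable

# Tool names come from the summary; matched case-insensitively against the command field.
TUNNELING_TOOLS = ("earthworm", "reversesocks5")


@dataclass(frozen=True)
class Event:
    """One normalised event (assumed layout, not a PAN-OS or AD log format)."""
    ts: str       # ISO-8601 timestamp
    host: str     # device or server that recorded the event
    actor: str    # account that performed the action
    action: str   # normalised type: log_clear, ldap_query, process_start, ...
    detail: str   # log name, LDAP filter or command line


def find_crash_log_clearing(events: Iterable[Event]) -> list[Event]:
    """Crash logs being cleared on a firewall is a post-exploitation cleanup signal."""
    return [e for e in events if e.action == "log_clear" and "crash" in e.detail.lower()]


def find_ad_enumeration(events: Iterable[Event], service_account: str, threshold: int = 3) -> int:
    """Count LDAP queries issued by the firewall's service account.

    That account normally just authenticates users, so a burst of directory
    queries from it looks like enumeration. Returns the count when it reaches
    the threshold, otherwise 0 (threshold is an assumed tuning value).
    """
    n = sum(1 for e in events if e.action == "ldap_query" and e.actor == service_account)
    return n if n >= threshold else 0


def find_tunneling_tools(events: Iterable[Event]) -> list[Event]:
    """Process starts whose command line names a known tunnelling tool."""
    return [e for e in events
            if e.action == "process_start"
            and any(t in e.detail.lower() for t in TUNNELING_TOOLS)]


def triage(events: list[Event], service_account: str) -> dict[str, object]:
    """Run all three checks and return only the findings that fired."""
    findings: dict[str, object] = {}
    cleared = find_crash_log_clearing(events)
    if cleared:
        findings["crash_log_cleared"] = [(e.ts, e.host) for e in cleared]
    n = find_ad_enumeration(events, service_account)
    if n:
        findings["ad_enumeration"] = {"account": service_account, "ldap_queries": n}
    tools = find_tunneling_tools(events)
    if tools:
        findings["tunneling_tools"] = sorted({e.detail.split()[0].lower() for e in tools})
    return findings


# Constructed sample data, not real telemetry; the account name is a placeholder.
FIREWALL_SERVICE_ACCOUNT = "svc-panfw-ldap"
SAMPLE_EVENTS = [
    Event("2025-04-16T02:10:51Z", "fw-edge-01", "root", "log_clear", "crash log cleared"),
    Event("2025-04-16T02:12:03Z", "dc-01", "svc-panfw-ldap", "ldap_query", "(sAMAccountName=alice)"),
    Event("2025-04-16T02:12:09Z", "dc-01", "svc-panfw-ldap", "ldap_query", "(objectClass=user)"),
    Event("2025-04-16T02:12:10Z", "dc-01", "svc-panfw-ldap", "ldap_query", "(objectClass=group)"),
    Event("2025-04-16T02:12:11Z", "dc-01", "svc-panfw-ldap", "ldap_query", "(objectClass=computer)"),
    Event("2025-04-16T02:13:40Z", "dc-01", "jdoe", "ldap_query", "(sAMAccountName=jdoe)"),
    Event("2025-04-16T02:15:22Z", "fw-edge-01", "root", "process_start", "nginx: worker process"),
    Event("2025-04-16T02:16:05Z", "fw-edge-01", "root", "process_start", "ReverseSocks5"),
    Event("2025-04-16T02:16:30Z", "fw-edge-01", "root", "process_start", "earthworm"),
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS, FIREWALL_SERVICE_ACCOUNT), indent=2))
```

The LDAP check is the one that needs tuning per environment: set `threshold` from the firewall account's normal query rate, and treat object-class wide filters (users, groups, computers) from that account as the strongest signal, since authentication lookups are single-account filters.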