Researchers identify EarthWorm and ReverseSocks5 toolsets used in PAN‑OS attacks

- Unit 42 said attackers exploiting Palo Alto PAN‑OS CVE‑2026‑0300 dropped EarthWorm and ReverseSocks5 on compromised firewalls after gaining root access.
- The pair matters because one tool builds covert SOCKS tunnels while the other preserves access, alongside AD discovery and log wiping.
- That turns a firewall bug into a network-pivot problem, not just a single-device patching exercise.

Firewalls are supposed to be the thing standing between the internet and everything you care about. That is why this PAN‑OS story lands so hard. The initial bug already mattered because it gave attackers remote code execution on exposed Palo Alto firewalls. But the new detail is worse in a very practical way — researchers say the intruders were not just popping boxes and leaving. They were dropping real post-compromise tooling to stay in, move traffic, and cover their tracks.

### What was the actual bug?

The entry point was CVE‑2026‑0300, a buffer overflow in the User‑ID Authentication Portal — the Captive Portal feature in PAN‑OS. If that service was exposed, an unauthenticated attacker could send crafted traffic and end up executing code as root on affected PA‑Series and VM‑Series firewalls. That is the highest-value foothold you can hand an intruder on a perimeter device. (unit42.paloaltonetworks.com)

### Why is a firewall foothold so dangerous?

A firewall is not just another Linux box in a rack. It sits in the path of traffic, sees internal and external connections, and often holds credentials, policy data, and trust relationships that normal endpoints do not. Once an attacker gets root there, the problem stops being “one appliance is compromised” and starts becoming “the network boundary is now working for the attacker too.” watchTowr spelled out the obvious next steps — inspect or modify traffic, weaken policy enforcement, establish persistence, and pivot inward. (watchtowr.com)

### What are EarthWorm and ReverseSocks5 doing here?

Unit 42 said the post-exploitation activity included EarthWorm and ReverseSocks5, both publicly available tunneling tools. ReverseSocks5 is the easier one to picture — it creates a SOCKS proxy path so an attacker can route traffic through the compromised device and reach other systems indirectly. EarthWorm plays a similar “make a tunnel where there should not be one” role, and in this campaign it showed up as part of the persistence-and-access toolkit left behind on the firewall. (watchtowr.com)

### Why do defenders care about “publicly available” tools?

Because public tools blur attribution but speed up operations. An attacker does not need custom malware if a well-known tunnel already does the job. That makes the campaign cheaper to run and sometimes harder to triage quickly, since defenders may see generic binaries rather than a neat family name tied to one actor. The important point is not whether EarthWorm is exotic. It is that the attackers used the firewall as a relay and foothold after exploitation. (unit42.paloaltonetworks.com)

### What else did the intruders do?

The same Unit 42 brief said the attackers enumerated Active Directory using credentials likely obtained from the firewall, then systematically destroyed logs and other evidence of compromise. That combination tells you a lot. They were not testing a proof of concept. They were trying to learn the victim environment, expand access, and make incident response harder after the fact. (unit42.paloaltonetworks.com)

### Does this look like ordinary smash-and-grab activity?

Not really. Palo Alto did not publicly pin the campaign on a named actor in the material surfaced here, but outside analysis said the tradecraft carried hallmarks associated with Chinese state-linked intrusion sets. The more grounded takeaway is simpler — the behavior fits a patient, post-exploitation playbook built around stealthy access and internal pivoting, not noisy ransomware deployment. (unit42.paloaltonetworks.com)

### So what should teams do first?

Patch, but do not stop at patching. Palo Alto’s advisory shows fixed versions rolling out across supported PAN‑OS branches, with some releases available May 13 and others May 28. If the Captive Portal is enabled, restrict access to trusted internal IPs until fixed code is in place. Then hunt for the second-stage signs — tunneling binaries, suspicious outbound proxy behavior, AD discovery from the firewall, and missing or wiped logs. (securityweek.com)

### Bottom line?

The new detail changes the story from “critical firewall bug” to “critical firewall bug already being used as a launchpad.” EarthWorm and ReverseSocks5 matter because they show intent after initial access — stay resident, tunnel through the edge, and reach deeper into the network. (unit42.paloaltonetworks.com) (security.paloaltonetworks.com)
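To make the hunt described above concrete, here is an added example that is not from Unit 42, watchTowr or Palo Alto. It runs three of the second-stage checks over constructed, simplified flow records: long-lived outbound sessions that the firewall itself originates to external addresses (the shape a reverse SOCKS tunnel takes from the outside), LDAP traffic from the firewall to internal hosts (possible AD discovery), and silent stretches in the log that may mean entries were wiped. The log format, the firewall's own addresses, the internal address ranges and the thresholds are all assumptions for the example, not real PAN‑OS syntax or values from the advisory.

```python
"""Hunt helper for second-stage signs after a perimeter-device compromise.
Added example; the key=value log shape and every address are constructed."""
from datetime import datetime, timedelta
import ipaddress
import re

# Assumption: defenders know which addresses belong to the firewall itself
# (management and egress). Placeholder addresses from RFC 1918 / RFC 5737.
FIREWALL_SELF_IPS = {"10.0.0.1", "203.0.113.10"}

# Assumption: these are the organisation's internal ranges; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Common LDAP / Global Catalog ports used for AD enumeration.
LDAP_PORTS = (389, 636, 3268, 3269)

# Constructed records: timestamp, then key=value fields. Not real telemetry.
SAMPLE_LOG = """\
2026-05-20T08:00:00 src=10.0.5.23 dst=198.51.100.40 dport=443 dur=12
2026-05-20T08:05:00 src=10.0.5.24 dst=198.51.100.41 dport=443 dur=30
2026-05-20T08:10:00 src=203.0.113.10 dst=198.51.100.77 dport=8443 dur=7200
2026-05-20T08:15:00 src=10.0.5.25 dst=10.0.9.9 dport=445 dur=5
2026-05-20T10:30:00 src=10.0.5.26 dst=198.51.100.42 dport=80 dur=8
2026-05-20T10:35:00 src=10.0.0.1 dst=192.168.50.5 dport=389 dur=20
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_log(text):
    """Parse the constructed records into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, _, rest = line.partition(" ")
        fields = dict(FIELD_RE.findall(rest))
        records.append({
            "ts": datetime.fromisoformat(ts_str),
            "src": fields["src"],
            "dst": fields["dst"],
            "dport": int(fields["dport"]),
            "dur": int(fields["dur"]),
        })
    return records


def is_external(ip_str):
    """True when the address falls outside the assumed internal ranges."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETS)


def find_self_originated_tunnels(records, self_ips=FIREWALL_SELF_IPS, min_duration=600):
    """Records where the firewall itself holds a long outbound session to an external host.
    A firewall forwards traffic; it rarely originates hours-long sessions to the internet,
    which is exactly what a reverse tunnel looks like from the outside."""
    return [r for r in records
            if r["src"] in self_ips and is_external(r["dst"]) and r["dur"] >= min_duration]


def find_self_originated_ldap(records, self_ips=FIREWALL_SELF_IPS, ldap_ports=LDAP_PORTS):
    """Records where the firewall itself talks LDAP to an internal host.
    Caveat: User-ID legitimately queries AD, so compare against the configured
    agent targets before treating a hit as discovery activity."""
    return [r for r in records
            if r["src"] in self_ips and not is_external(r["dst"]) and r["dport"] in ldap_ports]


def find_log_gaps(records, max_gap=timedelta(minutes=30)):
    """(start, end) pairs where consecutive records are further apart than max_gap.
    On a busy perimeter device a silent stretch is a wiping indicator worth checking
    against the device audit trail and any remote syslog copy."""
    stamps = sorted(r["ts"] for r in records)
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > max_gap]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in find_self_originated_tunnels(recs):
        print("long outbound session from firewall:", hit)
    for hit in find_self_originated_ldap(recs):
        print("LDAP from firewall to internal host (verify against User-ID config):", hit)
    for start, end in find_log_gaps(recs):
        print(f"log gap: {start.isoformat()} -> {end.isoformat()}")
```

The thresholds are deliberately conservative starting points; tune `min_duration` and `max_gap` against a baseline from the same device, and treat the LDAP check as a comparison against known User‑ID agent targets rather than a verdict on its own.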
