CL-STA-1132
Nation-state Dormant
- Mentions
- 2
- First seen
- 06 May 2026
- Last seen
- 07 May 2026
Relevant to you · Affects your stack
- Technology:
- Microsoft Remote Desktop GatewaySiemens TIA Portal
- Threat focus:
- espionage / apt
- Sector / region:
- Manufacturing
Origin
Unattributed
Profile
CL-STA-1132 is a threat actor exploiting zero-day vulnerabilities in Palo Alto Networks PAN-OS. Recent reporting indicates exploitation of a flaw in the Captive Portal and a critical buffer overflow in the User-ID Authentication Portal to achieve unauthenticated remote code execution. The group targets systems running PAN-OS, likely for espionage or network compromise. Activities include exploitation of CVE-2026-0300.
Affected vendors
Palo Alto Networks
Targeted sectors
Information Technology
How they operate (MITRE tactics)
Reconnaissance
Initial Access
Privilege Escalation
Discovery
Command and Control
Recommended mitigations
Derived from MITRE ATT&CK, mapped to this actor's techniques.
- M1016 Vulnerability Scanning
- M1019 Threat Intelligence Program
- M1020 SSL/TLS Inspection
- M1026 Privileged Account Management
- M1030 Network Segmentation
- M1031 Network Intrusion Prevention
- M1035 Limit Access to Resource Over Network
- M1037 Filter Network Traffic
- M1038 Execution Prevention
- M1048 Application Isolation and Sandboxing
- M1050 Exploit Protection
- M1051 Update Software
- M1056 Pre-compromise
Linked CVEs
- CVE-2026-0300 KEV CVSS 9.8 EPSS 5%
Related actors
Share a CVE, technique or malware with this actor.