Bg ShapeBg Shape
THREAT INTELLIGENCE

Palo Alto Networks Security Advisories

Affected Environment

PAN-OS versions 10.2, 11.1, 11.2, and 12.1 across Palo Alto Networks hardware and virtual firewalls, Cloud NGFW, Prisma Access, Prisma Access Agent on Windows and iOS, and Cortex XDR Broker VM.

Threat Overview

Palo Alto Networks has disclosed multiple vulnerabilities affecting PAN-OS and related services. The advisory set covers buffer overflow flaws in the User-ID Terminal Server Agent, denial of service vulnerabilities in network traffic processing, a command injection flaw in the CLI, and lower-severity issues including SSRF, XML injection, authentication bypass, file deletion, information disclosure, IPv6 policy bypass, and cross-site scripting. Palo Alto Networks has released fixes for all affected products and has stated it is not aware of any malicious exploitation at time of publication. Prisma Browser also received its monthly Chromium security update.

Exposure Timeline

Advisories published 9 July 2026. No active exploitation confirmed. Fixes available for all affected versions. Standard remediation window of ten working days applies; organisations running affected versions should prioritise the highest-severity issues first.

Attack Surface

Network-accessible PAN-OS management interfaces, dataplane interfaces, and Large Scale VPN (LSVPN) satellite endpoints. The buffer overflow and DoS vulnerabilities are reachable by unauthenticated attackers with network access. Command injection requires authenticated administrator access. DLP bypass and certificate validation issues require local or on-path access.

Technical Root Cause

CVE-2026-0288 (CVSS 7.2) - Multiple buffer overflow vulnerabilities in the User-ID Terminal Server Agent (TSA) allow an unauthenticated attacker with network access to cause a DoS condition or potentially execute arbitrary code via specially crafted network traffic.

CVE-2026-0287 (CVSS 6.6) - Multiple DoS vulnerabilities in PAN-OS network traffic processing allow an unauthenticated attacker to force the firewall into maintenance mode via repeated specially crafted traffic to a dataplane interface.

CVE-2026-0286 (CVSS 6.0) - A command injection vulnerability in the PAN-OS management plane CLI allows an authenticated administrator to execute arbitrary OS commands as root.

CVE-2026-0285 (CVSS 4.7) - An SSRF vulnerability in the PAN-OS management web interface allows an authenticated administrator to make unauthorised requests from the firewall to internal services.

CVE-2026-0284 (CVSS 4.7) - An XML injection vulnerability in LSVPN allows an unauthenticated attacker with network access to inject malicious XML content, potentially leading to information disclosure or corruption of internal LSVPN satellite data.

CVE-2026-0283 (CVSS 4.5) - An authentication bypass in LSVPN allows an attacker with network access to bypass security restrictions and establish an unauthorised site-to-site VPN connection.

CVE-2026-0282 (CVSS 2.7) - A file deletion vulnerability in the management web interface allows an unauthenticated attacker with access to delete files from a temporary directory.

CVE-2026-0281 (CVSS 2.1) - An information disclosure vulnerability in the management web interface allows an unauthenticated attacker to obtain web session tokens if a legitimate user first clicks a malicious link.

CVE-2026-0280 (CVSS 1.7) - An IPv6 packet processing vulnerability allows an unauthenticated attacker to bypass firewall security policy enforcement, allowing otherwise blocked traffic to reach protected services.

CVE-2026-0279 (CVSS 1.3) - Multiple XSS vulnerabilities in User-ID Authentication Portal, GlobalProtect gateway/portal, and Clientless VPN allow a malicious unauthenticated user to store or execute malicious JavaScript.

Operational Impact

The buffer overflow (CVE-2026-0288) represents the highest risk, with potential for unauthenticated remote code execution on TSA components in addition to DoS. The DoS vulnerabilities (CVE-2026-0287) could force firewalls into maintenance mode, disrupting network security enforcement. The command injection flaw (CVE-2026-0286) could allow a compromised admin account to gain root OS access. The IPv6 bypass (CVE-2026-0280) could allow unauthorised traffic to reach protected services silently. The DLP bypass on Windows (CVE-2026-0278, CVSS 5.8) and certificate validation flaw on iOS (CVE-2026-0277, CVSS 5.7) affect Prisma Access Agent deployments.

Strategic Impact

Risk is rated Medium for large and medium government and business entities, and Low for small business entities. No active exploitation has been confirmed. The breadth of the advisory set reflects routine quarterly patching rather than an emergency response. Organisations running unpatched PAN-OS versions across a large estate should treat the buffer overflow and DoS vulnerabilities as the priority remediation items.

Required Mitigation

Apply patches to the fixed versions listed below. Where possible, restrict external access to management interfaces at the network boundary and limit access to trusted hosts and networks only. Run non-administrative software as unprivileged users to reduce the impact of latent vulnerabilities.

PAN-OS 12.1: Upgrade to 12.1.4-h8, 12.1.7-h2, or 12.1.8 or later depending on current minor version.

PAN-OS 11.2: Upgrade to 11.2.4-h20, 11.2.7-h18, 11.2.10-h12, or 11.2.13 or later.

PAN-OS 11.1: Upgrade to 11.1.4-h35, 11.1.6-h35, 11.1.7-h8, 11.1.10-h30, 11.1.13-h9, or 11.1.16 or later.

PAN-OS 10.2: Upgrade to 10.2.7-h36, 10.2.10-h39, 10.2.13-h23, 10.2.16-h9, or 10.2.18-h8 or later.

Prisma Access 11.2: Upgrade to 11.2.7-h18 or later. Prisma Access 10.2: Upgrade to 10.2.10-h39 or later.

Prisma Access Agent (Windows): Upgrade to 26.2.1 or later. Prisma Access Agent (iOS): Upgrade to 26.2.1 or later.

Cortex XDR Broker VM: Upgrade to 31.0.58 or later, or enable automatic upgrades.

Cloud NGFW: No action required for most CVEs. For CVE-2026-0287, contact Palo Alto Networks support to schedule an on-demand upgrade.

Incident Response Guidance

Block external access to management interfaces at the network boundary unless explicitly required. Filter access to affected systems to trusted computers and networks only. Monitor for anomalous administrator CLI activity, unexpected outbound connections from firewall management planes, and any maintenance mode state changes. Ensure endpoint and network monitoring solutions are current to provide visibility into any exploitation attempts.

References

Palo Alto Networks Security Advisories: CVE-2026-0288, CVE-2026-0287, CVE-2026-0286, CVE-2026-0285, CVE-2026-0284, CVE-2026-0283, CVE-2026-0282, CVE-2026-0281, CVE-2026-0280, CVE-2026-0279, CVE-2026-0278, CVE-2026-0277, CVE-2026-0276, PAN-SA-2026-0010. All advisories available at security.paloaltonetworks.com.

Download the Full Report

Explore More of the Latest Threat Intelligence

Trusted by clients worldwide

Logo
Logo
Logo
Logo
Logo
Logo

Your 24/7 Security Partner

Led by human expertise and powered by the VisionX platform, we provide you with a 24/7 unbeatable Managed Detection & Response capability giving you transparent and consolidated security solutions.

Awards Image
Awards Image
Awards Image
Awards Image
Awards Image
Awards Image