medium advisory

CVE-2026-0244 Prisma SD-WAN ION Improper Certificate Validation Vulnerability

CVE-2026-0244 is an improper certificate validation vulnerability in Palo Alto Networks Prisma SD-WAN ION that allows a man-in-the-middle (MitM) attacker to impersonate the controller.

Prisma SD-WAN ION versions before 6.5.3-b15, 6.4.3-b8, and 6.3.6-b10 are affected. Palo Alto Networks discovered the vulnerability internally. Successful exploitation could allow an attacker to intercept and modify communications between the SD-WAN ION device and the controller, potentially leading to unauthorized access or control of the network.

Attack Chain

  1. An attacker gains a man-in-the-middle (MitM) position between a Prisma SD-WAN ION device and the controller. This could be achieved through ARP spoofing or DNS poisoning.
  2. The SD-WAN ION device attempts to establish a secure connection with the controller.
  3. The attacker intercepts the TLS handshake.
  4. Due to the improper certificate validation, the attacker presents a fraudulent certificate to the SD-WAN ION device.
  5. The SD-WAN ION device, failing to properly validate the certificate, trusts the attacker’s certificate.
  6. A secure connection is established between the SD-WAN ION device and the attacker, who is impersonating the controller.
  7. The attacker intercepts and potentially modifies communications between the SD-WAN ION device and the real controller.
  8. The attacker could gain unauthorized access to the network or control the SD-WAN ION device.

Impact

Successful exploitation of CVE-2026-0244 allows an attacker to perform man-in-the-middle attacks and impersonate the Prisma SD-WAN controller. This can lead to unauthorized access, data interception, or manipulation of network traffic. The vulnerability affects Prisma SD-WAN ION devices running versions prior to 6.5.3-b15, 6.4.3-b8, and 6.3.6-b10. While Palo Alto Networks is not aware of any malicious exploitation, the potential impact is significant, affecting confidentiality and integrity.

Recommendation

  • Upgrade Prisma SD-WAN ION to version 6.5.3-b15 or later if running a version between 6.5.1 and 6.5.3, as indicated in the advisory.
  • Upgrade Prisma SD-WAN ION to version 6.4.3-b8 or later if running a version between 6.4.1 and 6.4.3, as indicated in the advisory.
  • Upgrade Prisma SD-WAN ION to version 6.3.6-b10 or later if running a version between 6.3.1 and 6.3.6, as indicated in the advisory.
  • For Prisma SD-WAN ION 6.2.4 on-prem, upgrade to version 6.2.4-b12.
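
To apply the upgrade guidance above across a device inventory, the following triage helper is an added example (not code from Palo Alto Networks or from this advisory). It assumes version strings of the form `X.Y.Z` or `X.Y.Z-bN`, as written in the advisory, and the device names and versions in `SAMPLE` are constructed.

```python
import re

# Per-train data taken from the Recommendation list above:
# (major, minor) -> (lowest affected patch, fixed patch, fixed build, "or later" stated?)
TRAINS = {
    (6, 5): (1, 3, 15, True),
    (6, 4): (1, 3, 8, True),
    (6, 3): (1, 6, 10, True),
    (6, 2): (4, 4, 12, False),  # on-prem; the page names only 6.2.4-b12
}

# Assumed version format, modelled on the strings in the advisory.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-b(\d+))?$")

def triage(version: str) -> str:
    """Return 'affected', 'fixed', 'unknown_build', 'not_listed' or 'unparsed'."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unparsed"
    major, minor, patch = (int(g) for g in m.groups()[:3])
    build = int(m.group(4)) if m.group(4) is not None else None
    train = TRAINS.get((major, minor))
    if train is None or patch < train[0]:
        return "not_listed"  # the page gives no guidance for this version
    _, fixed_patch, fixed_build, or_later = train
    if patch < fixed_patch:
        return "affected"
    if patch > fixed_patch:
        return "fixed" if or_later else "not_listed"
    # Same patch level as the fix: only the build number can decide.
    if build is None:
        return "unknown_build"
    if build < fixed_build:
        return "affected"
    return "fixed" if (or_later or build == fixed_build) else "not_listed"

def triage_fleet(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group device names by triage status."""
    result: dict[str, list[str]] = {}
    for device, version in sorted(inventory.items()):
        result.setdefault(triage(version), []).append(device)
    return result

# Constructed inventory: device names and versions are made up for illustration.
SAMPLE = {"branch-01": "6.5.2-b4", "branch-02": "6.5.3-b15", "branch-03": "6.4.3",
          "dc-01": "6.2.4-b11", "dc-02": "6.1.9-b2", "lab-01": "6.3.6-b9"}

if __name__ == "__main__":
    print(triage_fleet(SAMPLE))
```

Devices reported as `unknown_build` or `not_listed` need the exact build string or the vendor advisory before they can be cleared.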

Detection coverage (2 rules)

Detect CVE-2026-0244 Exploitation Attempt - TLS Certificate Validation Error

medium

Detects potential exploitation attempts of CVE-2026-0244 by monitoring for TLS certificate validation errors indicative of a man-in-the-middle attack against Prisma SD-WAN ION devices.

Format: sigma | Tactics: initial_access | Techniques: T1566 | Sources: firewall, paloalto

Detect CVE-2026-0244 Related - Abnormal Prisma SD-WAN TLS Handshake Size

low

Detects potential exploitation attempts of CVE-2026-0244 by monitoring for abnormal TLS handshake sizes which may be indicative of a MitM attack against Prisma SD-WAN ION devices.

Format: sigma | Tactics: initial_access | Techniques: T1566 | Sources: network_connection, paloalto
