{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/cloud-ngfw/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Cloud NGFW","PAN-OS 12.1","PAN-OS 11.2","PAN-OS 11.1","PAN-OS 10.2","Prisma Access 11.2.0","Prisma Access 10.2.0"],"_cs_severities":["high"],"_cs_tags":["network","vulnerability","cve","palo-alto-networks","denial-of-service","remote-code-execution"],"_cs_type":"threat","_cs_vendors":["Palo Alto Networks"],"content_html":"\u003cp\u003ePalo Alto Networks released an advisory regarding CVE-2026-0288, a set of multiple buffer overflow vulnerabilities present in the User-ID Terminal Server Agent (TSA) component of its PAN-OS software, Cloud NGFW, and Prisma Access products. These vulnerabilities allow an unauthenticated attacker, with direct network access to the affected device, to trigger either a denial of service (DoS) condition or, in more severe cases, execute arbitrary code. The issue primarily impacts devices where the TSA is configured and accessible from untrusted networks, emphasizing the importance of adhering to network segmentation best practices. While Palo Alto Networks is not aware of any in-the-wild exploitation, the potential for service disruption or system compromise makes this a significant concern for organizations utilizing vulnerable PAN-OS versions across their security infrastructure. The advisory was published on July 8, 2026, urging immediate attention to patching and mitigation steps.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker gains network access to a vulnerable Palo Alto Networks PAN-OS device, Cloud NGFW, or Prisma Access instance.\u003c/li\u003e\n\u003cli\u003eThe target device or instance has the User-ID Terminal Server Agent (TSA) component configured and exposed, potentially to untrusted networks.\u003c/li\u003e\n\u003cli\u003eThe attacker sends specially crafted network traffic designed to exploit memory handling flaws to the exposed TSA component.\u003c/li\u003e\n\u003cli\u003eThis malicious traffic specifically targets multiple buffer overflow vulnerabilities (CVE-2026-0288) within the TSA's processing functions.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation of these vulnerabilities leads to memory corruption within the TSA process.\u003c/li\u003e\n\u003cli\u003eThe memory corruption causes the TSA component to crash, resulting in a denial of service (DoS) condition on the affected device or instance.\u003c/li\u003e\n\u003cli\u003eIn scenarios where the buffer overflows are precisely controlled, the attacker could potentially achieve arbitrary code execution, granting them control over the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-0288 can lead to a critical denial of service (DoS) condition, rendering the affected Palo Alto Networks PAN-OS device, Cloud NGFW, or Prisma Access instance inoperable. This can disrupt network traffic processing, user identification, and overall security enforcement, leading to significant operational downtime and potential security gaps. In the worst-case scenario, the ability to execute arbitrary code could allow an attacker to gain complete control over the device, facilitating further network penetration, data exfiltration, or installation of persistent backdoors. While no specific victim numbers or targeted sectors are publicly known as of the disclosure, any organization using vulnerable Palo Alto Networks products with an exposed User-ID Terminal Server Agent is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch CVE-2026-0288 by upgrading affected Palo Alto Networks PAN-OS installations to the recommended versions:\u003c/li\u003e\n\u003cli\u003ePAN-OS 12.1: Upgrade to 12.1.4-h8, 12.1.7-h2, 12.1.8 or later.\u003c/li\u003e\n\u003cli\u003ePAN-OS 11.2: Upgrade to 11.2.4-h20, 11.2.7-h18, 11.2.10-h12, 11.2.13 or later.\u003c/li\u003e\n\u003cli\u003ePAN-OS 11.1: Upgrade to 11.1.4-h35, 11.1.6-h35, 11.1.7-h8, 11.1.10-h30, 11.1.13-h9, 11.1.16 or later.\u003c/li\u003e\n\u003cli\u003ePAN-OS 10.2: Upgrade to 10.2.7-h36, 10.2.10-h39, 10.2.13-h23, 10.2.16-h9, 10.2.18-h8 or later.\u003c/li\u003e\n\u003cli\u003ePrisma Access: Await scheduled maintenance or contact Palo Alto Networks Support for an on-demand upgrade if running affected versions like 11.2.0 \u0026lt; 11.2.7-h18 or 10.2.0 \u0026lt; 10.2.10-h39.\u003c/li\u003e\n\u003cli\u003eImplement the recommended mitigation for CVE-2026-0288 by restricting User-ID Terminal Server Agent (TSA) connectivity to only trusted internal IP addresses, preventing its exposure to the internet or untrusted networks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T16:12:23Z","date_published":"2026-07-08T16:12:23Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-0288-pan-os-buffer-overflow/","summary":"Palo Alto Networks has disclosed multiple buffer overflow vulnerabilities (CVE-2026-0288) in their PAN-OS User-ID Terminal Server Agent (TSA) component, which an unauthenticated attacker with network access can exploit by sending specially crafted network traffic to cause a denial of service (DoS) or potentially achieve arbitrary code execution, affecting various versions of PAN-OS, Cloud NGFW, and Prisma Access if the TSA is exposed to untrusted networks.","title":"CVE-2026-0288 PAN-OS: Buffer Overflow Vulnerabilities in User-ID Terminal Server Agent","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-0288-pan-os-buffer-overflow/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PAN-OS 12.1","PAN-OS 11.2","PAN-OS 11.1","PAN-OS 10.2","Cloud NGFW","Prisma Access 11.2.0","Prisma Access 10.2.0"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","vulnerability","network","firewall","palo-alto-networks"],"_cs_type":"threat","_cs_vendors":["Palo Alto Networks"],"content_html":"\u003cp\u003ePalo Alto Networks has disclosed multiple denial of service vulnerabilities, tracked as CVE-2026-0287, affecting various versions of its PAN-OS® software, Cloud NGFW, and Prisma Access products. An unauthenticated attacker with network access can trigger a denial of service (DoS) condition by sending specially crafted network traffic to or through a vulnerable dataplane interface. Repeated exploitation of this vulnerability can force the firewall into maintenance mode, disrupting network traffic and service availability. While Cloud NGFW and Prisma Access have built-in resilience, they are still susceptible. This vulnerability, discovered internally, carries a CVSSv4 score of 8.7 (High) and requires immediate patching for affected on-premises PAN-OS installations. Palo Alto Networks is not aware of any in-the-wild exploitation at this time.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker gains network access to a vulnerable Palo Alto Networks PAN-OS dataplane interface.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts and sends specially crafted network traffic designed to exploit CVE-2026-0287.\u003c/li\u003e\n\u003cli\u003eThe vulnerable PAN-OS device processes this malicious traffic through its network traffic processing component.\u003c/li\u003e\n\u003cli\u003eThe specially crafted traffic triggers a denial of service condition within the firewall's operating system.\u003c/li\u003e\n\u003cli\u003eThe DoS condition disrupts the firewall's ability to process legitimate network traffic.\u003c/li\u003e\n\u003cli\u003eRepeated attempts by the attacker to exploit the vulnerability cause the firewall to enter maintenance mode, completely interrupting network availability.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-0287 leads to a denial of service condition, severely degrading or completely interrupting network traffic processing through the affected Palo Alto Networks firewall. If exploited repeatedly, the firewall enters maintenance mode, rendering it inoperable and causing a full network outage. While Cloud NGFW and Prisma Access products have some built-in resilience, they are not immune, potentially leading to service disruptions for cloud-based network security. This vulnerability impacts organizations relying on these firewalls for network segmentation, security policies, and internet connectivity, resulting in significant operational downtime and potential loss of business continuity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePrioritize patching all affected Palo Alto Networks PAN-OS installations to the versions specified in the security advisory to remediate CVE-2026-0287.\u003c/li\u003e\n\u003cli\u003eFor Cloud NGFW and Prisma Access customers, contact Palo Alto Networks Support to schedule an on-demand software upgrade if a more immediate patch is required prior to the next scheduled maintenance cycle as per the CVE-2026-0287 advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T16:07:00Z","date_published":"2026-07-08T16:07:00Z","id":"https://feed.craftedsignal.io/briefs/2026-07-pan-os-dos-cve-2026-0287/","summary":"Multiple denial of service vulnerabilities, tracked as CVE-2026-0287, in Palo Alto Networks PAN-OS software allow an unauthenticated attacker to cause a DoS condition by sending specially crafted network traffic, potentially forcing the firewall into maintenance mode.","title":"CVE-2026-0287 PAN-OS: Denial of Service Vulnerabilities in Network Traffic Processing","url":"https://feed.craftedsignal.io/briefs/2026-07-pan-os-dos-cve-2026-0287/"}],"language":"en","title":"CraftedSignal Threat Feed - Cloud NGFW","version":"https://jsonfeed.org/version/1.1"}