<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cloud NGFW - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/cloud-ngfw/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 08 Jul 2026 16:12:23 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/cloud-ngfw/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-0288 PAN-OS: Buffer Overflow Vulnerabilities in User-ID Terminal Server Agent</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-0288-pan-os-buffer-overflow/</link><pubDate>Wed, 08 Jul 2026 16:12:23 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-0288-pan-os-buffer-overflow/</guid><description>Palo Alto Networks has disclosed multiple buffer overflow vulnerabilities (CVE-2026-0288) in their PAN-OS User-ID Terminal Server Agent (TSA) component, which an unauthenticated attacker with network access can exploit by sending specially crafted network traffic to cause a denial of service (DoS) or potentially achieve arbitrary code execution, affecting various versions of PAN-OS, Cloud NGFW, and Prisma Access if the TSA is exposed to untrusted networks.</description><content:encoded><![CDATA[<p>Palo Alto Networks released an advisory regarding CVE-2026-0288, a set of multiple buffer overflow vulnerabilities present in the User-ID Terminal Server Agent (TSA) component of its PAN-OS software, Cloud NGFW, and Prisma Access products. These vulnerabilities allow an unauthenticated attacker, with direct network access to the affected device, to trigger either a denial of service (DoS) condition or, in more severe cases, execute arbitrary code. The issue primarily impacts devices where the TSA is configured and accessible from untrusted networks, emphasizing the importance of adhering to network segmentation best practices. While Palo Alto Networks is not aware of any in-the-wild exploitation, the potential for service disruption or system compromise makes this a significant concern for organizations utilizing vulnerable PAN-OS versions across their security infrastructure. The advisory was published on July 8, 2026, urging immediate attention to patching and mitigation steps.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker gains network access to a vulnerable Palo Alto Networks PAN-OS device, Cloud NGFW, or Prisma Access instance.</li>
<li>The target device or instance has the User-ID Terminal Server Agent (TSA) component configured and exposed, potentially to untrusted networks.</li>
<li>The attacker sends specially crafted network traffic designed to exploit memory handling flaws to the exposed TSA component.</li>
<li>This malicious traffic specifically targets multiple buffer overflow vulnerabilities (CVE-2026-0288) within the TSA's processing functions.</li>
<li>Successful exploitation of these vulnerabilities leads to memory corruption within the TSA process.</li>
<li>The memory corruption causes the TSA component to crash, resulting in a denial of service (DoS) condition on the affected device or instance.</li>
<li>In scenarios where the buffer overflows are precisely controlled, the attacker could potentially achieve arbitrary code execution, granting them control over the compromised system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-0288 can lead to a critical denial of service (DoS) condition, rendering the affected Palo Alto Networks PAN-OS device, Cloud NGFW, or Prisma Access instance inoperable. This can disrupt network traffic processing, user identification, and overall security enforcement, leading to significant operational downtime and potential security gaps. In the worst-case scenario, the ability to execute arbitrary code could allow an attacker to gain complete control over the device, facilitating further network penetration, data exfiltration, or installation of persistent backdoors. While no specific victim numbers or targeted sectors are publicly known as of the disclosure, any organization using vulnerable Palo Alto Networks products with an exposed User-ID Terminal Server Agent is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch CVE-2026-0288 by upgrading affected Palo Alto Networks PAN-OS installations to the recommended versions:</li>
<li>PAN-OS 12.1: Upgrade to 12.1.4-h8, 12.1.7-h2, 12.1.8 or later.</li>
<li>PAN-OS 11.2: Upgrade to 11.2.4-h20, 11.2.7-h18, 11.2.10-h12, 11.2.13 or later.</li>
<li>PAN-OS 11.1: Upgrade to 11.1.4-h35, 11.1.6-h35, 11.1.7-h8, 11.1.10-h30, 11.1.13-h9, 11.1.16 or later.</li>
<li>PAN-OS 10.2: Upgrade to 10.2.7-h36, 10.2.10-h39, 10.2.13-h23, 10.2.16-h9, 10.2.18-h8 or later.</li>
<li>Prisma Access: Await scheduled maintenance or contact Palo Alto Networks Support for an on-demand upgrade if running affected versions like 11.2.0 &lt; 11.2.7-h18 or 10.2.0 &lt; 10.2.10-h39.</li>
<li>Implement the recommended mitigation for CVE-2026-0288 by restricting User-ID Terminal Server Agent (TSA) connectivity to only trusted internal IP addresses, preventing its exposure to the internet or untrusted networks.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>network</category><category>vulnerability</category><category>cve</category><category>palo-alto-networks</category><category>denial-of-service</category><category>remote-code-execution</category></item><item><title>CVE-2026-0287 PAN-OS: Denial of Service Vulnerabilities in Network Traffic Processing</title><link>https://feed.craftedsignal.io/briefs/2026-07-pan-os-dos-cve-2026-0287/</link><pubDate>Wed, 08 Jul 2026 16:07:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-pan-os-dos-cve-2026-0287/</guid><description>Multiple denial of service vulnerabilities, tracked as CVE-2026-0287, in Palo Alto Networks PAN-OS software allow an unauthenticated attacker to cause a DoS condition by sending specially crafted network traffic, potentially forcing the firewall into maintenance mode.</description><content:encoded><![CDATA[<p>Palo Alto Networks has disclosed multiple denial of service vulnerabilities, tracked as CVE-2026-0287, affecting various versions of its PAN-OS® software, Cloud NGFW, and Prisma Access products. An unauthenticated attacker with network access can trigger a denial of service (DoS) condition by sending specially crafted network traffic to or through a vulnerable dataplane interface. Repeated exploitation of this vulnerability can force the firewall into maintenance mode, disrupting network traffic and service availability. While Cloud NGFW and Prisma Access have built-in resilience, they are still susceptible. This vulnerability, discovered internally, carries a CVSSv4 score of 8.7 (High) and requires immediate patching for affected on-premises PAN-OS installations. Palo Alto Networks is not aware of any in-the-wild exploitation at this time.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker gains network access to a vulnerable Palo Alto Networks PAN-OS dataplane interface.</li>
<li>The attacker crafts and sends specially crafted network traffic designed to exploit CVE-2026-0287.</li>
<li>The vulnerable PAN-OS device processes this malicious traffic through its network traffic processing component.</li>
<li>The specially crafted traffic triggers a denial of service condition within the firewall's operating system.</li>
<li>The DoS condition disrupts the firewall's ability to process legitimate network traffic.</li>
<li>Repeated attempts by the attacker to exploit the vulnerability cause the firewall to enter maintenance mode, completely interrupting network availability.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-0287 leads to a denial of service condition, severely degrading or completely interrupting network traffic processing through the affected Palo Alto Networks firewall. If exploited repeatedly, the firewall enters maintenance mode, rendering it inoperable and causing a full network outage. While Cloud NGFW and Prisma Access products have some built-in resilience, they are not immune, potentially leading to service disruptions for cloud-based network security. This vulnerability impacts organizations relying on these firewalls for network segmentation, security policies, and internet connectivity, resulting in significant operational downtime and potential loss of business continuity.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Prioritize patching all affected Palo Alto Networks PAN-OS installations to the versions specified in the security advisory to remediate CVE-2026-0287.</li>
<li>For Cloud NGFW and Prisma Access customers, contact Palo Alto Networks Support to schedule an on-demand software upgrade if a more immediate patch is required prior to the next scheduled maintenance cycle as per the CVE-2026-0287 advisory.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">threat</category><category>denial-of-service</category><category>vulnerability</category><category>network</category><category>firewall</category><category>palo-alto-networks</category></item></channel></rss>