{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/pan-os-11.2--11.2.13/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PAN-OS 12.1 (\u003c 12.1.4-h8)","PAN-OS 12.1 (\u003c 12.1.7-h2)","PAN-OS 12.1 (\u003c 12.1.8)","PAN-OS 11.2 (\u003c 11.2.4-h20)","PAN-OS 11.2 (\u003c 11.2.7-h18)","PAN-OS 11.2 (\u003c 11.2.10-h12)","PAN-OS 11.2 (\u003c 11.2.13)","PAN-OS 11.1 (\u003c 11.1.4-h35)","PAN-OS 11.1 (\u003c 11.1.6-h35)","PAN-OS 11.1 (\u003c 11.1.7-h8)","PAN-OS 11.1 (\u003c 11.1.10-h30)","PAN-OS 11.1 (\u003c 11.1.13-h9)","PAN-OS 11.1 (\u003c 11.1.16)","PAN-OS 10.2 (\u003c 10.2.7-h36)","PAN-OS 10.2 (\u003c 10.2.10-h39)","PAN-OS 10.2 (\u003c 10.2.13-h23)","PAN-OS 10.2 (\u003c 10.2.16-h9)","PAN-OS 10.2 (\u003c 10.2.18-h8)"],"_cs_severities":["medium"],"_cs_tags":["vulnerability","xml-injection","pan-os","network-device"],"_cs_type":"threat","_cs_vendors":["Palo Alto Networks"],"content_html":"\u003cp\u003eAn XML injection vulnerability (CVE-2026-0284) exists in the Large Scale VPN (LSVPN) functionality of Palo Alto Networks PAN-OS software, allowing an unauthenticated attacker with network access to inject malicious XML content. This can lead to information disclosure or corruption of internal LSVPN satellite data. The vulnerability, discovered internally and published on July 8, 2026, impacts firewalls running specific versions of PAN-OS 10.2.x, 11.1.x, 11.2.x, and 12.1.x. Exposure is limited to devices actively using LSVPN with configured satellites. Palo Alto Networks is currently unaware of any malicious exploitation in the wild, but the low attack complexity and lack of user interaction make this a significant concern for vulnerable deployments, necessitating prompt patching to mitigate potential data compromise or service disruption.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker gains network access to a vulnerable Palo Alto Networks PAN-OS firewall running LSVPN with configured satellites.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the LSVPN functionality exposed through GlobalProtect portals, which is susceptible to XML injection.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a specialized network request containing malicious XML content designed for injection into the LSVPN communication protocol.\u003c/li\u003e\n\u003cli\u003eThis crafted XML payload is transmitted to the vulnerable PAN-OS device's LSVPN interface via the network.\u003c/li\u003e\n\u003cli\u003eDue to the XML injection vulnerability (CVE-2026-0284), the PAN-OS firewall incorrectly parses and processes the attacker's malicious XML.\u003c/li\u003e\n\u003cli\u003eThe injected XML leads to the unauthorized disclosure of sensitive internal LSVPN satellite configuration data from the firewall.\u003c/li\u003e\n\u003cli\u003eAlternatively, the injected XML could result in the corruption of critical internal LSVPN satellite data, impacting the integrity and availability of VPN operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eIf successfully exploited, this vulnerability allows an unauthenticated attacker with network access to achieve information disclosure or corruption of internal LSVPN satellite data. While Palo Alto Networks reports no awareness of in-the-wild exploitation, the potential for unauthorized access to sensitive VPN configuration details or disruption of VPN services due to data corruption could severely impact an organization's network security and availability. The vulnerability has a CVSSv4 score of 7.8 (MEDIUM), with a high subsequent confidentiality impact, indicating that critical data could be exposed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade affected Palo Alto Networks PAN-OS firewalls to the fixed versions provided for PAN-OS 10.2, 11.1, 11.2, and 12.1.\u003c/li\u003e\n\u003cli\u003eEnsure that Threat Prevention subscription customers enable Threat ID 510031 (from Applications and Threats content version 9122-10145 and later) and apply a vulnerability protection security profile to your GlobalProtect interface.\u003c/li\u003e\n\u003cli\u003eCheck for LSVPN satellite configuration on your PAN-OS firewalls by running \u003ccode\u003eshow config running | match satellite\u003c/code\u003e on the CLI to determine exposure to CVE-2026-0284.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T16:17:42Z","date_published":"2026-07-08T16:17:42Z","id":"https://feed.craftedsignal.io/briefs/2026-07-pan-os-lsvpn-xml-injection/","summary":"An XML injection vulnerability (CVE-2026-0284) in the Large Scale VPN (LSVPN) functionality of Palo Alto Networks PAN-OS software allows an unauthenticated attacker with network access to inject malicious XML content, potentially leading to information disclosure or corruption of internal LSVPN satellite data.","title":"CVE-2026-0284 PAN-OS: XML Injection Vulnerability in Large Scale VPN (LSVPN)","url":"https://feed.craftedsignal.io/briefs/2026-07-pan-os-lsvpn-xml-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - PAN-OS 11.2 (\u003c 11.2.13)","version":"https://jsonfeed.org/version/1.1"}