<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>PAN-OS 12.1 (&lt; 12.1.8) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/pan-os-12.1--12.1.8/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 08 Jul 2026 16:17:42 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/pan-os-12.1--12.1.8/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-0284 PAN-OS: XML Injection Vulnerability in Large Scale VPN (LSVPN)</title><link>https://feed.craftedsignal.io/briefs/2026-07-pan-os-lsvpn-xml-injection/</link><pubDate>Wed, 08 Jul 2026 16:17:42 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-pan-os-lsvpn-xml-injection/</guid><description>An XML injection vulnerability (CVE-2026-0284) in the Large Scale VPN (LSVPN) functionality of Palo Alto Networks PAN-OS software allows an unauthenticated attacker with network access to inject malicious XML content, potentially leading to information disclosure or corruption of internal LSVPN satellite data.</description><content:encoded><![CDATA[<p>An XML injection vulnerability (CVE-2026-0284) exists in the Large Scale VPN (LSVPN) functionality of Palo Alto Networks PAN-OS software, allowing an unauthenticated attacker with network access to inject malicious XML content. This can lead to information disclosure or corruption of internal LSVPN satellite data. The vulnerability, discovered internally and published on July 8, 2026, impacts firewalls running specific versions of PAN-OS 10.2.x, 11.1.x, 11.2.x, and 12.1.x. Exposure is limited to devices actively using LSVPN with configured satellites. Palo Alto Networks is currently unaware of any malicious exploitation in the wild, but the low attack complexity and lack of user interaction make this a significant concern for vulnerable deployments, necessitating prompt patching to mitigate potential data compromise or service disruption.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker gains network access to a vulnerable Palo Alto Networks PAN-OS firewall running LSVPN with configured satellites.</li>
<li>The attacker identifies the LSVPN functionality exposed through GlobalProtect portals, which is susceptible to XML injection.</li>
<li>The attacker crafts a specialized network request containing malicious XML content designed for injection into the LSVPN communication protocol.</li>
<li>This crafted XML payload is transmitted to the vulnerable PAN-OS device's LSVPN interface via the network.</li>
<li>Due to the XML injection vulnerability (CVE-2026-0284), the PAN-OS firewall incorrectly parses and processes the attacker's malicious XML.</li>
<li>The injected XML leads to the unauthorized disclosure of sensitive internal LSVPN satellite configuration data from the firewall.</li>
<li>Alternatively, the injected XML could result in the corruption of critical internal LSVPN satellite data, impacting the integrity and availability of VPN operations.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>If successfully exploited, this vulnerability allows an unauthenticated attacker with network access to achieve information disclosure or corruption of internal LSVPN satellite data. While Palo Alto Networks reports no awareness of in-the-wild exploitation, the potential for unauthorized access to sensitive VPN configuration details or disruption of VPN services due to data corruption could severely impact an organization's network security and availability. The vulnerability has a CVSSv4 score of 7.8 (MEDIUM), with a high subsequent confidentiality impact, indicating that critical data could be exposed.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade affected Palo Alto Networks PAN-OS firewalls to the fixed versions provided for PAN-OS 10.2, 11.1, 11.2, and 12.1.</li>
<li>Ensure that Threat Prevention subscription customers enable Threat ID 510031 (from Applications and Threats content version 9122-10145 and later) and apply a vulnerability protection security profile to your GlobalProtect interface.</li>
<li>Check for LSVPN satellite configuration on your PAN-OS firewalls by running <code>show config running | match satellite</code> on the CLI to determine exposure to CVE-2026-0284.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">threat</category><category>vulnerability</category><category>xml-injection</category><category>pan-os</category><category>network-device</category></item></channel></rss>