<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>PAN-OS 12.1 — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/pan-os-12.1/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 13 May 2026 16:08:13 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/pan-os-12.1/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-0264 PAN-OS Heap-Based Buffer Overflow in DNS Proxy Allows RCE</title><link>https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0264-panos-rce/</link><pubDate>Wed, 13 May 2026 16:08:13 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0264-panos-rce/</guid><description>CVE-2026-0264 is a heap-based buffer overflow vulnerability in Palo Alto Networks PAN-OS DNS proxy and DNS server features, allowing an unauthenticated attacker with network access to cause denial of service or potentially execute arbitrary code by sending crafted network traffic.</description><content:encoded><![CDATA[<p>A heap-based buffer overflow vulnerability, CVE-2026-0264, exists in the DNS proxy and DNS Server features of Palo Alto Networks PAN-OS software. An unauthenticated attacker with network access can exploit this vulnerability to cause a denial of service (DoS) condition on PAN-OS platforms (excluding Cloud NGFW and Prisma Access) or potentially achieve arbitrary code execution (ACE) on PA-Series hardware. The vulnerability affects PAN-OS versions 10.2, 11.1, 11.2, and 12.1. 
Specifically, it impacts devices where DNS Proxy is enabled and bound to a network interface, or where the DNS server configured on the NGFW is an untrusted public IP address that an attacker could control. The risk is heightened when the DNS Proxy interface is exposed to an untrusted network. Palo Alto Networks is not aware of any malicious exploitation of this issue at the time of disclosure.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a vulnerable PAN-OS firewall with DNS Proxy enabled and exposed to an untrusted network.</li>
<li>The attacker crafts a malicious DNS query designed to trigger a heap-based buffer overflow.</li>
<li>The attacker sends the specially crafted DNS query to the vulnerable PAN-OS firewall.</li>
<li>The PAN-OS firewall&rsquo;s DNS proxy processes the malicious DNS query.</li>
<li>The buffer overflow occurs during the processing of the query in the DNS proxy or DNS server feature.</li>
<li>On PA-Series hardware firewalls, the overflow lets the attacker corrupt adjacent heap memory and redirect execution to attacker-controlled code.</li>
<li>That code executes on the firewall, granting the attacker control over the device.</li>
<li>On other affected PAN-OS platforms, such as VM-Series, the same memory corruption instead produces a denial-of-service condition, disrupting the firewall&rsquo;s operation.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-0264 can lead to a denial-of-service condition on vulnerable PAN-OS firewalls, impacting network availability and security. On PA-Series hardware firewalls, successful exploitation could allow an unauthenticated attacker to achieve arbitrary code execution, potentially leading to full system compromise and unauthorized access to sensitive data. The vendor is not aware of active exploitation as of the date of disclosure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade PAN-OS to a fixed version as specified in the Palo Alto Networks advisory for CVE-2026-0264: 12.1.7, 12.1.4-h5, 11.2.12, 11.2.10-h6, 11.2.7-h13, 11.2.4-h17, 11.1.15, 11.1.13-h5, 11.1.10-h25, 11.1.7-h6, 11.1.6-h32, 11.1.4-h33, 10.2.18-h6, 10.2.16-h7, 10.2.13-h21, 10.2.10-h36, or 10.2.7-h34.</li>
<li>As a workaround, disassociate DNS Proxy from externally accessible interfaces or disable the DNS Proxy feature (Network &gt; DNS Proxy), and point the NGFW&rsquo;s DNS server setting at an RFC 1918 address or a trusted public IP address.</li>
<li>Enable Threat ID 510027 with Applications and Threats content version 9100-10044 or later to block attacks targeting this vulnerability if you have a Threat Prevention subscription.</li>
<li>Monitor network traffic for suspicious DNS queries, particularly those with unusual length or structure, which may indicate exploitation attempts.</li>
</ul>
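<p>The monitoring item above asks for DNS queries of "unusual length or structure" to be spotted. As an added example, and not code from this brief or from Palo Alto Networks, the Python below parses the question section of a DNS query in RFC 1035 wire format and reports the structural faults a naive proxy parser would trip over: a label whose length byte claims more bytes than remain in the packet, a compression pointer that loops or points forward, a reserved length prefix, a name over 255 octets, or a truncated header. The sample packets are constructed inline; nothing here encodes the actual CVE-2026-0264 trigger, which the advisory does not describe.</p>

```python
import struct

DNS_HEADER_LEN = 12
MAX_NAME_LEN = 255      # RFC 1035 limit on a full domain name in wire form


def build_query(name, qtype=1, txid=0x1234):
    """Constructed sample: a well-formed DNS query for `name` (A record by default)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    return header + qname + struct.pack("!HH", qtype, 1)        # QCLASS=IN


def parse_name(pkt, offset):
    """Walk one (possibly compressed) name starting at `offset`.

    Returns (name, offset_after_name, findings). Every place where a naive
    parser would read past the buffer or spin forever produces a finding
    instead of being trusted.
    """
    findings, labels, total, seen = [], [], 0, set()
    resume = None            # where the caller continues after a pointer jump
    while True:
        if offset >= len(pkt):
            findings.append("truncated: name runs past end of packet")
            break
        length = pkt[offset]
        if length == 0:      # root label terminates the name
            offset += 1
            break
        if length & 0xC0 == 0xC0:                    # compression pointer
            if offset + 1 >= len(pkt):
                findings.append("truncated: compression pointer cut off")
                break
            target = ((length & 0x3F) << 8) | pkt[offset + 1]
            if target in seen or target >= offset:   # must point strictly backwards
                findings.append(f"compression pointer loop/forward reference to {target}")
                break
            seen.add(target)
            if resume is None:
                resume = offset + 2
            offset = target
            continue
        if length & 0xC0:                            # 0x40/0x80 prefixes are reserved
            findings.append(f"invalid label length byte 0x{length:02x} at offset {offset}")
            break
        if offset + 1 + length > len(pkt):           # the classic over-read trigger
            findings.append(f"label claims {length} bytes but only {len(pkt) - offset - 1} remain")
            break
        labels.append(pkt[offset + 1:offset + 1 + length])
        total += 1 + length
        offset += 1 + length
    if total + 1 > MAX_NAME_LEN:
        findings.append(f"name length {total + 1} exceeds {MAX_NAME_LEN}")
    name = b".".join(labels).decode("ascii", "replace")
    return name, (resume if resume is not None else offset), findings


def inspect_query(pkt):
    """Return a list of structural anomalies in a DNS query; [] means it looks sane."""
    if len(pkt) < DNS_HEADER_LEN:
        return [f"short packet: {len(pkt)} bytes, header needs {DNS_HEADER_LEN}"]
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:DNS_HEADER_LEN])
    findings = []
    if flags & 0x8000:
        findings.append("QR bit set: this is a response, not a query")
    if qdcount != 1:
        findings.append(f"QDCOUNT={qdcount}, queries normally carry exactly 1")
    offset = DNS_HEADER_LEN
    for _ in range(qdcount):
        _name, offset, name_findings = parse_name(pkt, offset)
        findings.extend(name_findings)
        if name_findings:
            break
        if offset + 4 > len(pkt):
            findings.append("truncated: question is missing QTYPE/QCLASS")
            break
        offset += 4
    return findings


if __name__ == "__main__":
    good = build_query("example.com")
    hdr = good[:DNS_HEADER_LEN]
    samples = {                                      # all constructed for the demo
        "well-formed": good,
        "over-long label": hdr + b"\x3cabc",         # claims 60 bytes, 3 present
        "pointer loop": hdr + b"\xc0\x0c",           # points at itself
        "reserved prefix": hdr + b"\x7fabc",
        "name > 255": build_query(".".join(["a" * 63] * 4)),
    }
    for label, pkt in samples.items():
        print(f"{label:16s} {inspect_query(pkt) or 'ok'}")
```

<p>Only the question section is walked; answer and additional records (including an EDNS OPT record) are not parsed, so a finding of <code>[]</code> means the query header and question are well-formed, not that the whole message is. The checks are the ones an IDS rule or a pcap triage script would apply; they are deliberately independent of any particular payload.</p>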
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>cve</category><category>heap-overflow</category><category>rce</category><category>dos</category><category>network</category></item><item><title>CVE-2026-0263 PAN-OS: Remote Code Execution (RCE) in IKEv2 Processing</title><link>https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0263-panos-rce/</link><pubDate>Wed, 13 May 2026 16:07:03 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0263-panos-rce/</guid><description>A buffer overflow vulnerability in Palo Alto Networks PAN-OS IKEv2 processing (CVE-2026-0263) allows unauthenticated network-based attackers to execute arbitrary code with elevated privileges or cause a denial of service, affecting versions 12.1, 11.2, and 11.1 when configured with Post Quantum Cryptography (PQC).</description><content:encoded><![CDATA[<p>CVE-2026-0263 is a buffer overflow vulnerability affecting Palo Alto Networks PAN-OS software. This vulnerability resides in the processing of IKEv2 when Post Quantum Cryptography (PQC) is enabled. An unauthenticated, network-based attacker can exploit this flaw to achieve remote code execution (RCE) with elevated privileges on the firewall or trigger a denial-of-service (DoS) condition. The vulnerability impacts PAN-OS versions 12.1 prior to 12.1.4-h5 and 12.1.7, 11.2 prior to 11.2.4-h17, 11.2.7-h13, 11.2.10-h6 and 11.2.12, and 11.1 prior to 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5 and 11.1.15. Exploitation requires the use of IKEv2 VPN tunnels configured with PQC. Panorama, Cloud NGFW, and Prisma Access are not affected by this vulnerability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker sends a crafted IKEv2 packet to a vulnerable PAN-OS firewall.</li>
<li>The firewall processes the malicious IKEv2 packet using the vulnerable IKEv2 processing module.</li>
<li>Due to the buffer overflow in the IKEv2 processing logic when PQC is enabled, the attacker&rsquo;s payload overwrites adjacent memory regions.</li>
<li>The overwritten region holds control data, such as a function pointer or a saved return address, or other state the process depends on.</li>
<li>By controlling that data the attacker redirects execution flow and runs attacker-supplied code with elevated privileges on the firewall.</li>
<li>Alternatively, the corruption crashes the process, producing a denial-of-service condition on the affected firewall.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-0263 allows an unauthenticated attacker to execute arbitrary code with elevated privileges on the firewall. This can lead to complete system compromise, including data exfiltration, modification of firewall policies, and disruption of network services. Alternatively, the attacker can cause a denial-of-service (DoS) condition, impacting network availability and business operations.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade PAN-OS to the fixed versions: 12.1.4-h5 or later, 12.1.7 or later, 11.2.4-h17 or later, 11.2.7-h13 or later, 11.2.10-h6 or later, 11.2.12 or later, 11.1.4-h33 or later, 11.1.6-h32 or later, 11.1.7-h6 or later, 11.1.10-h25 or later, 11.1.13-h5 or later, 11.1.15 or later, as detailed in the Palo Alto Networks advisory for CVE-2026-0263.</li>
<li>If upgrading is not immediately possible, mitigate the vulnerability by configuring IKEv2 VPN tunnels only with NIST-approved Post Quantum Cryptography (PQC) ciphers, as mentioned in the advisory for CVE-2026-0263.</li>
<li>Monitor network traffic for anomalous IKEv2 packets, especially those with unusual sizes or structures, using network intrusion detection systems (NIDS).</li>
</ul>
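<p>The fixed-version lists for CVE-2026-0263 above and for CVE-2026-0264 in the previous brief are easy to misread: each release train carries several hotfixed maintenance releases, and a maintenance release that sits between two of them (for example 12.1.5) has no fix at all. As an added example, not code from the briefs or from Palo Alto Networks, the Python below encodes both lists and answers "is this running version at or past a fix?" under the reading that a fix entry without a hotfix suffix covers that maintenance release and everything later in the train, while a hotfix entry covers only that maintenance release from that hotfix upward. The version-string format (<code>major.minor.maint[-hN]</code>) is an assumption about PAN-OS numbering; candidate builds (<code>-cN</code>) are rejected rather than guessed at, and a train the brief does not list comes back as <code>not-listed</code> so you consult the advisory instead of trusting the script.</p>

```python
import re

# Fixed releases exactly as listed in the two briefs on this page.
FIXED = {
    "CVE-2026-0264": [
        "12.1.7", "12.1.4-h5",
        "11.2.12", "11.2.10-h6", "11.2.7-h13", "11.2.4-h17",
        "11.1.15", "11.1.13-h5", "11.1.10-h25", "11.1.7-h6", "11.1.6-h32", "11.1.4-h33",
        "10.2.18-h6", "10.2.16-h7", "10.2.13-h21", "10.2.10-h36", "10.2.7-h34",
    ],
    "CVE-2026-0263": [
        "12.1.4-h5", "12.1.7",
        "11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12",
        "11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15",
    ],
}

# Assumed PAN-OS numbering: major.minor.maintenance with an optional -hN hotfix.
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Return (major, minor, maint, hotfix); hotfix is 0 when absent."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), (int(hotfix) if hotfix else 0)


def status(running, cve):
    """'fixed', 'vulnerable', or 'not-listed' (train absent from the brief's fix list)."""
    r_major, r_minor, r_maint, r_hot = parse_version(running)
    train = [f for f in map(parse_version, FIXED[cve]) if f[:2] == (r_major, r_minor)]
    if not train:
        return "not-listed"
    for _, _, f_maint, f_hot in train:
        if f_hot == 0 and r_maint >= f_maint:          # plain release: covers later ones
            return "fixed"
        if f_hot and r_maint == f_maint and r_hot >= f_hot:   # hotfix: same release only
            return "fixed"
    return "vulnerable"


def report(running):
    """Status of one running version against every CVE on this page."""
    return {cve: status(running, cve) for cve in FIXED}


if __name__ == "__main__":
    # Constructed inputs; replace with the output of `show system info` (sw-version).
    for v in ["12.1.4-h5", "12.1.5", "11.2.10-h5", "11.1.15", "10.2.7-h34"]:
        print(f"{v:12s} {report(v)}")
```

<p>Run it against the <code>sw-version</code> value from <code>show system info</code> on each firewall. A <code>vulnerable</code> result on an in-between maintenance release means the path forward is the next listed fix for that train, not a hotfix for the release you are on.</p>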
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>rce</category><category>dos</category><category>ikev2</category><category>palo-alto-networks</category><category>firewall</category></item><item><title>CVE-2026-0256 PAN-OS Stored Cross-Site Scripting (XSS) Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0256-panos-xss/</link><pubDate>Wed, 13 May 2026 16:06:36 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0256-panos-xss/</guid><description>A stored cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS allows a malicious authenticated administrator to inject a JavaScript payload via the web interface, potentially impacting other administrators.</description><content:encoded><![CDATA[<p>CVE-2026-0256 is a stored cross-site scripting (XSS) vulnerability affecting Palo Alto Networks PAN-OS software. This vulnerability resides in the web interface and enables a malicious, authenticated administrator to inject and store a JavaScript payload. The injected payload can then be executed in the context of other administrators who interact with the affected part of the web interface. This issue impacts PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series). Cloud NGFW and Prisma Access are not affected. Palo Alto Networks is not aware of any malicious exploitation of this issue.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains high-privileged administrative access to a vulnerable PAN-OS device.</li>
<li>The attacker crafts a malicious JavaScript payload.</li>
<li>The attacker authenticates to the PAN-OS web interface.</li>
<li>The attacker navigates to a vulnerable section of the web interface that allows storing data.</li>
<li>The attacker injects the crafted JavaScript payload into a field that is saved to the PAN-OS configuration.</li>
<li>Another administrator authenticates to the PAN-OS web interface.</li>
<li>The second administrator navigates to the section of the web interface where the malicious JavaScript payload is stored.</li>
<li>The stored JavaScript payload executes within the second administrator&rsquo;s browser session, potentially leading to session hijacking, credential theft, or other malicious actions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this stored XSS vulnerability (CVE-2026-0256) allows a malicious administrator to execute arbitrary JavaScript code within the browser of other administrators. This could lead to the compromise of administrative accounts, unauthorized configuration changes, or the exfiltration of sensitive information. While the vulnerability requires high privileges to inject the payload, the impact on other administrators could be significant.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade PAN-OS to a fixed version as specified in the Palo Alto Networks advisory to remediate CVE-2026-0256. Refer to the &ldquo;Solution&rdquo; section of the advisory for specific version recommendations.</li>
<li>Customers with a Threat Prevention subscription can enable Threat ID 510020 (from Applications and Threats content version 9100-10044 and later) to block attacks for this vulnerability, as mentioned in the &ldquo;Workarounds and Mitigations&rdquo; section.</li>
<li>Implement the mitigations described in the advisory, such as routing incoming traffic for the MGT port through a DP port, replacing the Certificate for Inbound Traffic Management, decrypting inbound traffic to the management interface, and enabling threat prevention on the inbound traffic to management services.</li>
</ul>
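<p>The attack chain above ends with a JavaScript payload saved into a configuration field and later rendered for another administrator. One practical post-disclosure check is to audit a configuration export for such payloads before they are viewed in the web interface. The Python below is an added example, not code from this brief or from Palo Alto Networks: it walks every element text and attribute in an XML document and flags values containing an HTML tag, an inline event handler, a <code>javascript:</code> URI, or a second layer of entity encoding. The XML it scans is a constructed sample whose layout only loosely resembles a PAN-OS export, so the element paths in the output are illustrative. Values are inspected after XML entity decoding, which is how the web interface would see them.</p>

```python
import re
import xml.etree.ElementTree as ET

# Patterns that have no business in a firewall object description but are
# exactly what a stored-XSS payload needs. Checked after entity decoding, so
# "&lt;script&gt;" in the export is seen here as "<script>". A bare "<" followed
# by whitespace is not a tag to an HTML parser and is deliberately not flagged.
SUSPICIOUS = (
    (re.compile(r"</?[a-z!?]", re.I), "html-tag"),
    (re.compile(r"\bon[a-z]+\s*=", re.I), "event-handler"),
    (re.compile(r"javascript\s*:", re.I), "javascript-uri"),
    (re.compile(r"&#x?[0-9a-f]+;|&lt;", re.I), "double-encoded"),
)


def classify(value):
    """Labels of every suspicious pattern present in one string (empty if clean)."""
    return [label for rx, label in SUSPICIOUS if rx.search(value)]


def audit_config(xml_text):
    """Walk every element text and attribute; return (path, value, labels) for each hit."""
    root = ET.fromstring(xml_text)
    hits = []

    def walk(elem, path):
        for attr, val in elem.attrib.items():
            labels = classify(val)
            if labels:
                hits.append((f"{path}/@{attr}", val, labels))
        text = (elem.text or "").strip()
        if text:
            labels = classify(text)
            if labels:
                hits.append((path, text, labels))
        for child in elem:
            name = child.get("name")          # PAN-OS keys list entries by name=
            seg = f"{child.tag}[@name='{name}']" if name else child.tag
            walk(child, f"{path}/{seg}")

    walk(root, root.tag)
    return hits


# Constructed sample export: one poisoned address-object description, one
# benign description that happens to contain "<" and quotes.
SAMPLE_CONFIG = """<config version="12.1.0">
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <address>
      <entry name="web-srv"><ip-netmask>10.0.0.5/32</ip-netmask>
        <description>Front-end web server</description></entry>
      <entry name="db-srv"><ip-netmask>10.0.0.6/32</ip-netmask>
        <description>&lt;img src=x onerror=alert(document.cookie)&gt;</description></entry>
    </address>
    <rulebase><security><rules>
      <entry name="allow-web"><description>Allow &quot;web&quot; traffic a &lt; b</description></entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>"""


if __name__ == "__main__":
    for path, value, labels in audit_config(SAMPLE_CONFIG):
        print(f"{', '.join(labels):24s} {path}\n    {value!r}")
```

<p>Feed it the XML produced by an export of the running or candidate configuration, then review each hit by hand: the patterns are heuristics and a legitimate description can trip them, but a hit in a field that other administrators will view is worth checking before they open that page on an unpatched release. The audit complements the upgrade; it does not replace it, since the fix is in how the web interface encodes stored values on output.</p>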
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>xss</category><category>cve</category><category>web-interface</category></item></channel></rss>