{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/prisma-access-11.2.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Cloud NGFW","PAN-OS 12.1","PAN-OS 11.2","PAN-OS 11.1","PAN-OS 10.2","Prisma Access 11.2.0","Prisma Access 10.2.0"],"_cs_severities":["high"],"_cs_tags":["network","vulnerability","cve","palo-alto-networks","denial-of-service","remote-code-execution"],"_cs_type":"threat","_cs_vendors":["Palo Alto Networks"],"content_html":"\u003cp\u003ePalo Alto Networks released an advisory regarding CVE-2026-0288, a set of multiple buffer overflow vulnerabilities present in the User-ID Terminal Server Agent (TSA) component of its PAN-OS software, Cloud NGFW, and Prisma Access products. These vulnerabilities allow an unauthenticated attacker, with direct network access to the affected device, to trigger either a denial of service (DoS) condition or, in more severe cases, execute arbitrary code. The issue primarily impacts devices where the TSA is configured and accessible from untrusted networks, emphasizing the importance of adhering to network segmentation best practices. While Palo Alto Networks is not aware of any in-the-wild exploitation, the potential for service disruption or system compromise makes this a significant concern for organizations utilizing vulnerable PAN-OS versions across their security infrastructure. The advisory was published on July 8, 2026, urging immediate attention to patching and mitigation steps.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker gains network access to a vulnerable Palo Alto Networks PAN-OS device, Cloud NGFW, or Prisma Access instance.\u003c/li\u003e\n\u003cli\u003eThe target device or instance has the User-ID Terminal Server Agent (TSA) component configured and exposed, potentially to untrusted networks.\u003c/li\u003e\n\u003cli\u003eThe attacker sends specially crafted network traffic designed to exploit memory handling flaws to the exposed TSA component.\u003c/li\u003e\n\u003cli\u003eThis malicious traffic specifically targets multiple buffer overflow vulnerabilities (CVE-2026-0288) within the TSA's processing functions.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation of these vulnerabilities leads to memory corruption within the TSA process.\u003c/li\u003e\n\u003cli\u003eThe memory corruption causes the TSA component to crash, resulting in a denial of service (DoS) condition on the affected device or instance.\u003c/li\u003e\n\u003cli\u003eIn scenarios where the buffer overflows are precisely controlled, the attacker could potentially achieve arbitrary code execution, granting them control over the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-0288 can lead to a critical denial of service (DoS) condition, rendering the affected Palo Alto Networks PAN-OS device, Cloud NGFW, or Prisma Access instance inoperable. This can disrupt network traffic processing, user identification, and overall security enforcement, leading to significant operational downtime and potential security gaps. In the worst-case scenario, the ability to execute arbitrary code could allow an attacker to gain complete control over the device, facilitating further network penetration, data exfiltration, or installation of persistent backdoors. While no specific victim numbers or targeted sectors are publicly known as of the disclosure, any organization using vulnerable Palo Alto Networks products with an exposed User-ID Terminal Server Agent is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch CVE-2026-0288 by upgrading affected Palo Alto Networks PAN-OS installations to the recommended versions:\u003c/li\u003e\n\u003cli\u003ePAN-OS 12.1: Upgrade to 12.1.4-h8, 12.1.7-h2, 12.1.8 or later.\u003c/li\u003e\n\u003cli\u003ePAN-OS 11.2: Upgrade to 11.2.4-h20, 11.2.7-h18, 11.2.10-h12, 11.2.13 or later.\u003c/li\u003e\n\u003cli\u003ePAN-OS 11.1: Upgrade to 11.1.4-h35, 11.1.6-h35, 11.1.7-h8, 11.1.10-h30, 11.1.13-h9, 11.1.16 or later.\u003c/li\u003e\n\u003cli\u003ePAN-OS 10.2: Upgrade to 10.2.7-h36, 10.2.10-h39, 10.2.13-h23, 10.2.16-h9, 10.2.18-h8 or later.\u003c/li\u003e\n\u003cli\u003ePrisma Access: Await scheduled maintenance or contact Palo Alto Networks Support for an on-demand upgrade if running affected versions like 11.2.0 \u0026lt; 11.2.7-h18 or 10.2.0 \u0026lt; 10.2.10-h39.\u003c/li\u003e\n\u003cli\u003eImplement the recommended mitigation for CVE-2026-0288 by restricting User-ID Terminal Server Agent (TSA) connectivity to only trusted internal IP addresses, preventing its exposure to the internet or untrusted networks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T16:12:23Z","date_published":"2026-07-08T16:12:23Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-0288-pan-os-buffer-overflow/","summary":"Palo Alto Networks has disclosed multiple buffer overflow vulnerabilities (CVE-2026-0288) in their PAN-OS User-ID Terminal Server Agent (TSA) component, which an unauthenticated attacker with network access can exploit by sending specially crafted network traffic to cause a denial of service (DoS) or potentially achieve arbitrary code execution, affecting various versions of PAN-OS, Cloud NGFW, and Prisma Access if the TSA is exposed to untrusted networks.","title":"CVE-2026-0288 PAN-OS: Buffer Overflow Vulnerabilities in User-ID Terminal Server Agent","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-0288-pan-os-buffer-overflow/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PAN-OS 12.1","PAN-OS 11.2","PAN-OS 11.1","PAN-OS 10.2","Prisma Access 11.2.0","Prisma Access 10.2.0","PA-Series","VM-Series","Panorama"],"_cs_severities":["low"],"_cs_tags":["xss","vulnerability","firewall","network-device","web-application"],"_cs_type":"threat","_cs_vendors":["Palo Alto Networks"],"content_html":"\u003cp\u003ePalo Alto Networks has released an advisory concerning CVE-2026-0279, which identifies multiple low-severity cross-site scripting (XSS) vulnerabilities across various components of its PAN-OS software. These vulnerabilities specifically affect the User-ID™ Authentication Portal (also known as Captive Portal), GlobalProtect™ gateway/portal features, and Clientless VPN. An unauthenticated attacker could exploit these flaws to inject and store malicious JavaScript payloads, which would then execute in the context of a legitimate user's browser when they access the vulnerable component. The risk associated with this issue is significantly reduced by adhering to Palo Alto Networks' recommended best practices, which include restricting access to management interfaces and the User-ID Authentication Portal to only trusted internal IP addresses. Cloud NGFW products are not affected. Affected versions include PAN-OS 12.1 prior to 12.1.8, 11.2 prior to 11.2.13, 11.1 prior to 11.1.16, and all 10.2 versions, along with specific Prisma Access versions. No active exploitation has been reported.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Identification\u003c/strong\u003e: An unauthenticated attacker identifies a vulnerable input field or parameter within the User-ID Authentication Portal, GlobalProtect gateway/portal, or Clientless VPN of an exposed PAN-OS device.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Crafting\u003c/strong\u003e: The attacker constructs a malicious JavaScript payload designed to achieve an objective such as session hijacking, credential theft, or redirection to a malicious website.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Injection\u003c/strong\u003e: The crafted JavaScript payload is injected by the attacker into the identified vulnerable component through an unauthenticated network request.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistent Storage\u003c/strong\u003e: The PAN-OS application processes and stores the malicious payload, embedding it within the user-facing content of the vulnerable component.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVictim Interaction\u003c/strong\u003e: A legitimate user accesses the compromised PAN-OS component (e.g., logs into the User-ID Authentication Portal or uses a GlobalProtect feature).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eClient-Side Execution\u003c/strong\u003e: The injected malicious JavaScript is rendered and executed by the victim's web browser as part of the legitimate PAN-OS application interface.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Action\u003c/strong\u003e: The executed JavaScript performs its intended action, potentially leading to unauthorized access to the victim's session, exposure of sensitive information, or further client-side attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerabilities, categorized as low severity, primarily impact the confidentiality and integrity of users interacting with the affected PAN-OS portals and features. While no active exploitation has been reported, successful exploitation could lead to client-side attacks where an attacker executes malicious JavaScript within a victim's browser. This could result in session hijacking, allowing unauthorized access to the victim's user session, or credential theft if the script is designed to capture login information. The overall product confidentiality and integrity are rated as LOW, and availability is rated as NONE, indicating that the vulnerability does not directly compromise the firewall's core functions or lead to denial of service. The impact is minimized when the management interfaces and portal access are restricted to trusted internal networks, as per best practices.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-0279 immediately by upgrading all affected PAN-OS devices and Prisma Access deployments to the specified fixed versions: PAN-OS 12.1.8 or later, PAN-OS 11.2.13 or later, PAN-OS 11.1.16 or later, or a supported fixed version for PAN-OS 10.2. Prisma Access 11.2 should be upgraded to 11.2.7-h18 or later, and Prisma Access 10.2 to 10.2.10-h39 or later.\u003c/li\u003e\n\u003cli\u003eImplement network access restrictions to the management interface and User-ID Authentication Portal according to Palo Alto Networks' best practice deployment guidelines, ensuring access is limited to only trusted internal IP addresses.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T16:10:47Z","date_published":"2026-07-08T16:10:47Z","id":"https://feed.craftedsignal.io/briefs/2026-07-pan-os-xss/","summary":"Palo Alto Networks has disclosed multiple low-severity cross-site scripting (XSS) vulnerabilities, CVE-2026-0279, in PAN-OS software affecting the User-ID Authentication Portal, GlobalProtect gateway/portal features, and Clientless VPN, which could allow a malicious unauthenticated user to inject and execute JavaScript in a victim's browser.","title":"CVE-2026-0279 PAN-OS: Multiple Cross-Site Scripting (XSS) Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2026-07-pan-os-xss/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PAN-OS 12.1","PAN-OS 11.2","PAN-OS 11.1","PAN-OS 10.2","Cloud NGFW","Prisma Access 11.2.0","Prisma Access 10.2.0"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","vulnerability","network","firewall","palo-alto-networks"],"_cs_type":"threat","_cs_vendors":["Palo Alto Networks"],"content_html":"\u003cp\u003ePalo Alto Networks has disclosed multiple denial of service vulnerabilities, tracked as CVE-2026-0287, affecting various versions of its PAN-OS® software, Cloud NGFW, and Prisma Access products. An unauthenticated attacker with network access can trigger a denial of service (DoS) condition by sending specially crafted network traffic to or through a vulnerable dataplane interface. Repeated exploitation of this vulnerability can force the firewall into maintenance mode, disrupting network traffic and service availability. While Cloud NGFW and Prisma Access have built-in resilience, they are still susceptible. This vulnerability, discovered internally, carries a CVSSv4 score of 8.7 (High) and requires immediate patching for affected on-premises PAN-OS installations. Palo Alto Networks is not aware of any in-the-wild exploitation at this time.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker gains network access to a vulnerable Palo Alto Networks PAN-OS dataplane interface.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts and sends specially crafted network traffic designed to exploit CVE-2026-0287.\u003c/li\u003e\n\u003cli\u003eThe vulnerable PAN-OS device processes this malicious traffic through its network traffic processing component.\u003c/li\u003e\n\u003cli\u003eThe specially crafted traffic triggers a denial of service condition within the firewall's operating system.\u003c/li\u003e\n\u003cli\u003eThe DoS condition disrupts the firewall's ability to process legitimate network traffic.\u003c/li\u003e\n\u003cli\u003eRepeated attempts by the attacker to exploit the vulnerability cause the firewall to enter maintenance mode, completely interrupting network availability.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-0287 leads to a denial of service condition, severely degrading or completely interrupting network traffic processing through the affected Palo Alto Networks firewall. If exploited repeatedly, the firewall enters maintenance mode, rendering it inoperable and causing a full network outage. While Cloud NGFW and Prisma Access products have some built-in resilience, they are not immune, potentially leading to service disruptions for cloud-based network security. This vulnerability impacts organizations relying on these firewalls for network segmentation, security policies, and internet connectivity, resulting in significant operational downtime and potential loss of business continuity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePrioritize patching all affected Palo Alto Networks PAN-OS installations to the versions specified in the security advisory to remediate CVE-2026-0287.\u003c/li\u003e\n\u003cli\u003eFor Cloud NGFW and Prisma Access customers, contact Palo Alto Networks Support to schedule an on-demand software upgrade if a more immediate patch is required prior to the next scheduled maintenance cycle as per the CVE-2026-0287 advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T16:07:00Z","date_published":"2026-07-08T16:07:00Z","id":"https://feed.craftedsignal.io/briefs/2026-07-pan-os-dos-cve-2026-0287/","summary":"Multiple denial of service vulnerabilities, tracked as CVE-2026-0287, in Palo Alto Networks PAN-OS software allow an unauthenticated attacker to cause a DoS condition by sending specially crafted network traffic, potentially forcing the firewall into maintenance mode.","title":"CVE-2026-0287 PAN-OS: Denial of Service Vulnerabilities in Network Traffic Processing","url":"https://feed.craftedsignal.io/briefs/2026-07-pan-os-dos-cve-2026-0287/"}],"language":"en","title":"CraftedSignal Threat Feed - Prisma Access 11.2.0","version":"https://jsonfeed.org/version/1.1"}