<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Prisma Access 11.2.0 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/prisma-access-11.2.0/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 08 Jul 2026 16:12:23 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/prisma-access-11.2.0/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-0288 PAN-OS: Buffer Overflow Vulnerabilities in User-ID Terminal Server Agent</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-0288-pan-os-buffer-overflow/</link><pubDate>Wed, 08 Jul 2026 16:12:23 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-0288-pan-os-buffer-overflow/</guid><description>Palo Alto Networks has disclosed multiple buffer overflow vulnerabilities (CVE-2026-0288) in their PAN-OS User-ID Terminal Server Agent (TSA) component, which an unauthenticated attacker with network access can exploit by sending specially crafted network traffic to cause a denial of service (DoS) or potentially achieve arbitrary code execution, affecting various versions of PAN-OS, Cloud NGFW, and Prisma Access if the TSA is exposed to untrusted networks.</description><content:encoded><![CDATA[<p>Palo Alto Networks released an advisory regarding CVE-2026-0288, a set of multiple buffer overflow vulnerabilities present in the User-ID Terminal Server Agent (TSA) component of its PAN-OS software, Cloud NGFW, and Prisma Access products. These vulnerabilities allow an unauthenticated attacker, with direct network access to the affected device, to trigger either a denial of service (DoS) condition or, in more severe cases, execute arbitrary code. The issue primarily impacts devices where the TSA is configured and accessible from untrusted networks, emphasizing the importance of adhering to network segmentation best practices. While Palo Alto Networks is not aware of any in-the-wild exploitation, the potential for service disruption or system compromise makes this a significant concern for organizations utilizing vulnerable PAN-OS versions across their security infrastructure. The advisory was published on July 8, 2026, urging immediate attention to patching and mitigation steps.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker gains network access to a vulnerable Palo Alto Networks PAN-OS device, Cloud NGFW, or Prisma Access instance.</li>
<li>The target device or instance has the User-ID Terminal Server Agent (TSA) component configured and exposed, potentially to untrusted networks.</li>
<li>The attacker sends specially crafted network traffic designed to exploit memory handling flaws to the exposed TSA component.</li>
<li>This malicious traffic specifically targets multiple buffer overflow vulnerabilities (CVE-2026-0288) within the TSA's processing functions.</li>
<li>Successful exploitation of these vulnerabilities leads to memory corruption within the TSA process.</li>
<li>The memory corruption causes the TSA component to crash, resulting in a denial of service (DoS) condition on the affected device or instance.</li>
<li>In scenarios where the buffer overflows are precisely controlled, the attacker could potentially achieve arbitrary code execution, granting them control over the compromised system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-0288 can lead to a critical denial of service (DoS) condition, rendering the affected Palo Alto Networks PAN-OS device, Cloud NGFW, or Prisma Access instance inoperable. This can disrupt network traffic processing, user identification, and overall security enforcement, leading to significant operational downtime and potential security gaps. In the worst-case scenario, the ability to execute arbitrary code could allow an attacker to gain complete control over the device, facilitating further network penetration, data exfiltration, or installation of persistent backdoors. While no specific victim numbers or targeted sectors are publicly known as of the disclosure, any organization using vulnerable Palo Alto Networks products with an exposed User-ID Terminal Server Agent is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch CVE-2026-0288 by upgrading affected Palo Alto Networks PAN-OS installations to the recommended versions:</li>
<li>PAN-OS 12.1: Upgrade to 12.1.4-h8, 12.1.7-h2, 12.1.8 or later.</li>
<li>PAN-OS 11.2: Upgrade to 11.2.4-h20, 11.2.7-h18, 11.2.10-h12, 11.2.13 or later.</li>
<li>PAN-OS 11.1: Upgrade to 11.1.4-h35, 11.1.6-h35, 11.1.7-h8, 11.1.10-h30, 11.1.13-h9, 11.1.16 or later.</li>
<li>PAN-OS 10.2: Upgrade to 10.2.7-h36, 10.2.10-h39, 10.2.13-h23, 10.2.16-h9, 10.2.18-h8 or later.</li>
<li>Prisma Access: Await scheduled maintenance or contact Palo Alto Networks Support for an on-demand upgrade if running affected versions like 11.2.0 &lt; 11.2.7-h18 or 10.2.0 &lt; 10.2.10-h39.</li>
<li>Implement the recommended mitigation for CVE-2026-0288 by restricting User-ID Terminal Server Agent (TSA) connectivity to only trusted internal IP addresses, preventing its exposure to the internet or untrusted networks.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>network</category><category>vulnerability</category><category>cve</category><category>palo-alto-networks</category><category>denial-of-service</category><category>remote-code-execution</category></item><item><title>CVE-2026-0279 PAN-OS: Multiple Cross-Site Scripting (XSS) Vulnerabilities</title><link>https://feed.craftedsignal.io/briefs/2026-07-pan-os-xss/</link><pubDate>Wed, 08 Jul 2026 16:10:47 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-pan-os-xss/</guid><description>Palo Alto Networks has disclosed multiple low-severity cross-site scripting (XSS) vulnerabilities, CVE-2026-0279, in PAN-OS software affecting the User-ID Authentication Portal, GlobalProtect gateway/portal features, and Clientless VPN, which could allow a malicious unauthenticated user to inject and execute JavaScript in a victim's browser.</description><content:encoded><![CDATA[<p>Palo Alto Networks has released an advisory concerning CVE-2026-0279, which identifies multiple low-severity cross-site scripting (XSS) vulnerabilities across various components of its PAN-OS software. These vulnerabilities specifically affect the User-ID™ Authentication Portal (also known as Captive Portal), GlobalProtect™ gateway/portal features, and Clientless VPN. An unauthenticated attacker could exploit these flaws to inject and store malicious JavaScript payloads, which would then execute in the context of a legitimate user's browser when they access the vulnerable component. The risk associated with this issue is significantly reduced by adhering to Palo Alto Networks' recommended best practices, which include restricting access to management interfaces and the User-ID Authentication Portal to only trusted internal IP addresses. Cloud NGFW products are not affected. Affected versions include PAN-OS 12.1 prior to 12.1.8, 11.2 prior to 11.2.13, 11.1 prior to 11.1.16, and all 10.2 versions, along with specific Prisma Access versions. No active exploitation has been reported.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Vulnerability Identification</strong>: An unauthenticated attacker identifies a vulnerable input field or parameter within the User-ID Authentication Portal, GlobalProtect gateway/portal, or Clientless VPN of an exposed PAN-OS device.</li>
<li><strong>Payload Crafting</strong>: The attacker constructs a malicious JavaScript payload designed to achieve an objective such as session hijacking, credential theft, or redirection to a malicious website.</li>
<li><strong>Payload Injection</strong>: The crafted JavaScript payload is injected by the attacker into the identified vulnerable component through an unauthenticated network request.</li>
<li><strong>Persistent Storage</strong>: The PAN-OS application processes and stores the malicious payload, embedding it within the user-facing content of the vulnerable component.</li>
<li><strong>Victim Interaction</strong>: A legitimate user accesses the compromised PAN-OS component (e.g., logs into the User-ID Authentication Portal or uses a GlobalProtect feature).</li>
<li><strong>Client-Side Execution</strong>: The injected malicious JavaScript is rendered and executed by the victim's web browser as part of the legitimate PAN-OS application interface.</li>
<li><strong>Malicious Action</strong>: The executed JavaScript performs its intended action, potentially leading to unauthorized access to the victim's session, exposure of sensitive information, or further client-side attacks.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The vulnerabilities, categorized as low severity, primarily impact the confidentiality and integrity of users interacting with the affected PAN-OS portals and features. While no active exploitation has been reported, successful exploitation could lead to client-side attacks where an attacker executes malicious JavaScript within a victim's browser. This could result in session hijacking, allowing unauthorized access to the victim's user session, or credential theft if the script is designed to capture login information. The overall product confidentiality and integrity are rated as LOW, and availability is rated as NONE, indicating that the vulnerability does not directly compromise the firewall's core functions or lead to denial of service. The impact is minimized when the management interfaces and portal access are restricted to trusted internal networks, as per best practices.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-0279 immediately by upgrading all affected PAN-OS devices and Prisma Access deployments to the specified fixed versions: PAN-OS 12.1.8 or later, PAN-OS 11.2.13 or later, PAN-OS 11.1.16 or later, or a supported fixed version for PAN-OS 10.2. Prisma Access 11.2 should be upgraded to 11.2.7-h18 or later, and Prisma Access 10.2 to 10.2.10-h39 or later.</li>
<li>Implement network access restrictions to the management interface and User-ID Authentication Portal according to Palo Alto Networks' best practice deployment guidelines, ensuring access is limited to only trusted internal IP addresses.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">threat</category><category>xss</category><category>vulnerability</category><category>firewall</category><category>network-device</category><category>web-application</category></item><item><title>CVE-2026-0287 PAN-OS: Denial of Service Vulnerabilities in Network Traffic Processing</title><link>https://feed.craftedsignal.io/briefs/2026-07-pan-os-dos-cve-2026-0287/</link><pubDate>Wed, 08 Jul 2026 16:07:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-pan-os-dos-cve-2026-0287/</guid><description>Multiple denial of service vulnerabilities, tracked as CVE-2026-0287, in Palo Alto Networks PAN-OS software allow an unauthenticated attacker to cause a DoS condition by sending specially crafted network traffic, potentially forcing the firewall into maintenance mode.</description><content:encoded><![CDATA[<p>Palo Alto Networks has disclosed multiple denial of service vulnerabilities, tracked as CVE-2026-0287, affecting various versions of its PAN-OS® software, Cloud NGFW, and Prisma Access products. An unauthenticated attacker with network access can trigger a denial of service (DoS) condition by sending specially crafted network traffic to or through a vulnerable dataplane interface. Repeated exploitation of this vulnerability can force the firewall into maintenance mode, disrupting network traffic and service availability. While Cloud NGFW and Prisma Access have built-in resilience, they are still susceptible. This vulnerability, discovered internally, carries a CVSSv4 score of 8.7 (High) and requires immediate patching for affected on-premises PAN-OS installations. Palo Alto Networks is not aware of any in-the-wild exploitation at this time.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker gains network access to a vulnerable Palo Alto Networks PAN-OS dataplane interface.</li>
<li>The attacker crafts and sends specially crafted network traffic designed to exploit CVE-2026-0287.</li>
<li>The vulnerable PAN-OS device processes this malicious traffic through its network traffic processing component.</li>
<li>The specially crafted traffic triggers a denial of service condition within the firewall's operating system.</li>
<li>The DoS condition disrupts the firewall's ability to process legitimate network traffic.</li>
<li>Repeated attempts by the attacker to exploit the vulnerability cause the firewall to enter maintenance mode, completely interrupting network availability.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-0287 leads to a denial of service condition, severely degrading or completely interrupting network traffic processing through the affected Palo Alto Networks firewall. If exploited repeatedly, the firewall enters maintenance mode, rendering it inoperable and causing a full network outage. While Cloud NGFW and Prisma Access products have some built-in resilience, they are not immune, potentially leading to service disruptions for cloud-based network security. This vulnerability impacts organizations relying on these firewalls for network segmentation, security policies, and internet connectivity, resulting in significant operational downtime and potential loss of business continuity.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Prioritize patching all affected Palo Alto Networks PAN-OS installations to the versions specified in the security advisory to remediate CVE-2026-0287.</li>
<li>For Cloud NGFW and Prisma Access customers, contact Palo Alto Networks Support to schedule an on-demand software upgrade if a more immediate patch is required prior to the next scheduled maintenance cycle as per the CVE-2026-0287 advisory.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">threat</category><category>denial-of-service</category><category>vulnerability</category><category>network</category><category>firewall</category><category>palo-alto-networks</category></item></channel></rss>