{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/prisma-access-agent/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Prisma Access Agent"],"_cs_severities":["medium"],"_cs_tags":["cve-2026-0245","information-disclosure","prisma-access-agent"],"_cs_type":"advisory","_cs_vendors":["Palo Alto Networks"],"content_html":"\u003cp\u003ePalo Alto Networks has disclosed CVE-2026-0245, a set of information disclosure vulnerabilities affecting Prisma Access Agent versions prior to 26.2.1 on macOS and Windows. A local attacker with low privileges could potentially exploit these vulnerabilities to gain access to sensitive configuration data and credentials stored by the agent. The Prisma Access Agent versions running on Linux, Android, ChromeOS, and iOS are not affected. 
Palo Alto Networks is not aware of any malicious exploitation of these issues.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA local user gains access to a system with a vulnerable version of Prisma Access Agent installed (versions \u0026lt; 26.2.1 on macOS or Windows).\u003c/li\u003e\n\u003cli\u003eRunning as an ordinary, unprivileged local account, the attacker interacts with the agent and the data it stores on the host; no elevated rights are needed, which is why the attack complexity is low.\u003c/li\u003e\n\u003cli\u003eBecause the agent does not adequately restrict access to that data, the attacker can read configuration files or other agent-held data that should be limited to privileged accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts sensitive information, which may include credentials, API keys, or other configuration parameters.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the disclosed data to identify valuable assets or potential attack vectors within the organization\u0026rsquo;s network.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the stolen credentials to impersonate legitimate users or services, gaining unauthorized access to protected resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-0245 allows a local attacker to access sensitive configuration data and credentials stored by the Prisma Access Agent. 
This information could be used to gain unauthorized access to the organization\u0026rsquo;s network or cloud resources, potentially leading to data breaches, service disruptions, or other security incidents.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Prisma Access Agent to version 26.2.1 or later on macOS and Windows systems to remediate CVE-2026-0245.\u003c/li\u003e\n\u003cli\u003eMonitor for reads of Prisma Access Agent configuration files by accounts or processes other than the agent itself.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Prisma Access Agent Configuration Access\u003c/code\u003e to detect potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:08:37Z","date_published":"2026-05-13T16:08:37Z","id":"https://feed.craftedsignal.io/briefs/2026-05-prisma-access-info-disclosure/","summary":"CVE-2026-0245 describes multiple information disclosure vulnerabilities in Palo Alto Networks Prisma Access Agent before version 26.2.1 on macOS and Windows, allowing a local user to access sensitive configuration data and credentials.","title":"CVE-2026-0245 Prisma Access Agent Information Disclosure Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-prisma-access-info-disclosure/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Prisma Access Agent"],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","cve"],"_cs_type":"advisory","_cs_vendors":["Palo Alto Networks"],"content_html":"\u003cp\u003eCVE-2026-0246 describes a privilege escalation vulnerability within the Palo Alto Networks Prisma Access Agent. Specifically, a locally authenticated, non-administrative user can exploit a flaw in the privilege management mechanism. 
Successful exploitation allows the attacker to elevate their privileges to root on macOS and Linux systems, or to NT AUTHORITY\\SYSTEM on Windows systems. This vulnerability affects Prisma Access Agent versions prior to 26.2.1 on Linux, macOS and Windows. Prisma Access Agent on iOS, Android and Chrome OS is not affected. This vulnerability allows for the execution of arbitrary code and the reading of sensitive information accessible only to privileged accounts. Palo Alto Networks internally discovered this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains local, non-administrative access to a machine with a vulnerable Prisma Access Agent installed (version \u0026lt; 26.2.1 on Linux, macOS or Windows).\u003c/li\u003e\n\u003cli\u003eAttacker identifies the part of the agent that runs with root or NT AUTHORITY\\SYSTEM privileges and performs actions on behalf of user sessions.\u003c/li\u003e\n\u003cli\u003eAttacker sends that component a request for a privileged action. Because of the missing authorization check (CWE-862), the agent does not verify that the caller is entitled to request it.\u003c/li\u003e\n\u003cli\u003eThe agent carries out the requested action with its own root (Linux/macOS) or NT AUTHORITY\\SYSTEM (Windows) privileges.\u003c/li\u003e\n\u003cli\u003eAttacker uses the action to execute arbitrary code in that elevated context.\u003c/li\u003e\n\u003cli\u003eAttacker reads sensitive information or accesses resources available only to privileged accounts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-0246 allows a local, non-administrative user to gain complete control of the affected system. 
This could lead to data exfiltration, installation of malware, or disruption of services. While Palo Alto Networks is not aware of any malicious exploitation, the impact is severe because a successful attack yields complete control of the host. This vulnerability affects organizations utilizing Prisma Access Agent on Linux, macOS, and Windows.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Prisma Access Agent to version 26.2.1 or later on Linux, macOS, and Windows to remediate CVE-2026-0246 per the vendor advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Prisma Access Agent Privilege Escalation Attempt via Process Creation\u0026rdquo; to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unexpected child processes of the Prisma Access Agent running as root or NT AUTHORITY\\SYSTEM, as described in the detection rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:03:08Z","date_published":"2026-05-13T16:03:08Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0246-prisma-access-lpe/","summary":"A local privilege escalation vulnerability exists in Palo Alto Networks Prisma Access Agent versions prior to 26.2.1 on Linux, macOS, and Windows, allowing a locally authenticated non-administrative user to gain root or NT AUTHORITY\\SYSTEM privileges and execute arbitrary code.","title":"CVE-2026-0246 Prisma Access Agent Local Privilege Escalation Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0246-prisma-access-lpe/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Prisma Access Agent"],"_cs_severities":["medium"],"_cs_tags":["cve-2026-0248","mitm","vpn","certificate-validation"],"_cs_type":"advisory","_cs_vendors":["Palo Alto Networks"],"content_html":"\u003cp\u003eCVE-2026-0248 is an improper certificate validation 
vulnerability affecting Palo Alto Networks Prisma Access Agent versions prior to 26.2.1 on Android and Chrome OS. The agent checks that the server certificate chains to a trusted Certificate Authority but not that it was issued for the gateway it is connecting to, so an attacker in a man-in-the-middle (MitM) position who holds a valid CA-issued certificate for any domain can intercept VPN traffic and capture sensitive device information. This vulnerability does not affect the Prisma Access Agent on macOS, Windows, Linux, or iOS. Palo Alto Networks discovered this issue internally.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker positions themselves on the same network as the Android/Chrome OS device or otherwise in the network path between the device and the VPN gateway.\u003c/li\u003e\n\u003cli\u003eThe user initiates a VPN connection via the Prisma Access Agent.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the initial TLS handshake.\u003c/li\u003e\n\u003cli\u003eThe attacker presents a certificate that a CA trusted by the device issued for some other domain (one the attacker legitimately controls); no forged certificate is needed.\u003c/li\u003e\n\u003cli\u003eBecause the agent does not check that the certificate\u0026rsquo;s name matches the gateway it is connecting to, the Prisma Access Agent on the Android/Chrome OS device accepts the certificate.\u003c/li\u003e\n\u003cli\u003eA TLS session is established with the attacker instead of the gateway; to the user it looks like a normal VPN connection.\u003c/li\u003e\n\u003cli\u003eAll VPN traffic now passes through the attacker\u0026rsquo;s machine, allowing the attacker to inspect and modify data in transit.\u003c/li\u003e\n\u003cli\u003eThe attacker captures sensitive device information transmitted through the VPN connection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-0248 allows an attacker to perform a man-in-the-middle attack on VPN connections established by the Prisma Access Agent on affected Android and Chrome OS devices. 
This can lead to the disclosure of sensitive information, such as credentials, personal data, or proprietary business data, transmitted through the VPN. The severity is rated as medium because the attack vector is adjacent: the attacker must already be on the same network or in the path to the gateway.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Prisma Access Agent on Android and Chrome OS devices to version 26.2.1 or later to remediate CVE-2026-0248.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules published with this brief to detect potential man-in-the-middle attacks targeting Prisma Access Agent connections.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:02:25Z","date_published":"2026-05-13T16:02:25Z","id":"https://feed.craftedsignal.io/briefs/2026-05-prisma-access-mitm/","summary":"CVE-2026-0248 is an improper certificate validation vulnerability in Prisma Access Agent for Android and Chrome OS, enabling a man-in-the-middle (MitM) attack to intercept VPN traffic and capture sensitive device information by presenting a certificate issued by a trusted Certificate Authority.","title":"CVE-2026-0248 Prisma Access Agent Improper Certificate Validation Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-prisma-access-mitm/"}],"language":"en","title":"CraftedSignal Threat Feed — Prisma Access Agent","version":"https://jsonfeed.org/version/1.1"}
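The CVE-2026-0246 brief above recommends watching process-creation events for unexpected children of the Prisma Access Agent. The following is an added example, not the CraftedSignal Sigma rule and not Palo Alto Networks code: it runs that rule logic over constructed, Sysmon-style process-creation events. The agent image names in AGENT_IMAGES, every file path, and the sample hostnames are assumptions made for the example; substitute the binaries your deployment actually installs.

```python
"""Flag shells or interpreters spawned as root/SYSTEM by the Prisma Access Agent.

Added example, not the CraftedSignal Sigma rule and not vendor code. Image names,
paths, hostnames and events below are constructed for illustration.
"""
import re

# ASSUMED basenames of the agent's privileged process (constructed for this example).
AGENT_IMAGES = {"prismaaccessagent.exe", "prismaaccessagent"}
# Children an endpoint VPN agent has no business launching.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                       "sh", "bash", "zsh", "osascript", "python", "python3", "perl"}
# Accounts the advisory names as the escalation target.
PRIVILEGED_USERS = {"nt authority\\system", "root"}


def basename(path: str) -> str:
    """Last path component, lower-cased, for Windows or POSIX paths."""
    return re.split(r"[\\/]", path)[-1].lower()


def matches(event: dict) -> bool:
    """One event matches when the parent is the agent, the child is a shell or
    interpreter, and the child runs as root or SYSTEM (the post-escalation context)."""
    return (basename(event["ParentImage"]) in AGENT_IMAGES
            and basename(event["Image"]) in SUSPICIOUS_CHILDREN
            and event["User"].lower() in PRIVILEGED_USERS)


def detect(events: list) -> list:
    """Return the matching events, each annotated with a short reason."""
    hits = []
    for e in events:
        if matches(e):
            reason = f"{basename(e['ParentImage'])} spawned {basename(e['Image'])} as {e['User']}"
            hits.append({**e, "reason": reason})
    return hits


# Constructed sample events (Sysmon Event ID 1 field names; paths are made up).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": r"C:\Program Files\Palo Alto Networks\PrismaAccessAgent.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "Computer": "MAC01", "User": "root",
     "ParentImage": "/Applications/PrismaAccessAgent.app/Contents/MacOS/PrismaAccessAgent",
     "Image": "/bin/zsh", "CommandLine": "zsh -c id"},
    # Agent spawning its own (made-up) helper as SYSTEM: not a shell, so not flagged.
    {"EventID": 1, "Computer": "WS01", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": r"C:\Program Files\Palo Alto Networks\PrismaAccessAgent.exe",
     "Image": r"C:\Program Files\Palo Alto Networks\PrismaAccessHelper.exe",
     "CommandLine": "PrismaAccessHelper.exe"},
    # A user shell from Explorer: wrong parent, not flagged.
    {"EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
     "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
    # Agent child running as the logged-on user: not the escalated context, so not flagged
    # here (tighten the rule to flag it too if your agent never spawns shells at all).
    {"EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
     "ParentImage": r"C:\Program Files\Palo Alto Networks\PrismaAccessAgent.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c echo hi"},
]


def sample_hits() -> list:
    """Computers whose events trip the rule, in event order."""
    return [h["Computer"] for h in detect(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print(h["Computer"], "-", h["reason"])
```

The third condition (child runs as root or SYSTEM) is what separates an escalation from the agent merely launching something in the user session; drop it only after baselining which children the agent spawns legitimately, otherwise the rule fires on routine helper processes.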
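The CVE-2026-0248 brief above turns on one missing check: the client verifies that the server certificate chains to a trusted CA but not that the certificate was issued for the gateway it dialed. The following is an added example, not Palo Alto Networks code, showing the weak acceptance check beside the corrected one. Certificates are constructed dicts standing in for parsed X.509 data (a `chain_trusted` flag replaces real path validation), and `vpn.example.com` is an assumed gateway name.

```python
"""Server-certificate acceptance for a VPN client: the weak check behind
CVE-2026-0248 beside the corrected one.

Added example, not Palo Alto Networks code. Certificates are constructed dicts
standing in for parsed X.509 data; 'vpn.example.com' is an assumed gateway name.
"""
import ssl


def chain_is_trusted(cert: dict) -> bool:
    """Stand-in for CA path validation; the constructed data carries the verdict."""
    return bool(cert.get("chain_trusted"))


def name_matches(cert_name: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against the host that was dialed.

    Wildcard handling follows the strict reading of RFC 6125 section 6.4.3: '*' must be
    the entire left-most label, it never spans a dot, and it is not accepted for a name
    with fewer than three labels (so '*.com' matches nothing).
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    pat, host = cert_name.split("."), hostname.split(".")
    if pat[0] != "*" or any("*" in label for label in pat[1:]):
        return False
    if len(pat) < 3 or len(pat) != len(host):
        return False
    return pat[1:] == host[1:]


def vulnerable_accept(cert: dict, hostname: str) -> bool:
    """Weak check: any certificate chaining to a trusted CA is accepted.

    Whoever holds a valid certificate for *some* domain can impersonate the gateway,
    which is the condition the advisory describes. 'hostname' is ignored on purpose.
    """
    return chain_is_trusted(cert)


def hardened_accept(cert: dict, hostname: str) -> bool:
    """Fixed check: trusted chain AND a SAN dNSName that matches the dialed host."""
    if not chain_is_trusted(cert):
        return False
    return any(name_matches(n, hostname) for n in cert.get("san_dns", []))


def hardened_context() -> ssl.SSLContext:
    """The same two conditions expressed as Python ssl settings.

    create_default_context() already enables both; the weak pattern above is what
    a client gets by setting check_hostname = False, which no VPN client should do.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


# Constructed test certificates (not real certificates).
GATEWAY = "vpn.example.com"
LEGIT = {"san_dns": ["vpn.example.com"], "chain_trusted": True}
ATTACKER = {"san_dns": ["www.attacker.test"], "chain_trusted": True}  # valid CA cert, wrong name
SELF_SIGNED = {"san_dns": ["vpn.example.com"], "chain_trusted": False}


def verdicts(hostname: str = GATEWAY) -> dict:
    """(vulnerable_accept, hardened_accept) for each constructed certificate."""
    return {
        label: (vulnerable_accept(c, hostname), hardened_accept(c, hostname))
        for label, c in (("legit", LEGIT), ("attacker", ATTACKER), ("self_signed", SELF_SIGNED))
    }


if __name__ == "__main__":
    for label, (weak, strict) in verdicts().items():
        print(f"{label:12} vulnerable_accept={weak!s:5} hardened_accept={strict}")
```

The attacker row is the whole vulnerability: a certificate that is perfectly valid for `www.attacker.test` passes the weak check for `vpn.example.com` and fails the hardened one. Pinning the gateway certificate or CA on top of hostname verification narrows the trusted set further, but hostname matching is the check that was missing.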
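All three briefs share one fixed release (26.2.1) but differ in which platforms are affected, so a fleet check has to combine a numeric version comparison with a per-CVE platform matrix. The following is an added example, not vendor tooling: the matrix and fixed version are taken from the three advisories in this feed, and the inventory records, hostnames and version strings are constructed sample data.

```python
"""Map a Prisma Access Agent inventory onto CVE-2026-0245, -0246 and -0248.

Added example, not vendor tooling. The affected-platform matrix and the fixed
release (26.2.1) come from the three advisories in this feed; the inventory
records are constructed sample data.
"""
import re

FIXED_VERSION = (26, 2, 1)

# Platform sets as stated per advisory; all three are fixed in 26.2.1.
AFFECTED_PLATFORMS = {
    "CVE-2026-0245": {"macos", "windows"},            # local information disclosure
    "CVE-2026-0246": {"linux", "macos", "windows"},   # local privilege escalation
    "CVE-2026-0248": {"android", "chromeos"},         # MitM via improper cert validation
}
# iOS is listed so that unknown platform spellings are still rejected rather than ignored.
KNOWN_PLATFORMS = {"android", "chromeos", "ios", "linux", "macos", "windows"}


def normalize_platform(name: str) -> str:
    """'Chrome OS', 'Mac OS', 'macOS' and friends to one spelling; unknown names raise."""
    key = re.sub(r"[^a-z]", "", name.lower())
    key = {"mac": "macos", "osx": "macos", "win": "windows", "chrome": "chromeos"}.get(key, key)
    if key not in KNOWN_PLATFORMS:
        raise ValueError(f"unrecognised platform: {name!r}")
    return key


def parse_version(text: str) -> tuple:
    """'26.2.1' -> (26, 2, 1). Missing components count as 0 and a trailing suffix such
    as '-h1' is ignored. Compared as a tuple of ints, so 26.10.0 sorts after 26.2.1,
    which a plain string comparison gets wrong."""
    parts = []
    for piece in text.strip().split(".")[:3]:
        m = re.match(r"\d+", piece)
        if m is None:
            raise ValueError(f"unparseable version: {text!r}")
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable_version(version: str) -> bool:
    return parse_version(version) < FIXED_VERSION


def applicable_cves(platform: str, version: str) -> list:
    """CVEs that apply to one install, or [] when it is patched or on an unaffected OS."""
    if not is_vulnerable_version(version):
        return []
    plat = normalize_platform(platform)
    return sorted(cve for cve, plats in AFFECTED_PLATFORMS.items() if plat in plats)


def triage(inventory: list) -> dict:
    """hostname -> applicable CVEs, for every host that has at least one."""
    result = {}
    for rec in inventory:
        cves = applicable_cves(rec["platform"], rec["version"])
        if cves:
            result[rec["host"]] = cves
    return result


# Constructed inventory (not real hosts).
INVENTORY = [
    {"host": "lt-001", "platform": "Windows",   "version": "26.2.0"},
    {"host": "lt-002", "platform": "macOS",     "version": "26.2.1"},
    {"host": "lt-003", "platform": "Linux",     "version": "25.4"},
    {"host": "ph-001", "platform": "Android",   "version": "26.1.3"},
    {"host": "cb-001", "platform": "Chrome OS", "version": "26.10.0"},  # newer than 26.2.1
    {"host": "ph-002", "platform": "iOS",       "version": "25.0.0"},   # no CVE applies
]

if __name__ == "__main__":
    for host, cves in triage(INVENTORY).items():
        print(host, ", ".join(cves))
```

Feed the real inventory export in place of INVENTORY; the only fields used are host, platform and version. The version parser deliberately raises on strings it cannot read rather than treating them as patched.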