<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Prisma Access Agent — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/prisma-access-agent/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 13 May 2026 16:08:37 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/prisma-access-agent/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-0245 Prisma Access Agent Information Disclosure Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-05-prisma-access-info-disclosure/</link><pubDate>Wed, 13 May 2026 16:08:37 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-prisma-access-info-disclosure/</guid><description>CVE-2026-0245 describes multiple information disclosure vulnerabilities in Palo Alto Networks Prisma Access Agent before version 26.2.1 on macOS and Windows, allowing a local user to access sensitive configuration data and credentials.</description><content:encoded><![CDATA[<p>Palo Alto Networks has disclosed CVE-2026-0245, a set of information disclosure vulnerabilities affecting Prisma Access Agent versions prior to 26.2.1 on macOS and Windows. A local attacker with low privileges could potentially exploit these vulnerabilities to gain access to sensitive configuration data and credentials stored by the agent. The Prisma Access Agent versions running on Linux, Android, ChromeOS, and iOS are not affected. Palo Alto Networks is not aware of any malicious exploitation of these issues.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A local user gains access to a system with a vulnerable version of Prisma Access Agent installed (versions &lt; 26.2.1 on macOS or Windows).</li>
<li>The attacker leverages a low-complexity attack vector to interact with the Prisma Access Agent.</li>
<li>Due to insufficient access controls or data protection mechanisms, the attacker is able to access sensitive configuration files or memory regions used by the agent.</li>
<li>The attacker successfully extracts sensitive information, which may include credentials, API keys, or other configuration parameters.</li>
<li>The attacker analyzes the disclosed data to identify valuable assets or potential attack vectors within the organization&rsquo;s network.</li>
<li>The attacker may use the stolen credentials to impersonate legitimate users or services, gaining unauthorized access to protected resources.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-0245 allows a local attacker to access sensitive configuration data and credentials stored by the Prisma Access Agent. This information could be used to gain unauthorized access to the organization&rsquo;s network or cloud resources, potentially leading to data breaches, service disruptions, or other security incidents.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Prisma Access Agent to version 26.2.1 or later on macOS and Windows systems to remediate CVE-2026-0245.</li>
<li>Monitor systems for unauthorized access to Prisma Access Agent configuration files or memory regions.</li>
<li>Deploy the Sigma rule <code>Detect Suspicious Prisma Access Agent Configuration Access</code> to detect potential exploitation attempts.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cve-2026-0245</category><category>information-disclosure</category><category>prisma-access-agent</category></item><item><title>CVE-2026-0246 Prisma Access Agent Local Privilege Escalation Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0246-prisma-access-lpe/</link><pubDate>Wed, 13 May 2026 16:03:08 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0246-prisma-access-lpe/</guid><description>A local privilege escalation vulnerability exists in Palo Alto Networks Prisma Access Agent versions prior to 26.2.1 on Linux, macOS, and Windows, allowing a locally authenticated non-administrative user to gain root or NT AUTHORITY\SYSTEM privileges and execute arbitrary code.</description><content:encoded><![CDATA[<p>CVE-2026-0246 describes a privilege escalation vulnerability within the Palo Alto Networks Prisma Access Agent. Specifically, a locally authenticated, non-administrative user can exploit a flaw in the privilege management mechanism. Successful exploitation allows the attacker to elevate their privileges to root on macOS and Linux systems, or to NT AUTHORITY\SYSTEM on Windows systems. This vulnerability affects Prisma Access Agent versions prior to 26.2.1 on Linux, macOS, and Windows. Prisma Access Agent on iOS, Android, and Chrome OS is not affected. This vulnerability allows the execution of arbitrary code and the reading of sensitive information accessible only to privileged accounts. Palo Alto Networks internally discovered this vulnerability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains local access to a machine with a vulnerable Prisma Access Agent installed (version &lt; 26.2.1).</li>
<li>Attacker identifies the vulnerable privilege management mechanism within the Prisma Access Agent.</li>
<li>Attacker crafts a malicious request or input that exploits the missing authorization (CWE-862) in the agent.</li>
<li>The malicious request bypasses intended privilege checks due to the flawed mechanism.</li>
<li>The Prisma Access Agent attempts to perform an action requiring elevated privileges based on the attacker&rsquo;s crafted input.</li>
<li>Due to missing authorization, the agent incorrectly executes the action with root (Linux/macOS) or NT AUTHORITY\SYSTEM (Windows) privileges.</li>
<li>Attacker executes arbitrary code within the context of the elevated privileges.</li>
<li>Attacker gains unauthorized access to sensitive information or resources.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-0246 allows a local, non-administrative user to gain complete control of the affected system. This could lead to data exfiltration, installation of malware, or disruption of services. While Palo Alto Networks is not aware of any malicious exploitation, the potential impact is significant due to the complete compromise of the affected host. This vulnerability affects organizations utilizing Prisma Access Agent on Linux, macOS, and Windows.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Prisma Access Agent to version 26.2.1 or later on Linux, macOS, and Windows to remediate CVE-2026-0246 per the vendor advisory.</li>
<li>Deploy the Sigma rule &ldquo;Detect Prisma Access Agent Privilege Escalation Attempt via Process Creation&rdquo; to detect potential exploitation attempts.</li>
<li>Monitor process creation events for unusual processes spawned by the Prisma Access Agent as indicated in the detection rule.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>privilege-escalation</category><category>cve</category></item><item><title>CVE-2026-0248 Prisma Access Agent Improper Certificate Validation Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-05-prisma-access-mitm/</link><pubDate>Wed, 13 May 2026 16:02:25 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-prisma-access-mitm/</guid><description>CVE-2026-0248 is an improper certificate validation vulnerability in Prisma Access Agent for Android and Chrome OS, enabling a man-in-the-middle (MitM) attack to intercept VPN traffic and capture sensitive device information by presenting a certificate issued by a trusted Certificate Authority.</description><content:encoded><![CDATA[<p>CVE-2026-0248 is an improper certificate validation vulnerability affecting Palo Alto Networks Prisma Access Agent versions prior to 26.2.1 on Android and Chrome OS. An attacker can exploit this vulnerability by performing a man-in-the-middle (MitM) attack. By presenting a certificate for any domain issued by a trusted Certificate Authority, the attacker can intercept VPN traffic and capture sensitive device information. This vulnerability does not affect the Prisma Access Agent on macOS, Windows, Linux, or iOS. Palo Alto Networks discovered this issue internally.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker positions themselves in a network path between the Android/Chrome OS device and the VPN server.</li>
<li>The user initiates a VPN connection via the Prisma Access Agent.</li>
<li>The attacker intercepts the initial TLS handshake.</li>
<li>The attacker presents a fraudulent certificate for a domain issued by a trusted Certificate Authority.</li>
<li>Due to the improper certificate validation, the Prisma Access Agent on the Android/Chrome OS device accepts the fraudulent certificate.</li>
<li>A secure channel is established between the device and the attacker, appearing as a legitimate VPN connection.</li>
<li>All VPN traffic is now routed through the attacker&rsquo;s machine, allowing the attacker to inspect and modify data in transit.</li>
<li>The attacker captures sensitive device information transmitted through the VPN connection.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-0248 allows an attacker to perform a man-in-the-middle attack on VPN connections established by the Prisma Access Agent on affected Android and Chrome OS devices. This can lead to the disclosure of sensitive information, such as credentials, personal data, or proprietary business data, transmitted through the VPN. The severity is rated as medium due to the adjacent attack vector.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Prisma Access Agent on Android and Chrome OS devices to version 26.2.1 or later to remediate CVE-2026-0248.</li>
<li>Deploy the Sigma rules below to detect potential man-in-the-middle attacks targeting Prisma Access Agent connections.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cve-2026-0248</category><category>mitm</category><category>vpn</category><category>certificate-validation</category></item></channel></rss>