{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/prisma-sd-wan-ion/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Prisma SD-WAN ION"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","network","Prisma SD-WAN"],"_cs_type":"advisory","_cs_vendors":["Palo Alto Networks"],"content_html":"\u003cp\u003eA denial-of-service (DoS) vulnerability, identified as CVE-2026-0243, affects Palo Alto Networks Prisma SD-WAN ION devices. An unauthenticated attacker, positioned in a network adjacent to a vulnerable device, can exploit this flaw by transmitting a specially crafted IPv6 packet. Successful exploitation results in a system disruption, impacting availability. The vulnerability affects Prisma SD-WAN ION versions prior to 6.5.3-b15, 6.4.3-b8, and 6.3.6-b10. The device must have IPv6 enabled for the vulnerability to be exploitable. 
Palo Alto Networks internally discovered this issue.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a target Prisma SD-WAN ION device with IPv6 enabled.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious IPv6 packet specifically designed to trigger the DoS vulnerability.\u003c/li\u003e\n\u003cli\u003eAttacker transmits the crafted IPv6 packet to the target Prisma SD-WAN ION device from an adjacent network.\u003c/li\u003e\n\u003cli\u003eThe device receives and processes the malicious IPv6 packet.\u003c/li\u003e\n\u003cli\u003eThe processing of the crafted packet triggers excessive resource allocation or an unchecked loop condition.\u003c/li\u003e\n\u003cli\u003eThe device\u0026rsquo;s system resources (CPU, memory) become exhausted due to the excessive resource allocation.\u003c/li\u003e\n\u003cli\u003eThe device becomes unresponsive and unable to process legitimate network traffic.\u003c/li\u003e\n\u003cli\u003eThe Prisma SD-WAN ION device experiences a denial-of-service condition, disrupting network operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-0243 results in a denial-of-service condition on affected Prisma SD-WAN ION devices. This disruption can lead to network outages, impacting business operations that rely on the SD-WAN infrastructure. 
Palo Alto Networks is not aware of any malicious exploitation of this issue in the wild.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Prisma SD-WAN ION to version 6.5.3-b15, 6.4.3-b8, or 6.3.6-b10 or later to remediate CVE-2026-0243.\u003c/li\u003e\n\u003cli\u003eAs a workaround, disable IPv6 on Prisma SD-WAN ION devices if it is not required.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious IPv6 Traffic to Prisma SD-WAN ION\u0026rdquo; to identify potentially malicious IPv6 packets targeting Prisma SD-WAN devices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:08:49Z","date_published":"2026-05-13T16:08:49Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0243-prisma-sdwan-dos/","summary":"An unauthenticated, adjacent attacker can disrupt Palo Alto Networks Prisma SD-WAN ION devices by sending a specially crafted IPv6 packet, leading to a denial-of-service condition.","title":"CVE-2026-0243: Prisma SD-WAN Denial-of-Service via Crafted IPv6 Packet","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0243-prisma-sdwan-dos/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Prisma SD-WAN ION"],"_cs_severities":["medium"],"_cs_tags":["vulnerability","mitm","certificate validation"],"_cs_type":"advisory","_cs_vendors":["Palo Alto Networks"],"content_html":"\u003cp\u003eCVE-2026-0244 is an improper certificate validation vulnerability affecting Palo Alto Networks Prisma SD-WAN ION devices. This vulnerability allows a man-in-the-middle (MitM) attacker to impersonate the Prisma SD-WAN controller. Specifically, Prisma SD-WAN ION versions before 6.5.3-b15, 6.4.3-b8, and 6.3.6-b10 are affected. Palo Alto Networks internally discovered this vulnerability. 
Successful exploitation could allow an attacker to intercept and modify communications between the SD-WAN ION device and the controller, potentially leading to unauthorized access or control of the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker takes up a man-in-the-middle (MitM) position between a Prisma SD-WAN ION device and the controller. This could be achieved through ARP spoofing or DNS poisoning.\u003c/li\u003e\n\u003cli\u003eThe SD-WAN ION device attempts to establish a secure connection with the controller.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the TLS handshake.\u003c/li\u003e\n\u003cli\u003eDue to the improper certificate validation, the attacker presents a fraudulent certificate to the SD-WAN ION device.\u003c/li\u003e\n\u003cli\u003eThe SD-WAN ION device, failing to properly validate the certificate, trusts the attacker\u0026rsquo;s certificate.\u003c/li\u003e\n\u003cli\u003eA secure connection is established between the SD-WAN ION device and the attacker, who is impersonating the controller.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts and potentially modifies communications between the SD-WAN ION device and the real controller.\u003c/li\u003e\n\u003cli\u003eThe attacker could gain unauthorized access to the network or control the SD-WAN ION device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-0244 allows an attacker to perform man-in-the-middle attacks and impersonate the Prisma SD-WAN controller. This can lead to unauthorized access, data interception, or manipulation of network traffic. The vulnerability affects Prisma SD-WAN ION devices running versions prior to 6.5.3-b15, 6.4.3-b8, and 6.3.6-b10. 
While Palo Alto Networks is not aware of any malicious exploitation, the potential impact is significant, affecting confidentiality and integrity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Prisma SD-WAN ION to version 6.5.3-b15 or later if running a version between 6.5.1 and 6.5.3, as indicated in the advisory.\u003c/li\u003e\n\u003cli\u003eUpgrade Prisma SD-WAN ION to version 6.4.3-b8 or later if running a version between 6.4.1 and 6.4.3, as indicated in the advisory.\u003c/li\u003e\n\u003cli\u003eUpgrade Prisma SD-WAN ION to version 6.3.6-b10 or later if running a version between 6.3.1 and 6.3.6, as indicated in the advisory.\u003c/li\u003e\n\u003cli\u003eFor Prisma SD-WAN ION 6.2.4 on-prem, upgrade to version 6.2.4-b12.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:06:20Z","date_published":"2026-05-13T16:06:20Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0244-prisma-sdwan/","summary":"CVE-2026-0244 is an improper certificate validation vulnerability in Palo Alto Networks Prisma SD-WAN ION that allows a man-in-the-middle (MitM) attacker to impersonate the controller.","title":"CVE-2026-0244 Prisma SD-WAN ION Improper Certificate Validation Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0244-prisma-sdwan/"}],"language":"en","title":"CraftedSignal Threat Feed — Prisma SD-WAN ION","version":"https://jsonfeed.org/version/1.1"}