https://feed.craftedsignal.io/products/prisma-sd-wan-ion/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 13 May 2026 16:08:49 +0000https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0243-prisma-sdwan-dos/Wed, 13 May 2026 16:08:49 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-0243-prisma-sdwan-dos/An unauthenticated, adjacent attacker can disrupt Palo Alto Networks Prisma SD-WAN ION devices by sending a specially crafted IPv6 packet, leading to a denial-of-service condition.A denial-of-service (DoS) vulnerability, identified as CVE-2026-0243, affects Palo Alto Networks Prisma SD-WAN ION devices. An unauthenticated attacker, positioned in a network adjacent to a vulnerable device, can exploit this flaw by transmitting a specially crafted IPv6 packet. Successful exploitation results in a system disruption, impacting availability. The vulnerability affects Prisma SD-WAN ION versions prior to 6.5.3-b15, 6.4.3-b8, and 6.3.6-b10. The device must have IPv6 enabled for the vulnerability to be exploitable. Palo Alto Networks internally discovered this issue.

Attack Chain

1. Attacker identifies a target Prisma SD-WAN ION device with IPv6 enabled.
2. Attacker crafts a malicious IPv6 packet specifically designed to trigger the DoS vulnerability.
3. Attacker transmits the crafted IPv6 packet to the target Prisma SD-WAN ION device from an adjacent network.
4. The device receives and processes the malicious IPv6 packet.
5. The processing of the crafted packet triggers excessive resource allocation or an unchecked loop condition.
6. The device’s system resources (CPU, memory) become exhausted due to the excessive resource allocation.
7. The device becomes unresponsive and unable to process legitimate network traffic.
8. The Prisma SD-WAN ION device experiences a denial-of-service condition, disrupting network operations.

Impact

Successful exploitation of CVE-2026-0243 results in a denial-of-service condition on affected Prisma SD-WAN ION devices. This disruption can lead to network outages, impacting business operations that rely on the SD-WAN infrastructure. Palo Alto Networks is not aware of any malicious exploitation of this issue in the wild.

Recommendation

• Upgrade Prisma SD-WAN ION to version 6.5.3-b15, 6.4.3-b8, or 6.3.6-b10 or later to remediate CVE-2026-0243.
• Disable IPv6 on Prisma SD-WAN ION devices if it is not required as a workaround.
• Deploy the Sigma rule “Detect Suspicious IPv6 Traffic to Prisma SD-WAN ION” to identify potentially malicious IPv6 packets targeting Prisma SD-WAN devices.

]]>mediumadvisorydenial-of-servicenetworkPrisma SD-WANhttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-0244-prisma-sdwan/Wed, 13 May 2026 16:06:20 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-0244-prisma-sdwan/CVE-2026-0244 is an improper certificate validation vulnerability in Palo Alto Networks Prisma SD-WAN ION that allows a man-in-the-middle (MitM) attacker to impersonate the controller.CVE-2026-0244 is an improper certificate validation vulnerability affecting Palo Alto Networks Prisma SD-WAN ION devices. This vulnerability allows a man-in-the-middle (MitM) attacker to impersonate the Prisma SD-WAN controller. Specifically, Prisma SD-WAN ION versions before 6.5.3-b15, 6.4.3-b8, and 6.3.6-b10 are affected. Palo Alto Networks internally discovered this vulnerability. Successful exploitation could allow an attacker to intercept and modify communications between the SD-WAN ION device and the controller, potentially leading to unauthorized access or control of the network.

Attack Chain

1. An attacker positions themselves in a man-in-the-middle (MitM) position between a Prisma SD-WAN ION device and the controller. This could be achieved through ARP spoofing or DNS poisoning.
2. The SD-WAN ION device attempts to establish a secure connection with the controller.
3. The attacker intercepts the TLS handshake.
4. Due to the improper certificate validation, the attacker presents a fraudulent certificate to the SD-WAN ION device.
5. The SD-WAN ION device, failing to properly validate the certificate, trusts the attacker’s certificate.
6. A secure connection is established between the SD-WAN ION device and the attacker, who is impersonating the controller.
7. The attacker intercepts and potentially modifies communications between the SD-WAN ION device and the real controller.
8. The attacker could gain unauthorized access to the network or control the SD-WAN ION device.

Impact

Successful exploitation of CVE-2026-0244 allows an attacker to perform man-in-the-middle attacks and impersonate the Prisma SD-WAN controller. This can lead to unauthorized access, data interception, or manipulation of network traffic. The vulnerability affects Prisma SD-WAN ION devices running versions prior to 6.5.3-b15, 6.4.3-b8, and 6.3.6-b10. While Palo Alto Networks is not aware of any malicious exploitation, the potential impact is significant, affecting confidentiality and integrity.

Recommendation

• Upgrade Prisma SD-WAN ION to version 6.5.3-b15 or later if running a version between 6.5.1 and 6.5.3, as indicated in the advisory.
• Upgrade Prisma SD-WAN ION to version 6.4.3-b8 or later if running a version between 6.4.1 and 6.4.3, as indicated in the advisory.
• Upgrade Prisma SD-WAN ION to version 6.3.6-b10 or later if running a version between 6.3.1 and 6.3.6, as indicated in the advisory.
• For Prisma SD-WAN ION 6.2.4 on-prem, upgrade to version 6.2.4-b12.

]]>mediumadvisoryvulnerabilitymitmcertificate validation