{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-0248/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Prisma Access Agent"],"_cs_severities":["medium"],"_cs_tags":["cve-2026-0248","mitm","vpn","certificate-validation"],"_cs_type":"advisory","_cs_vendors":["Palo Alto Networks"],"content_html":"\u003cp\u003eCVE-2026-0248 is an improper certificate validation vulnerability affecting Palo Alto Networks Prisma Access Agent versions prior to 26.2.1 on Android and Chrome OS. An attacker can exploit this vulnerability by performing a man-in-the-middle (MitM) attack. By presenting a certificate for any domain issued by a trusted Certificate Authority, the attacker can intercept VPN traffic and capture sensitive device information. This vulnerability does not affect the Prisma Access Agent on macOS, Windows, Linux, or iOS.\nPalo Alto Networks discovered this issue internally.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker positions themselves in a network path between the Android/Chrome OS device and the VPN server.\u003c/li\u003e\n\u003cli\u003eThe user initiates a VPN connection via the Prisma Access Agent.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the initial TLS handshake.\u003c/li\u003e\n\u003cli\u003eThe attacker presents a fraudulent certificate for a domain issued by a trusted Certificate Authority.\u003c/li\u003e\n\u003cli\u003eDue to the improper certificate validation, the Prisma Access Agent on the Android/Chrome OS device accepts the fraudulent certificate.\u003c/li\u003e\n\u003cli\u003eA secure channel is established between the device and the attacker, appearing as a legitimate VPN connection.\u003c/li\u003e\n\u003cli\u003eAll VPN traffic is now routed through the attacker\u0026rsquo;s machine, allowing the attacker to inspect and modify data in transit.\u003c/li\u003e\n\u003cli\u003eThe attacker captures sensitive device information transmitted through the VPN connection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-0248 allows an attacker to perform a man-in-the-middle attack on VPN connections established by the Prisma Access Agent on affected Android and Chrome OS devices. This can lead to the disclosure of sensitive information, such as credentials, personal data, or proprietary business data, transmitted through the VPN.\nThe severity is rated as medium due to the adjacent attack vector.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Prisma Access Agent on Android and Chrome OS devices to version 26.2.1 or later to remediate CVE-2026-0248.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules below to detect potential man-in-the-middle attacks targeting Prisma Access Agent connections.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:02:25Z","date_published":"2026-05-13T16:02:25Z","id":"https://feed.craftedsignal.io/briefs/2026-05-prisma-access-mitm/","summary":"CVE-2026-0248 is an improper certificate validation vulnerability in Prisma Access Agent for Android and Chrome OS, enabling a man-in-the-middle (MitM) attack to intercept VPN traffic and capture sensitive device information by presenting a certificate issued by a trusted Certificate Authority.","title":"CVE-2026-0248 Prisma Access Agent Improper Certificate Validation Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-prisma-access-mitm/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-0248","version":"https://jsonfeed.org/version/1.1"}