{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-0258/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PAN-OS"],"_cs_severities":["medium"],"_cs_tags":["ssrf","cve-2026-0258","network","palo alto networks"],"_cs_type":"advisory","_cs_vendors":["Palo Alto Networks"],"content_html":"\u003cp\u003eA server-side request forgery (SSRF) vulnerability, identified as CVE-2026-0258, exists within the IKEv2 implementation of Palo Alto Networks PAN-OS software. This flaw allows an unauthenticated attacker to manipulate the firewall into sending network requests to unintended destinations. Successful exploitation can result in a denial-of-service (DoS) condition. This vulnerability affects PAN-OS versions 12.1 prior to 12.1.4-h5 and 12.1.7, 11.2 prior to 11.2.4-h17, 11.2.7-h13, 11.2.10-h6 and 11.2.12, 11.1 prior to 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5 and 11.1.15, and 10.2 prior to 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7 and 10.2.18-h6. Panorama, Cloud NGFW, and Prisma Access are not affected. The vulnerability is triggered during IKEv2 certificate URL fetching when a Site-to-Site VPN Gateway with IKEv2 is configured.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable PAN-OS firewall with a Site-to-Site VPN Gateway configured for IKEv2.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious IKEv2 request containing a URL for certificate retrieval.\u003c/li\u003e\n\u003cli\u003eThe crafted URL specifies an internal or unintended external destination.\u003c/li\u003e\n\u003cli\u003eThe PAN-OS firewall, acting as the IKEv2 initiator, parses the malicious IKEv2 request.\u003c/li\u003e\n\u003cli\u003eThe firewall attempts to fetch the certificate from the attacker-controlled URL.\u003c/li\u003e\n\u003cli\u003eThe firewall sends an HTTP(S) request to the specified URL.\u003c/li\u003e\n\u003cli\u003eIf the URL points to an internal resource, the attacker can potentially probe internal services.\u003c/li\u003e\n\u003cli\u003eIf the URL points to an external resource, the attacker can cause the firewall to participate in a DDoS attack or expose sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-0258 can allow an unauthenticated attacker to perform reconnaissance activities against internal network resources, potentially leading to the discovery of sensitive information. The attacker may also trigger a denial-of-service condition by causing the firewall to consume excessive resources or by directing traffic to unintended destinations. While the vulnerability has a medium severity rating, successful exploitation can compromise the confidentiality, integrity, and availability of the affected firewall and the network it protects. Palo Alto Networks is not aware of any malicious exploitation of this issue at this time.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade PAN-OS to a fixed version as specified in the Palo Alto Networks advisory, prioritizing versions 12.1.7, 11.2.12, 11.1.15, and 10.2.18-h6 (see Product Status table in the advisory).\u003c/li\u003e\n\u003cli\u003eIf immediate patching is not feasible, mitigate the risk by removing all IKEv2 VPN gateway configurations, as mentioned in the \u0026ldquo;Workarounds and Mitigations\u0026rdquo; section of the advisory.\u003c/li\u003e\n\u003cli\u003eCustomers with a Threat Prevention subscription should enable Threat ID 510014 to block potential attacks, as recommended in the \u0026ldquo;Workarounds and Mitigations\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual outbound connections originating from PAN-OS firewalls, especially connections to internal resources that the firewall should not normally access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:04:40Z","date_published":"2026-05-13T16:04:40Z","id":"https://feed.craftedsignal.io/briefs/2026-05-panos-ssrf/","summary":"CVE-2026-0258 is a medium severity server-side request forgery (SSRF) vulnerability in Palo Alto Networks PAN-OS that allows an unauthenticated attacker to cause the firewall to send network requests to unintended destinations, potentially leading to a denial of service (DoS).","title":"CVE-2026-0258 PAN-OS SSRF vulnerability in IKEv2 certificate URL fetching","url":"https://feed.craftedsignal.io/briefs/2026-05-panos-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-0258","version":"https://jsonfeed.org/version/1.1"}