{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/palo-alto-networks/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PAN-OS 12.1","PAN-OS 11.2","PAN-OS 11.1"],"_cs_severities":["high"],"_cs_tags":["rce","dos","ikev2","palo-alto-networks","firewall"],"_cs_type":"advisory","_cs_vendors":["Palo Alto Networks"],"content_html":"\u003cp\u003eCVE-2026-0263 is a buffer overflow vulnerability affecting Palo Alto Networks PAN-OS software. This vulnerability resides in the processing of IKEv2 when Post Quantum Cryptography (PQC) is enabled. An unauthenticated, network-based attacker can exploit this flaw to achieve remote code execution (RCE) with elevated privileges on the firewall or trigger a denial-of-service (DoS) condition. The vulnerability impacts PAN-OS versions 12.1 prior to 12.1.4-h5 and 12.1.7, 11.2 prior to 11.2.4-h17, 11.2.7-h13, 11.2.10-h6 and 11.2.12, and 11.1 prior to 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5 and 11.1.15. Exploitation requires the use of IKEv2 VPN tunnels configured with PQC. 
Panorama, Cloud NGFW, and Prisma Access are not affected by this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a crafted IKEv2 packet to a vulnerable PAN-OS firewall.\u003c/li\u003e\n\u003cli\u003eThe firewall processes the malicious IKEv2 packet using the vulnerable IKEv2 processing module.\u003c/li\u003e\n\u003cli\u003eDue to the buffer overflow in the IKEv2 processing logic when PQC is enabled, the attacker\u0026rsquo;s payload overwrites adjacent memory regions.\u003c/li\u003e\n\u003cli\u003eThe overwritten memory contains critical system code or data.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the execution flow by overwriting a function pointer or return address.\u003c/li\u003e\n\u003cli\u003eThe attacker injects and executes arbitrary code with elevated privileges on the firewall.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker causes a denial-of-service (DoS) condition by corrupting system data, leading to a crash.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution or causes a denial of service on the affected firewall.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-0263 allows an unauthenticated attacker to execute arbitrary code with elevated privileges on the firewall. This can lead to complete system compromise, including data exfiltration, modification of firewall policies, and disruption of network services. 
Alternatively, the attacker can cause a denial-of-service (DoS) condition, impacting network availability and business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade PAN-OS to the fixed versions: 12.1.4-h5 or later, 12.1.7 or later, 11.2.4-h17 or later, 11.2.7-h13 or later, 11.2.10-h6 or later, 11.2.12 or later, 11.1.4-h33 or later, 11.1.6-h32 or later, 11.1.7-h6 or later, 11.1.10-h25 or later, 11.1.13-h5 or later, 11.1.15 or later, as detailed in the Palo Alto Networks advisory for CVE-2026-0263.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately possible, mitigate the vulnerability by configuring IKEv2 VPN tunnels only with NIST-approved Post Quantum Cryptography (PQC) ciphers, as mentioned in the advisory for CVE-2026-0263.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for anomalous IKEv2 packets, especially those with unusual sizes or structures, using network intrusion detection systems (NIDS).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:07:03Z","date_published":"2026-05-13T16:07:03Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0263-panos-rce/","summary":"A buffer overflow vulnerability in Palo Alto Networks PAN-OS IKEv2 processing (CVE-2026-0263) allows unauthenticated network-based attackers to execute arbitrary code with elevated privileges or cause a denial of service, affecting versions 12.1, 11.2, and 11.1 when configured with Post Quantum Cryptography (PQC).","title":"CVE-2026-0263 PAN-OS: Remote Code Execution (RCE) in IKEv2 Processing","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0263-panos-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PAN-OS"],"_cs_severities":["medium"],"_cs_tags":["cve","command injection","palo alto networks"],"_cs_type":"advisory","_cs_vendors":["Palo Alto 
Networks"],"content_html":"\u003cp\u003eMultiple command injection vulnerabilities exist in Palo Alto Networks PAN-OS software, potentially enabling an authenticated administrator to bypass system restrictions and execute arbitrary commands as a root user (CVE-2026-0261). Exploitation requires access to the PAN-OS CLI or Web UI. The vulnerabilities affect PA-Series, VM-Series firewalls, and Panorama (virtual and M-Series) running vulnerable PAN-OS versions. Cloud NGFW and Prisma Access are not affected. Patches are scheduled to be released by May 28, 2026. This vulnerability could allow an attacker with administrative access to gain complete control of the affected system, potentially leading to data breaches, system compromise, or denial of service.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains administrative access to the PAN-OS CLI or Web UI. This could be through stolen credentials, social engineering, or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies an input field or command within the PAN-OS CLI or Web UI that is vulnerable to command injection.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious input string containing shell metacharacters and a command to be executed.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the malicious input through the vulnerable field or command.\u003c/li\u003e\n\u003cli\u003eThe PAN-OS software improperly neutralizes the special elements within the input string.\u003c/li\u003e\n\u003cli\u003eThe PAN-OS software executes the attacker-controlled command as the root user.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the root privileges to install malware, modify system configurations, or exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-0261 could allow an attacker with administrative privileges to 
execute arbitrary commands as root on the affected PAN-OS device. This could lead to complete system compromise, data breaches, or denial of service. The impact is confined to the affected device, but carries high confidentiality, integrity, and availability risks. Palo Alto Networks is not aware of any malicious exploitation of these issues.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to the fixed versions of PAN-OS as specified in the Palo Alto Networks advisory for CVE-2026-0261. Specifically, upgrade PAN-OS 12.1 to \u0026gt;= 12.1.4-h5 or \u0026gt;= 12.1.7, PAN-OS 11.2 to \u0026gt;= 11.2.4-h17, \u0026gt;= 11.2.7-h13, \u0026gt;= 11.2.10-h6 or \u0026gt;= 11.2.12, PAN-OS 11.1 to \u0026gt;= 11.1.4-h33, \u0026gt;= 11.1.6-h32, \u0026gt;= 11.1.7-h6, \u0026gt;= 11.1.10-h25, \u0026gt;= 11.1.13-h5 or \u0026gt;= 11.1.15 and PAN-OS 10.2 to \u0026gt;= 10.2.7-h34, \u0026gt;= 10.2.10-h36, \u0026gt;= 10.2.13-h21, \u0026gt;= 10.2.16-h7 or \u0026gt;= 10.2.18-h6.\u003c/li\u003e\n\u003cli\u003eRestrict CLI access to a limited group of administrators as recommended in the Palo Alto Networks advisory and documentation.\u003c/li\u003e\n\u003cli\u003eRestrict access to the management web interface to only trusted internal IP addresses to mitigate the risk as per Palo Alto Networks\u0026rsquo; best practice deployment guidelines, as described in the linked LIVEcommunity article and technical documentation.\u003c/li\u003e\n\u003cli\u003eEnable Threat IDs 510017, 510018 and 510024 to block attacks, and Threat IDs 510021, 510025 and 510026 to detect attacks; these signatures are available from Applications and Threats content version 9100-10044 and later.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:06:00Z","date_published":"2026-05-13T16:06:00Z","id":"https://feed.craftedsignal.io/briefs/2026-05-panos-cmd-injection/","summary":"CVE-2026-0261 describes multiple command injection vulnerabilities in Palo Alto 
Networks PAN-OS software that allow an authenticated administrator to bypass system restrictions and execute arbitrary commands as root.","title":"CVE-2026-0261 PAN-OS Authenticated Admin Command Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-panos-cmd-injection/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Trust Protection Foundation"],"_cs_severities":["medium"],"_cs_tags":["cve","sql-injection","palo alto networks","trust protection foundation"],"_cs_type":"threat","_cs_vendors":["Palo Alto Networks"],"content_html":"\u003cp\u003eA SQL injection vulnerability, identified as CVE-2026-0242, exists within Palo Alto Networks Trust Protection Foundation. An authenticated attacker can exploit this vulnerability to execute arbitrary SQL commands against the product database. The vulnerability affects Trust Protection Foundation versions before 25.3.3, 25.1.8, 24.3.6, and 24.1.13. Successful exploitation can lead to reading sensitive data, modifying database contents, and escalating privileges to gain full administrative control. 
Palo Alto Networks internally discovered this vulnerability; there are currently no reports of malicious exploitation in the wild.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the Trust Protection Foundation application with valid credentials.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious SQL query containing SQL injection payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious SQL query into an input field or parameter within the Trust Protection Foundation application.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly sanitize or validate the user-supplied SQL query.\u003c/li\u003e\n\u003cli\u003eThe application executes the attacker-controlled SQL query against the underlying database.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves sensitive data from the database, such as usernames, passwords, or configuration details.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker modifies database contents, such as altering user privileges or inserting malicious code.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain full administrative control of the Trust Protection Foundation platform.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-0242 could allow an attacker to read sensitive data, modify database contents, and escalate privileges to gain full administrative control of the Trust Protection Foundation platform. This could lead to a complete compromise of the system and potentially the wider network, depending on the Trust Protection Foundation\u0026rsquo;s role and access. 
There is no currently known exploitation; however, the vulnerability is rated as medium severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Trust Protection Foundation to versions 25.3.3, 25.1.8, 24.3.6, 24.1.13, or later to patch CVE-2026-0242 as per the vendor\u0026rsquo;s recommendation.\u003c/li\u003e\n\u003cli\u003eImplement parameterized queries or prepared statements in the application code to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eRegularly review and update input validation and sanitization routines within the Trust Protection Foundation application.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to detect potential exploitation attempts against Trust Protection Foundation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:05:37Z","date_published":"2026-05-13T16:05:37Z","id":"https://feed.craftedsignal.io/briefs/2026-05-trust-protection-sql-injection/","summary":"A SQL injection vulnerability in Trust Protection Foundation allows an authenticated attacker to execute arbitrary SQL commands against the product database, potentially leading to sensitive data exposure, data modification, and privilege escalation.","title":"CVE-2026-0242: Trust Protection Foundation SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-trust-protection-sql-injection/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Trust Protection Foundation"],"_cs_severities":["medium"],"_cs_tags":["cve","authorization bypass","palo alto networks","trust protection foundation"],"_cs_type":"threat","_cs_vendors":["Palo Alto Networks"],"content_html":"\u003cp\u003eCVE-2026-0241 describes a set of authorization bypass vulnerabilities affecting Palo Alto Networks Trust Protection Foundation. 
An attacker exploiting these vulnerabilities could potentially bypass access controls and perform unauthorized actions on restricted resources. The affected versions include 25.3.0 before 25.3.3, 25.1.0 before 25.1.8, 24.3.0 before 24.3.6, and 24.1.0 before 24.1.13. Palo Alto Networks internally discovered these vulnerabilities. There is currently no evidence of active exploitation in the wild. Successful exploitation could lead to unauthorized data access or modification within the Trust Protection Foundation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable instance of Trust Protection Foundation (versions 25.3.0 \u0026lt; 25.3.3, 25.1.0 \u0026lt; 25.1.8, 24.3.0 \u0026lt; 24.3.6, or 24.1.0 \u0026lt; 24.1.13).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request to a restricted resource, exploiting the incorrect authorization check (CWE-754).\u003c/li\u003e\n\u003cli\u003eThe Trust Protection Foundation instance fails to properly validate the attacker\u0026rsquo;s permissions due to the authorization bypass.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the restricted resource (CAPEC-122).\u003c/li\u003e\n\u003cli\u003eThe attacker performs unauthorized actions, such as viewing sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker may modify restricted configurations or data within the Trust Protection Foundation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-0241 allows attackers to bypass intended access controls within Palo Alto Networks Trust Protection Foundation. This can lead to unauthorized data access, modification, or other actions depending on the specific resource targeted. 
Palo Alto Networks is not aware of any malicious exploitation of this issue.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Trust Protection Foundation to the fixed versions: 25.3.3, 25.1.8, 24.3.6, or 24.1.13 as detailed in the advisory.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious activity targeting Trust Protection Foundation instances that may indicate exploitation attempts of CVE-2026-0241.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:05:03Z","date_published":"2026-05-13T16:05:03Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0241-auth-bypass/","summary":"CVE-2026-0241 describes multiple incorrect authorization vulnerabilities in Palo Alto Networks Trust Protection Foundation that allow attackers to bypass access controls and perform unauthorized actions on restricted resources.","title":"CVE-2026-0241: Trust Protection Foundation Authorization Bypass Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0241-auth-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PAN-OS"],"_cs_severities":["medium"],"_cs_tags":["ssrf","cve-2026-0258","network","palo alto networks"],"_cs_type":"advisory","_cs_vendors":["Palo Alto Networks"],"content_html":"\u003cp\u003eA server-side request forgery (SSRF) vulnerability, identified as CVE-2026-0258, exists within the IKEv2 implementation of Palo Alto Networks PAN-OS software. This flaw allows an unauthenticated attacker to manipulate the firewall into sending network requests to unintended destinations. Successful exploitation can result in a denial-of-service (DoS) condition. 
This vulnerability affects PAN-OS versions 12.1 prior to 12.1.4-h5 and 12.1.7, 11.2 prior to 11.2.4-h17, 11.2.7-h13, 11.2.10-h6 and 11.2.12, 11.1 prior to 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5 and 11.1.15, and 10.2 prior to 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7 and 10.2.18-h6. Panorama, Cloud NGFW, and Prisma Access are not affected. The vulnerability is triggered during IKEv2 certificate URL fetching when a Site-to-Site VPN Gateway with IKEv2 is configured.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable PAN-OS firewall with a Site-to-Site VPN Gateway configured for IKEv2.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious IKEv2 request containing a URL for certificate retrieval.\u003c/li\u003e\n\u003cli\u003eThe crafted URL specifies an internal or unintended external destination.\u003c/li\u003e\n\u003cli\u003eThe PAN-OS firewall, acting as the IKEv2 initiator, parses the malicious IKEv2 request.\u003c/li\u003e\n\u003cli\u003eThe firewall attempts to fetch the certificate from the attacker-controlled URL.\u003c/li\u003e\n\u003cli\u003eThe firewall sends an HTTP(S) request to the specified URL.\u003c/li\u003e\n\u003cli\u003eIf the URL points to an internal resource, the attacker can potentially probe internal services.\u003c/li\u003e\n\u003cli\u003eIf the URL points to an external resource, the attacker can cause the firewall to participate in a DDoS attack or expose sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-0258 can allow an unauthenticated attacker to perform reconnaissance activities against internal network resources, potentially leading to the discovery of sensitive information. 
The attacker may also trigger a denial-of-service condition by causing the firewall to consume excessive resources or by directing traffic to unintended destinations. While the vulnerability has a medium severity rating, successful exploitation can compromise the confidentiality, integrity, and availability of the affected firewall and the network it protects. Palo Alto Networks is not aware of any malicious exploitation of this issue at this time.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade PAN-OS to a fixed version as specified in the Palo Alto Networks advisory, prioritizing versions 12.1.7, 11.2.12, 11.1.15, and 10.2.18-h6 (see Product Status table in the advisory).\u003c/li\u003e\n\u003cli\u003eIf immediate patching is not feasible, mitigate the risk by removing all IKEv2 VPN gateway configurations, as mentioned in the \u0026ldquo;Workarounds and Mitigations\u0026rdquo; section of the advisory.\u003c/li\u003e\n\u003cli\u003eCustomers with a Threat Prevention subscription should enable Threat ID 510014 to block potential attacks, as recommended in the \u0026ldquo;Workarounds and Mitigations\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual outbound connections originating from PAN-OS firewalls, especially connections to internal resources that the firewall should not normally access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:04:40Z","date_published":"2026-05-13T16:04:40Z","id":"https://feed.craftedsignal.io/briefs/2026-05-panos-ssrf/","summary":"CVE-2026-0258 is a medium severity server-side request forgery (SSRF) vulnerability in Palo Alto Networks PAN-OS that allows an unauthenticated attacker to cause the firewall to send network requests to unintended destinations, potentially leading to a denial of service (DoS).","title":"CVE-2026-0258 PAN-OS SSRF vulnerability in IKEv2 certificate URL 
fetching","url":"https://feed.craftedsignal.io/briefs/2026-05-panos-ssrf/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Trust Protection Foundation"],"_cs_severities":["medium"],"_cs_tags":["information-disclosure","cve-2026-0240","palo alto networks"],"_cs_type":"advisory","_cs_vendors":["Palo Alto Networks"],"content_html":"\u003cp\u003eCVE-2026-0240 is a sensitive information disclosure vulnerability affecting Palo Alto Networks Trust Protection Foundation. An authenticated attacker can exploit this vulnerability to gain access to sensitive information stored within the server\u0026rsquo;s vault. The vulnerability exists due to insufficient access controls on sensitive data. Successful exploitation could enable an attacker to impersonate any user within the environment and arbitrarily modify configuration settings. This issue was discovered internally by Palo Alto Networks security research teams and affects Trust Protection Foundation versions 25.3.0 before 25.3.3, 25.1.0 before 25.1.8, 24.3.0 before 24.3.6, and 24.1.0 before 24.1.13. 
Palo Alto Networks is not aware of any malicious exploitation of this issue.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the Trust Protection Foundation application with low-level privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted request to the server targeting the component responsible for managing the vault.\u003c/li\u003e\n\u003cli\u003eDue to missing access controls, the request bypasses intended security checks.\u003c/li\u003e\n\u003cli\u003eThe server exposes sensitive information from the vault, such as user credentials, API keys, or configuration details.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the disclosed credentials to impersonate other users with higher privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages impersonated privileges to modify configuration settings, potentially compromising the entire system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-0240 allows an authenticated attacker to obtain sensitive information, impersonate users, and arbitrarily modify configuration settings within the Trust Protection Foundation environment. This could lead to a complete compromise of the system\u0026rsquo;s confidentiality and integrity. While the specific number of affected customers is not disclosed, organizations using vulnerable versions of Trust Protection Foundation are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Trust Protection Foundation to a patched version. 
Specifically, upgrade to version 25.3.3 or later if running 25.3.0 through 25.3.2, 25.1.8 or later if running 25.1.0 through 25.1.7, 24.3.6 or later if running 24.3.0 through 24.3.5, or 24.1.13 or later if running 24.1.0 through 24.1.12 (see Solution section).\u003c/li\u003e\n\u003cli\u003eMonitor Trust Protection Foundation logs for suspicious activity indicative of unauthorized access or data exfiltration.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to detect potential exploitation attempts in your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:03:59Z","date_published":"2026-05-13T16:03:59Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0240/","summary":"CVE-2026-0240 is a medium severity information disclosure vulnerability in Palo Alto Networks Trust Protection Foundation, allowing an authenticated attacker to obtain sensitive information from the server's vault, potentially leading to user impersonation and arbitrary modification of configuration settings.","title":"CVE-2026-0240 Trust Protection Foundation Sensitive Information Disclosure Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0240/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["GlobalProtect App"],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","cve-2026-0251","palo alto networks","globalprotect"],"_cs_type":"advisory","_cs_vendors":["Palo Alto Networks"],"content_html":"\u003cp\u003eMultiple local privilege escalation vulnerabilities, tracked as CVE-2026-0251, affect Palo Alto Networks GlobalProtect App versions before 6.3.3-h9 on Windows and macOS, and before 6.3.3-h2 on Linux. A local, non-administrative user can exploit these vulnerabilities to escalate their privileges to NT AUTHORITY\\SYSTEM on Windows and root on macOS and Linux. 
Successful exploitation allows the attacker to execute arbitrary commands with administrative privileges. The GlobalProtect app on iOS, Android, and Chrome OS, and the GlobalProtect UWP app, are not affected. Palo Alto Networks internally discovered these vulnerabilities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA non-administrative user gains local access to a system with a vulnerable version of the GlobalProtect App installed.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies an exploitable path within the GlobalProtect App due to an untrusted search path (CWE-426).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious executable or script and places it in a directory where the GlobalProtect App will search for it.\u003c/li\u003e\n\u003cli\u003eThe GlobalProtect App, running with elevated privileges (NT AUTHORITY\\SYSTEM on Windows, root on macOS/Linux), attempts to load or execute the malicious file.\u003c/li\u003e\n\u003cli\u003eDue to the untrusted search path, the attacker\u0026rsquo;s malicious file is executed instead of the intended legitimate application component.\u003c/li\u003e\n\u003cli\u003eThe malicious code executes with the elevated privileges of the GlobalProtect App.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to execute arbitrary commands.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-0251 allows a local, non-administrative user to gain full administrative control over the affected system. This can lead to unauthorized data access, modification, or deletion, installation of malware, and complete system compromise. 
Palo Alto Networks is not aware of any malicious exploitation of these issues.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade GlobalProtect App on Windows to version 6.0.13 or later for 6.0, 6.2.8-h10 (6.2.8-948) or later for 6.2, and 6.3.3-h9 (6.3.3-999) or later for 6.3 to remediate CVE-2026-0251 as per the vendor advisory.\u003c/li\u003e\n\u003cli\u003eUpgrade GlobalProtect App on macOS to version 6.0.13 or later for 6.0, 6.2.8-h10 (6.2.8-948) or later for 6.2, and 6.3.3-h9 (6.3.3-999) or later for 6.3 to remediate CVE-2026-0251 as per the vendor advisory.\u003c/li\u003e\n\u003cli\u003eUpgrade GlobalProtect App on Linux to version 6.0.11 or later for 6.0 and 6.3.3-h2 (6.3.3-42) or later for 6.2 and 6.3 to remediate CVE-2026-0251 as per the vendor advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:02:54Z","date_published":"2026-05-13T16:02:54Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0251-globalprotect-lpe/","summary":"Multiple local privilege escalation vulnerabilities exist in Palo Alto Networks GlobalProtect App, allowing a local user to escalate privileges to NT AUTHORITY\\SYSTEM on Windows and root on macOS and Linux, enabling arbitrary command execution with administrative privileges.","title":"CVE-2026-0251: Palo Alto Networks GlobalProtect App Local Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0251-globalprotect-lpe/"}],"language":"en","title":"CraftedSignal Threat Feed — Palo-Alto-Networks","version":"https://jsonfeed.org/version/1.1"}