Attack Chain

1. A local user gains access to a system with a vulnerable version of Prisma Access Agent installed (versions < 26.2.1 on macOS or Windows).
2. The attacker leverages a low-complexity attack vector to interact with the Prisma Access Agent.
3. Due to insufficient access controls or data protection mechanisms, the attacker is able to access sensitive configuration files or memory regions used by the agent.
4. The attacker successfully extracts sensitive information, which may include credentials, API keys, or other configuration parameters.
5. The attacker analyzes the disclosed data to identify valuable assets or potential attack vectors within the organization’s network.
6. The attacker may use the stolen credentials to impersonate legitimate users or services, gaining unauthorized access to protected resources.

Impact

Successful exploitation of CVE-2026-0245 allows a local attacker to access sensitive configuration data and credentials stored by the Prisma Access Agent. This information could be used to gain unauthorized access to the organization’s network or cloud resources, potentially leading to data breaches, service disruptions, or other security incidents.

Recommendation

• Upgrade Prisma Access Agent to version 26.2.1 or later on macOS and Windows systems to remediate CVE-2026-0245.
• Monitor systems for unauthorized access to Prisma Access Agent configuration files or memory regions.
• Deploy the Sigma rule Detect Suspicious Prisma Access Agent Configuration Access to detect potential exploitation attempts.