Prisma SD-WAN — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/prisma-sd-wan/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 13 May 2026 16:08:49 +0000CVE-2026-0243: Prisma SD-WAN Denial-of-Service via Crafted IPv6 Packethttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-0243-prisma-sdwan-dos/Wed, 13 May 2026 16:08:49 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-0243-prisma-sdwan-dos/An unauthenticated, adjacent attacker can disrupt Palo Alto Networks Prisma SD-WAN ION devices by sending a specially crafted IPv6 packet, leading to a denial-of-service condition.A denial-of-service (DoS) vulnerability, identified as CVE-2026-0243, affects Palo Alto Networks Prisma SD-WAN ION devices. An unauthenticated attacker, positioned in a network adjacent to a vulnerable device, can exploit this flaw by transmitting a specially crafted IPv6 packet. Successful exploitation results in a system disruption, impacting availability. The vulnerability affects Prisma SD-WAN ION versions prior to 6.5.3-b15, 6.4.3-b8, and 6.3.6-b10. The device must have IPv6 enabled for the vulnerability to be exploitable. Palo Alto Networks internally discovered this issue.

Attack Chain

  1. Attacker identifies a target Prisma SD-WAN ION device with IPv6 enabled.
  2. Attacker crafts a malicious IPv6 packet specifically designed to trigger the DoS vulnerability.
  3. Attacker transmits the crafted IPv6 packet to the target Prisma SD-WAN ION device from an adjacent network.
  4. The device receives and processes the malicious IPv6 packet.
  5. The processing of the crafted packet triggers excessive resource allocation or an unchecked loop condition.
  6. The device’s system resources (CPU, memory) become exhausted due to the excessive resource allocation.
  7. The device becomes unresponsive and unable to process legitimate network traffic.
  8. The Prisma SD-WAN ION device experiences a denial-of-service condition, disrupting network operations.

Impact

Successful exploitation of CVE-2026-0243 results in a denial-of-service condition on affected Prisma SD-WAN ION devices. This disruption can lead to network outages, impacting business operations that rely on the SD-WAN infrastructure. Palo Alto Networks is not aware of any malicious exploitation of this issue in the wild.

Recommendation

  • Upgrade Prisma SD-WAN ION to version 6.5.3-b15, 6.4.3-b8, or 6.3.6-b10 or later to remediate CVE-2026-0243.
  • Disable IPv6 on Prisma SD-WAN ION devices if it is not required as a workaround.
  • Deploy the Sigma rule “Detect Suspicious IPv6 Traffic to Prisma SD-WAN ION” to identify potentially malicious IPv6 packets targeting Prisma SD-WAN devices.
]]>mediumadvisorydenial-of-servicenetworkPrisma SD-WAN