VYPR
patchPublished Jul 9, 2026· 1 source

Critical PAN-OS Vulnerability Allows Arbitrary Code Execution via Crafted Network Traffic

Palo Alto Networks has disclosed CVE-2026-0288, a critical vulnerability in PAN-OS that allows unauthenticated attackers to execute arbitrary code or cause a denial-of-service by sending specially crafted network traffic.

Palo Alto Networks has issued a critical alert regarding CVE-2026-0288, a severe vulnerability affecting its PAN-OS network operating system. This flaw, carrying a CVSS-B score of 9.2, enables unauthenticated attackers to execute arbitrary code or induce a denial-of-service (DoS) by transmitting malicious network packets. The vulnerability specifically targets the User-ID Terminal Server Agent (TSA) component, a part of PAN-OS responsible for managing user identification services.

Exploitation of CVE-2026-0288 is facilitated by multiple buffer overflow vulnerabilities within the TSA. An attacker who can reach the TSA's IP address and port, without needing any credentials or user interaction, can corrupt memory. This memory corruption can lead to the execution of arbitrary code on the affected device or cause the TSA service to crash, resulting in a denial-of-service condition. The vulnerability is present in several major PAN-OS versions, including branches of PAN-OS 12.1, 11.2, 11.1, and 10.2, as well as specific versions of Prisma Access.

Palo Alto Networks has detailed the affected versions, noting that the severity of the risk depends on the exposure of the TSA configuration. Devices with TSA exposed to the internet or untrusted networks are at the highest risk, rated with a CVSS-B score of 9.2. However, even for devices where TSA access is restricted to trusted internal IP addresses, the risk remains significant, with a CVSS-B score of 7.7.

The vendor has emphasized that while they are not aware of any active exploitation of this vulnerability in the wild at this time, immediate patching is strongly recommended for all affected systems. The specific fixed versions vary across the different PAN-OS branches, and customers are advised to consult the official advisory for precise patch details. For Prisma Access customers, upgrades will be rolled out during scheduled maintenance, though on-demand upgrades are an option.

As an interim mitigation measure, organizations can significantly reduce their attack surface by restricting User-ID Terminal Server Agent connectivity to only trusted internal IP addresses. This aligns with Palo Alto Networks' best-practice guidelines and provides a layer of defense until patches can be applied. This step is crucial for minimizing the potential impact of the vulnerability.

The discovery of CVE-2026-0288 was made by security researcher Liang Zhu, who responsibly disclosed the findings to Palo Alto Networks. The combination of a network-based attack vector, low exploitation complexity, and the potential for remote code execution makes this a critical vulnerability that demands prompt attention from administrators managing PAN-OS devices with TSA configurations.

This vulnerability underscores the ongoing challenges in securing network infrastructure, particularly components that handle user identification and authentication. The ability for unauthenticated network access to trigger such severe outcomes highlights the importance of robust network segmentation and strict access controls, even for internal services.

Synthesized by Vypr AI