Palo Alto PAN-OS Vulnerability Allows Arbitrary Code Execution Through Malicious Network Traffic
Palo Alto Networks has disclosed a high-severity vulnerability in PAN-OS that could allow unauthenticated attackers to execute arbitrary code or trigger a denial-of-service (DoS) condition by sending specially crafted network traffic.
Tracked as CVE-2026-0288, the flaw carries a CVSS-B score of 9.2 (HIGH, CVSS-BT: 7.2) and has been assigned the HIGHEST urgency rating by the vendor.
The issue stems from multiple buffer overflow vulnerabilities in the User-ID Terminal Server Agent (TSA) component of PAN-OS. An attacker with network access to the TSA IP and port requiring no authentication or user interaction can exploit the flaw to corrupt memory, potentially achieving remote code execution or crashing the affected service.
The vulnerability only affects devices with at least one Terminal Server Agent entry configured, found under Device > User Identification > Terminal Server Agents. Notably, Panorama is not impacted, and Cloud NGFW on AWS remains unaffected.
Palo Alto Networks PAN-OS Vulnerability
The flaw spans multiple PAN-OS branches:
- PAN-OS 12.1: versions before 12.1.4-h8, 12.1.7-h2, or 12.1.8
- PAN-OS 11.2: versions before 11.2.4-h20, 11.2.7-h18, 11.2.10-h12, or 11.2.13
- PAN-OS 11.1: versions before 11.1.4-h35 through 11.1.16 (multiple hotfix branches)
- PAN-OS 10.2: versions before 10.2.7-h36 through 10.2.18-h8
- Prisma Access 11.2.0 and 10.2.0 (rated MEDIUM severity due to authentication requirements)
Palo Alto Networks notes that risk severity varies by exposure. Devices with TSA exposed to the internet or untrusted networks face the HIGH severity rating (CVSS-B 9.2), while those restricting TSA access to trusted internal IPs see reduced risk (CVSS-B 7.7). The vendor states it is not aware of any active exploitation of this vulnerability at this time.
Palo Alto Networks urges immediate patching across all affected branches, with specific fixed versions varying by minor release (see full solution table in the advisory).
For Prisma Access customers, upgrades will roll out during scheduled maintenance cycles, though on-demand upgrades can be requested through support.
As an interim mitigation, organizations should restrict User-ID Terminal Server Agent connectivity to trusted internal IP addresses only, in accordance with Palo Alto Networks’ best-practice deployment guidelines. This significantly reduces the attack surface even before patches are applied.
The vulnerability was responsibly disclosed by security researcher Liang Zhu, credited by Palo Alto Networks for the discovery. Given the network-based attack vector, low complexity, and lack of required privileges, organizations running exposed TSA configurations should prioritize patching immediately.
Stop Accepting SLAs Written for 2019 SOCs – Here’s the 2026 AI SLA Vendor Checklist – Download Free AI SOC SLA Guide
The post Palo Alto PAN-OS Vulnerability Allows Arbitrary Code Execution Through Malicious Network Traffic appeared first on Cyber Security News.
Guru Baran
Go to cyber-security-news