Published on July 10, 2026
Palo Alto PAN-OS Vulnerability Allows Arbitrary Code Execution Through Malicious Network Traffic
Severity
High
Detail
Palo Alto Networks has released security updates to address a high-severity vulnerability in PAN-OS that could allow unauthenticated attackers to execute arbitrary code or cause a denial-of-service (DoS) condition by sending specially crafted network traffic. The vulnerability tracked as CVE-2026-0288 affects the User-ID Terminal Server Agent (TSA) component in PAN-OS and is caused by multiple buffer overflow vulnerabilities.
An attacker with network access to the configured TSA IP address and port can exploit the flaw without requiring authentication or user interaction, potentially resulting in remote code execution or service disruption. The issue only affects devices with at least one Terminal Server Agent entry configured under Device > User Identification > Terminal Server Agents. Panorama and Cloud NGFW on AWS are not affected.
At the time of publication, there is no evidence of active exploitation of this vulnerability. However, organizations with TSA services exposed to the internet or untrusted networks are at the highest risk and should apply the appropriate security updates immediately.
| CVE ID | Summary | CVSS Score |
| CVE-2026-0288 | Multiple buffer overflow vulnerabilities in the PAN-OS User-ID TSA allow unauthenticated attackers to execute arbitrary code or trigger a DoS condition via specially crafted network traffic. | 9.2 (High) |
Affected Products
The vulnerability affects the following PAN-OS versions with TSA configured:
- PAN-OS 12.1 versions prior to 12.1.4-h8, 12.1.7-h2, or 12.1.8.
- PAN-OS 11.2 versions prior to 11.2.4-h20, 11.2.7-h18, 11.2.10-h12, or 11.2.13.
- PAN-OS 11.1 versions prior to 11.1.16 (including affected hotfix branches).
- PAN-OS 10.2 versions prior to 10.2.18-h8 (including affected hotfix branches).
- Prisma Access 11.2.0 and 10.2.0 (Medium severity due to authentication requirements).
Recommendation
Organizations using affected PAN-OS versions should take the following actions immediately:
- Immediately upgrade PAN-OS to the fixed version applicable to the deployed release branch.
- Prioritize patch deployment on internet-facing firewalls or systems with TSA enabled.
- Restrict TSA connectivity to trusted internal IP addresses only until patches can be applied.
- Verify that unnecessary TSA configurations are removed or disabled if not required.
Source
https://cybersecuritynews.com/palo-alto-networks-pan-os-vulnerability/
