Palo Alto Networks Patches Critical PAN-OS Vulnerability CVE-2024-3400 for RCE
Key Takeaways Palo Alto Networks has addressed a critical vulnerability, CVE-2026-0288, in its PAN-OS. The flaw, rated 9.2 CVSS-B, could enable unauthenticated remote code execution or...
Key Takeaways
- Palo Alto Networks has addressed a critical vulnerability, CVE-2026-0288, in its PAN-OS.
- The flaw, rated 9.2 CVSS-B, could enable unauthenticated remote code execution or denial-of-service.
- Affected systems include various PAN-OS branches and specific Prisma Access versions, but only if the User-ID Terminal Server Agent (TSA) is configured.
- Patches are available across multiple hotfix branches, and immediate application is strongly recommended.
- No active exploitation has been observed to date, but the vendor has assigned the highest urgency rating.
Palo Alto Networks PAN-OS Vulnerability Addressed
Palo Alto Networks has issued a critical security advisory concerning a severe vulnerability within its PAN-OS software. The flaw, identified as CVE-2026-0288, has the potential to allow threat actors to execute arbitrary code remotely or trigger a denial-of-service condition without requiring authentication, simply by sending specially crafted network traffic to susceptible devices.
Table Of Content
This high-severity issue has been assigned a CVSS-B score of 9.2 (HIGH, CVSS-BT: 7.2) and has received the highest urgency rating from the vendor. The core problem lies in multiple buffer overflow vulnerabilities within the User-ID Terminal Server Agent (TSA) component of PAN-OS.
Technical Details and Impact
Exploitation of CVE-2026-0288 is possible for an attacker with network access to the TSA IP address and port. No authentication or user interaction is required. Successful exploitation could lead to memory corruption, potentially resulting in remote code execution or a crash of the affected service. It is crucial to note that only devices with at least one Terminal Server Agent entry configured under Device > User Identification > Terminal Server Agents are vulnerable. Panorama appliances are not affected, nor is Cloud NGFW on AWS.
Affected Versions
The vulnerability impacts several PAN-OS branches, including:
- PAN-OS 12.1: versions prior to 12.1.4-h8, 12.1.7-h2, or 12.1.8
- PAN-OS 11.2: versions prior to 11.2.4-h20, 11.2.7-h18, 11.2.10-h12, or 11.2.13
- PAN-OS 11.1: versions prior to 11.1.4-h35 through 11.1.16 (encompassing multiple hotfix branches)
- PAN-OS 10.2: versions prior to 10.2.7-h36 through 10.2.18-h8
- Prisma Access 11.2.0 and 10.2.0 (rated MEDIUM severity for Prisma Access due to additional authentication requirements)
Palo Alto Networks notes that the overall risk severity depends significantly on exposure. Devices with TSA exposed to the internet or untrusted networks face the highest severity (CVSS-B 9.2). Conversely, systems where TSA access is restricted to trusted internal IP addresses experience a reduced risk, with a CVSS-B score of 7.7. The vendor has stated that, as of their advisory, they are unaware of any active exploitation attempts targeting this vulnerability.
Remediation and Mitigation
Palo Alto Networks strongly advises organizations to apply patches immediately across all affected branches. Specific fixed versions vary by minor release, and a comprehensive solution table is available in the official advisory. For Prisma Access customers, upgrades will be deployed during scheduled maintenance cycles, though on-demand upgrades can be requested via support channels.
As an immediate interim mitigation strategy, organizations should restrict User-ID Terminal Server Agent connectivity to only trusted internal IP addresses. This aligns with Palo Alto Networks’ best-practice deployment guidelines and significantly reduces the attack surface even before patches are fully applied.
The discovery of this vulnerability is credited to security researcher Liang Zhu. Given the unauthenticated, network-based attack vector, low complexity, and lack of required privileges, organizations with exposed TSA configurations must prioritize patching without delay.
What You Should Do
- Apply Patches Immediately: Upgrade all affected PAN-OS devices to the specified patched versions as soon as possible. Refer to the official Palo Alto Networks advisory for a complete list of fixed releases.
- Restrict TSA Access: Ensure that User-ID Terminal Server Agent connectivity is strictly limited to trusted internal IP addresses, adhering to Palo Alto Networks’ best practices.
- Monitor for Updates: Stay informed on any further advisories or updates from Palo Alto Networks regarding this vulnerability.
- Review Network Segmentation: Evaluate network segmentation strategies to minimize exposure of critical services like TSA to untrusted networks.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.