Palo Alto Patches CVSS 9.2 Buffer Overflow, Warns of Auth Bypass Exploitation
Palo Alto Networks addresses 13 PAN-OS vulnerabilities including CVE-2026-0288 (CVSS 9.2) buffer overflow and CVE-2026-0257 auth bypass under active exploitation by unknown threat actors.
Palo Alto Networks released security advisories on July 8, 2026, addressing 13 vulnerabilities across its PAN-OS firewall software, including a high-severity buffer overflow rated CVSS 9.2 that could allow unauthenticated attackers to crash devices or potentially execute arbitrary code.
Separately, Unit 42 published a threat brief warning that an unknown threat actor is actively exploiting a different PAN-OS vulnerability, CVE-2026-0257, an authentication bypass affecting GlobalProtect portal and gateway components. The disclosure follows a pattern of Palo Alto vulnerabilities drawing attacker attention that we've documented throughout 2026.
Critical Buffer Overflow: CVE-2026-0288
The most severe flaw in the batch, CVE-2026-0288, affects the User-ID Terminal Server Agent (TSA) component. An attacker with network access to the TSA IP and port can trigger multiple buffer overflow conditions without authentication or user interaction.
Successful exploitation corrupts memory and could allow remote code execution or denial of service against the firewall. Palo Alto assigned its "HIGHEST" urgency rating to this vulnerability.
Affected Versions
The buffer overflow impacts:
- PAN-OS 12.1 (prior to 12.1.5)
- PAN-OS 11.2 (prior to 11.2.7)
- PAN-OS 11.1 (prior to 11.1.8)
- PAN-OS 10.2 (prior to 10.2.15)
Only devices with at least one Terminal Server Agent entry configured under Device > User Identification > Terminal Server Agents are vulnerable. Organizations not using the TSA feature are unaffected.
Interim Mitigation
Until patches can be applied, Palo Alto recommends restricting User-ID Terminal Server Agent connectivity to trusted internal IP addresses only, following the vendor's best-practice deployment guidelines.
Active Exploitation of CVE-2026-0257
The authentication bypass in GlobalProtect represents a more immediate threat. Unit 42 confirmed that attackers are actively probing vulnerable systems, though the campaign has achieved limited success so far.
"This security flaw involves an authentication bypass in the portal and gateway components of vulnerable versions of PAN-OS software, which could allow unauthorized attackers to circumvent security controls and initiate VPN connections," Unit 42 researchers wrote in their threat brief.
The unidentified threat actor uses suspicious MAC addresses and hostnames that appear fabricated, suggesting automated reconnaissance. Unit 42 shared indicators of compromise including:
Suspicious IP addresses:
- 23.128.228[.]6
- 104.207.144[.]154
- 146.19.216[.]119-120
- 146.19.216[.]125
- 179.43.172[.]213
- 185.195.232[.]139
Suspicious client identifiers:
- MAC addresses: aa:bb:cc:dd:ee:ff, 00:11:22:33:44:55
- Hostnames: WINDOWS-LAPTOP-001, DESKTOP-GP01, GP-CLIENT
Other Notable Patches
The July 8 advisory batch addresses several additional flaws across PAN-OS and Prisma Access Agent. Among them, CVE-2026-0287 involves denial-of-service vulnerabilities in network traffic processing that could interrupt firewall operations.
Palo Alto stated it is not aware of active exploitation for CVE-2026-0288 or most other patched vulnerabilities—CVE-2026-0257 being the exception.
Why This Matters
Palo Alto firewalls sit at network perimeters protecting some of the world's largest enterprises. A vulnerability enabling unauthenticated code execution or VPN bypass represents a direct path into corporate networks.
The active exploitation of CVE-2026-0257 demonstrates that threat actors monitor security advisories closely and move quickly against high-value targets. Even with limited initial success, the reconnaissance activity indicates ongoing interest in compromising GlobalProtect deployments. Similar patterns emerged during the Fortinet FortiGate exploitation campaigns earlier this year.
Organizations running Palo Alto equipment should review the full advisory list at security.paloaltonetworks.com and prioritize patching based on their deployment configuration.
Recommended Actions
- Identify exposure - Determine if your PAN-OS devices have TSA configured or run GlobalProtect services
- Apply patches - Update to the fixed versions listed in each security advisory
- Restrict access - Limit TSA and management interfaces to trusted internal networks
- Hunt for IOCs - Search GlobalProtect logs for the suspicious identifiers Unit 42 published
- Monitor authentication - Watch for unusual VPN connection attempts or failed authentication spikes
Security teams should also consider this advisory batch when planning for Microsoft's upcoming July 14 Patch Tuesday, which will include Kerberos RC4 enforcement changes that could affect authentication across domain environments.
Related Articles
Palo Alto GlobalProtect Auth Bypass Under Active Attack — CISA KEV
CVE-2026-0257 lets attackers forge VPN cookies to access internal networks without credentials. CISA adds to KEV after Rapid7 confirms exploitation since May 17. Federal deadline June 19.
May 30, 2026Palo Alto Patches GlobalProtect DoS Flaw With Public PoC
CVE-2026-0227 allows unauthenticated attackers to crash firewalls via malformed packets. Proof-of-concept code is publicly available.
Jan 15, 2026Palo Alto Firewalls Under Active Attack via Root-Level RCE Flaw
CVE-2026-0300 allows unauthenticated attackers to execute code as root on PA-Series and VM-Series firewalls. Patches coming May 13—here's how to mitigate now.
May 6, 2026Telnetd Flaw Lets Attackers Get Root Before Login Prompt
CVE-2026-32746 (CVSS 9.8) in GNU InetUtils telnetd enables unauthenticated root RCE via buffer overflow. FreeBSD, NetBSD, Citrix NetScaler affected.
Apr 1, 2026