CVE-2026-0288: PAN-OS TSA Buffer Overflows Score CVSS 9.2

PAN-OS CVE-2026-0288 Terminal Server Agent buffer overflow vulnerability advisory patch required

A single crafted network request can transform a Palo Alto Networks firewall from a security boundary into an entry point. A vulnerability in PAN-OS allows a remote, unauthenticated attacker to disrupt device operation and potentially execute arbitrary code. Palo Alto Networks has published the full CVE-2026-0288 security advisory with patch details and mitigations.

What Is CVE-2026-0288?

The flaw is tracked as CVE-2026-0288. It affects the User-ID Terminal Server Agent component, commonly abbreviated as TSA. Multiple buffer overflows can corrupt memory during the processing of malicious network traffic. An attacker needs only network access to the TSA address and port. No credentials or user interaction are required.

Severity and Risk Factors

Palo Alto Networks has assigned the vulnerability a high severity rating and the highest urgency for remediation. The base CVSS 4.0 score reaches 9.2, while the threat-adjusted score sits at 7.2. Systems at greatest risk expose the Terminal Server Agent port to the internet. Those with TSA accessible from untrusted networks are also at elevated risk.

Which Deployments Are Affected?

Only devices with at least one Terminal Server Agent entry configured are vulnerable. Administrators can verify their configuration under Device, User Identification, Terminal Server Agents. The Panorama centralized management platform is not affected. Cloud NGFW deployments in AWS also do not require patching. Owners of Azure deployments should consult Palo Alto Networks notifications for their specific guidance.

Affected Versions

The vulnerability affects multiple releases across PAN-OS 10.2, 11.1, 11.2, and 12.1, as well as Prisma Access 10.2 and 11.2. Palo Alto Networks has already released patched builds. The correct version depends on the specific branch and installed hotfix package. For older, unsupported versions, the vendor recommends migrating to a current, protected release. Prisma Access customers will receive the update during the next scheduled maintenance window. Early deployment can be requested through the support channel.

Immediate Mitigations While Patching

Until the patch is installed, Palo Alto Networks advises restricting Terminal Server Agent connections to trusted internal IP addresses only. Administrators should also block the corresponding port from internet-facing interfaces. These measures substantially reduce the attack surface, though they do not substitute for installing the fix.

Exploitation Status and Discovery

At the time of publication, Palo Alto Networks has found no evidence of CVE-2026-0288 being exploited in active attacks. Researcher Liang Zhu discovered the vulnerability and reported it to the vendor.

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Leave a Reply