Skip to main content

Prisma SD-WAN ION CVE-2026-0243

| EUVDEUVD-2026-30135 MEDIUM
Unchecked Input for Loop Condition (CWE-606)
2026-05-13 palo_alto GHSA-j263-ghj6-w2q7
4.9
CVSS 4.0 · Vendor: palo_alto
Share

Severity by source

Vendor (palo_alto) PRIMARY
4.9 MEDIUM
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:D/RE:M/U:Amber

Primary rating from Vendor (palo_alto) · only source for this CVE.

CVSS VectorVendor: palo_alto

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:D/RE:M/U:Amber
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
Jun 08, 2026 - 11:04 vuln.today
Patch available
May 13, 2026 - 21:02 EUVD
CVSS changed
May 13, 2026 - 20:22 NVD
4.9 (MEDIUM)
CVE Published
May 13, 2026 - 19:10 nvd
MEDIUM 4.9

DescriptionCVE.org

A denial of service (DoS) vulnerability in Palo Alto Networks Prisma SD-WAN ION devices enables an unauthenticated attacker in a network adjacent to a Prisma SD-WAN ION device to cause a system disruption by sending a specially crafted IPv6 packet.

AnalysisAI

Denial of service in Palo Alto Networks Prisma SD-WAN ION devices allows an unauthenticated attacker with adjacent network access to crash or disrupt the device by sending a specially crafted IPv6 packet. The vulnerability (CWE-606) exists across three active release branches of the ION software, with fixed versions available from Palo Alto Networks. No public exploit code exists and no active exploitation has been identified at time of analysis, with EPSS at 0.03% and SSVC confirming exploitation status as none.

Technical ContextAI

Prisma SD-WAN ION devices are physical or virtual network appliances used in Palo Alto Networks' SD-WAN fabric for branch connectivity and traffic management. The root cause is CWE-606 (Unchecked Input for Loop Condition), meaning the IPv6 packet processing code fails to validate input before using it to control a loop - a crafted packet can cause an unbounded or abnormally large loop iteration, exhausting CPU or memory resources and triggering a system disruption. The affected CPE is cpe:2.3:a:palo_alto_networks:prisma_sd-wan_ion:*:*:*:*:*:*:*:*, covering all sub-versions of the 6.3, 6.4, and 6.5 release branches below their respective fix thresholds. The CVSS 4.0 vector (AV:A) confirms exploitation requires adjacent network positioning, meaning the attacker must be on the same network segment, VLAN, or directly connected link as the ION device.

RemediationAI

The primary fix is to upgrade affected ION devices to a patched software version: 25.3.3 or later for the 6.5.0 branch, 25.1.8 or later for the 6.4.0 branch, or 24.3.6 or later for the 6.3.0 branch, as confirmed by EUVD-2026-30135 and the Palo Alto advisory at https://security.paloaltonetworks.com/CVE-2026-0243. As a compensating control prior to patching, network administrators should restrict adjacent network access to ION device management and data-plane interfaces by implementing strict ACLs or 802.1Q VLAN segmentation to ensure only authorized devices share the same Layer 2 segment. If IPv6 is not operationally required in the deployment, disabling IPv6 on affected ION interfaces would eliminate the attack surface for this specific vulnerability, though this may impact IPv6-dependent SD-WAN features and should be validated in a non-production environment first. Recovery from exploitation requires manual intervention (R:U per CVSS supplemental), so organizations should also ensure monitoring and alerting are in place for ION device availability anomalies to reduce mean time to detect.

Share

CVE-2026-0243 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy