Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:D/RE:M/U:Amber
Primary rating from Vendor (palo_alto) · only source for this CVE.
CVSS VectorVendor: palo_alto
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:D/RE:M/U:Amber
Lifecycle Timeline
4DescriptionCVE.org
A denial of service (DoS) vulnerability in Palo Alto Networks Prisma SD-WAN ION devices enables an unauthenticated attacker in a network adjacent to a Prisma SD-WAN ION device to cause a system disruption by sending a specially crafted IPv6 packet.
AnalysisAI
Denial of service in Palo Alto Networks Prisma SD-WAN ION devices allows an unauthenticated attacker with adjacent network access to crash or disrupt the device by sending a specially crafted IPv6 packet. The vulnerability (CWE-606) exists across three active release branches of the ION software, with fixed versions available from Palo Alto Networks. No public exploit code exists and no active exploitation has been identified at time of analysis, with EPSS at 0.03% and SSVC confirming exploitation status as none.
Technical ContextAI
Prisma SD-WAN ION devices are physical or virtual network appliances used in Palo Alto Networks' SD-WAN fabric for branch connectivity and traffic management. The root cause is CWE-606 (Unchecked Input for Loop Condition), meaning the IPv6 packet processing code fails to validate input before using it to control a loop - a crafted packet can cause an unbounded or abnormally large loop iteration, exhausting CPU or memory resources and triggering a system disruption. The affected CPE is cpe:2.3:a:palo_alto_networks:prisma_sd-wan_ion:*:*:*:*:*:*:*:*, covering all sub-versions of the 6.3, 6.4, and 6.5 release branches below their respective fix thresholds. The CVSS 4.0 vector (AV:A) confirms exploitation requires adjacent network positioning, meaning the attacker must be on the same network segment, VLAN, or directly connected link as the ION device.
RemediationAI
The primary fix is to upgrade affected ION devices to a patched software version: 25.3.3 or later for the 6.5.0 branch, 25.1.8 or later for the 6.4.0 branch, or 24.3.6 or later for the 6.3.0 branch, as confirmed by EUVD-2026-30135 and the Palo Alto advisory at https://security.paloaltonetworks.com/CVE-2026-0243. As a compensating control prior to patching, network administrators should restrict adjacent network access to ION device management and data-plane interfaces by implementing strict ACLs or 802.1Q VLAN segmentation to ensure only authorized devices share the same Layer 2 segment. If IPv6 is not operationally required in the deployment, disabling IPv6 on affected ION interfaces would eliminate the attack surface for this specific vulnerability, though this may impact IPv6-dependent SD-WAN features and should be validated in a non-production environment first. Recovery from exploitation requires manual intervention (R:U per CVSS supplemental), so organizations should also ensure monitoring and alerting are in place for ION device availability anomalies to reduce mean time to detect.
More in Prisma Sd Wan Ion
View allSame weakness CWE-606 – Unchecked Input for Loop Condition
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30135
GHSA-j263-ghj6-w2q7