Severity by source
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:D/RE:M/U:Amber
Primary rating from Vendor (palo_alto) · only source for this CVE.
CVSS VectorVendor: palo_alto
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:D/RE:M/U:Amber
Lifecycle Timeline
4DescriptionCVE.org
An improper certificate validation vulnerability in the Palo Alto Networks Prisma SD-WAN ION enables man-in-the-middle (MitM) attacker to impersonate the controller.
AnalysisAI
Improper certificate validation in Palo Alto Networks Prisma SD-WAN ION allows an adjacent-network attacker positioned as a man-in-the-middle to impersonate the SD-WAN controller, achieving high confidentiality, integrity, and availability impact against the vulnerable device. Affected versions span three active release trains (6.3.x, 6.4.x, and 6.5.x), with fixed builds now available from Palo Alto Networks. No public exploit identified at time of analysis, and EPSS sits at 0.00%, but SSVC rates technical impact as total given the controller-impersonation capability.
Technical ContextAI
The vulnerability is rooted in CWE-295 (Improper Certificate Validation), meaning the Prisma SD-WAN ION device fails to adequately verify the authenticity of TLS/mTLS certificates presented by the SD-WAN controller during their control-plane communication. SD-WAN ION devices rely on a trust relationship with a centralized controller for policy, configuration, and orchestration; if that channel can be hijacked via a forged or otherwise unvalidated certificate, an adversary gains full authority over the device. The affected CPE is cpe:2.3:a:palo_alto_networks:prisma_sd-wan_ion:*:*:*:*:*:*:*:*, covering all build variants of ION software across the 6.3, 6.4, and 6.5 release lines prior to patched builds. The CVSS 4.0 vector specifies AV:A (Adjacent network) and AT:P (Attack Requirements: Present), confirming that exploitation depends on the attacker occupying a specific network-adjacent vantage point on the same segment or broadcast domain as the ION device.
RemediationAI
Upgrade Prisma SD-WAN ION to a fixed build: 6.3.6-b10 or later for the 6.3.x train, 6.4.3-b8 or later for the 6.4.x train, and 6.5.3-b15 or later for the 6.5.x train. Refer to the Palo Alto Networks security advisory at https://security.paloaltonetworks.com/CVE-2026-0244 for upgrade procedures and release notes. If immediate patching is not feasible, compensating controls should focus on restricting network-adjacent access to ION devices: isolate ION management and control-plane interfaces in dedicated VLANs with strict ACLs to prevent unauthorized hosts from occupying a position between the ION and its controller, and deploy network-level anomaly detection to alert on unexpected ARP or BGP path changes that could indicate MitM positioning. Note that these network-layer controls reduce attacker opportunity but do not address the underlying certificate validation defect and should be treated as temporary measures only.
More in Prisma Sd Wan Ion
View allSame weakness CWE-295 – Improper Certificate Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30095
GHSA-9343-chmf-h73m