Severity by source
CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
Primary rating from Vendor (palo_alto) · only source for this CVE.
CVSS VectorVendor: palo_alto
CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
Lifecycle Timeline
3DescriptionCVE.org
An information disclosure vulnerability in Trust Protection Foundation enables an authenticated attacker to obtain sensitive information from the server's vault. Successful exploitation of this issue allows the attacker to impersonate any user within the environment and arbitrarily modify configuration settings.
AnalysisAI
Sensitive vault credential disclosure in Palo Alto Networks Trust Protection Foundation allows an authenticated, adjacent-network attacker with low privileges to read secrets from the server's underlying vault (indicated by the HashiCorp tag), then leverage those secrets to impersonate any user in the environment and arbitrarily modify platform configuration. Affected across four active release branches (24.1.x, 24.3.x, 25.1.x, 25.3.x), with fixed versions available from the vendor. No public exploit code exists and CISA has not listed this in KEV; EPSS exploitation probability is 0.01%, reflecting low current threat activity.
Technical ContextAI
Trust Protection Foundation (CPE: cpe:2.3:a:palo_alto_networks:trust_protection_foundation) is Palo Alto Networks' certificate lifecycle and secrets management platform. The 'Hashicorp' tag in the intelligence record strongly indicates the affected vault component integrates with HashiCorp Vault for storing sensitive credentials, API keys, or certificate private keys. The root cause is CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), meaning the application improperly exposes privileged internal data - vault secrets - to a principal (a low-privileged authenticated user) who should not have access to that data tier. The CVSS 4.0 vector AV:A restricts the attack surface to adjacent network segments (e.g., same VLAN or subnet), and AT:P signals that a passive prerequisite condition must exist for exploitation, though the specific triggering condition is not detailed in the public description. The high Confidentiality (VC:H) and Integrity (VI:H) impact on the vulnerable component reflects that vault secret extraction directly enables credential-based lateral movement and configuration tampering.
RemediationAI
The primary remediation is to upgrade to a fixed release on the appropriate branch: 25.3.3 (for the 25.3.x train), 24.1.13 (for 24.1.x), 25.1.8 (for 25.1.x), or 24.3.6 (for 24.3.x), as confirmed by EUVD-2026-30092 and the Palo Alto Networks advisory at https://security.paloaltonetworks.com/CVE-2026-0240. If immediate patching is not feasible, organizations should enforce network segmentation to ensure Trust Protection Foundation management interfaces are accessible only from dedicated administrator workstations and not from general user VLANs - this directly targets the AV:A attack vector. Additionally, audit and restrict low-privilege account access to vault-adjacent API endpoints; removing unnecessary accounts reduces the PR:L attack surface. Rotating vault secrets after patching is strongly recommended if any low-privileged accounts accessed vault APIs prior to the upgrade, given that secret exfiltration may have occurred silently. Note that network segmentation alone does not eliminate risk if internal trusted-network compromise is already in scope for your threat model.
More in Trust Protection Foundation
View allSQL injection in Palo Alto Networks Trust Protection Foundation exposes the platform database to arbitrary command execu
Incorrect Authorization in Palo Alto Networks Trust Protection Foundation allows adjacent-network unauthenticated attack
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30092
GHSA-6354-6hwj-cjvq