Skip to main content

Prisma SD-WAN ION EUVDEUVD-2026-30095

| CVE-2026-0244 MEDIUM
Improper Certificate Validation (CWE-295)
2026-05-13 palo_alto GHSA-9343-chmf-h73m
5.2
CVSS 4.0 · Vendor: palo_alto
Share

Severity by source

Vendor (palo_alto) PRIMARY
5.2 MEDIUM
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:D/RE:M/U:Amber

Primary rating from Vendor (palo_alto) · only source for this CVE.

CVSS VectorVendor: palo_alto

CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:D/RE:M/U:Amber
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
Jun 08, 2026 - 11:02 vuln.today
Patch available
May 13, 2026 - 20:02 EUVD
CVSS changed
May 13, 2026 - 19:22 NVD
5.2 (MEDIUM)
CVE Published
May 13, 2026 - 19:03 nvd
MEDIUM 5.2

DescriptionCVE.org

An improper certificate validation vulnerability in the Palo Alto Networks Prisma SD-WAN ION enables man-in-the-middle (MitM) attacker to impersonate the controller.

AnalysisAI

Improper certificate validation in Palo Alto Networks Prisma SD-WAN ION allows an adjacent-network attacker positioned as a man-in-the-middle to impersonate the SD-WAN controller, achieving high confidentiality, integrity, and availability impact against the vulnerable device. Affected versions span three active release trains (6.3.x, 6.4.x, and 6.5.x), with fixed builds now available from Palo Alto Networks. No public exploit identified at time of analysis, and EPSS sits at 0.00%, but SSVC rates technical impact as total given the controller-impersonation capability.

Technical ContextAI

The vulnerability is rooted in CWE-295 (Improper Certificate Validation), meaning the Prisma SD-WAN ION device fails to adequately verify the authenticity of TLS/mTLS certificates presented by the SD-WAN controller during their control-plane communication. SD-WAN ION devices rely on a trust relationship with a centralized controller for policy, configuration, and orchestration; if that channel can be hijacked via a forged or otherwise unvalidated certificate, an adversary gains full authority over the device. The affected CPE is cpe:2.3:a:palo_alto_networks:prisma_sd-wan_ion:*:*:*:*:*:*:*:*, covering all build variants of ION software across the 6.3, 6.4, and 6.5 release lines prior to patched builds. The CVSS 4.0 vector specifies AV:A (Adjacent network) and AT:P (Attack Requirements: Present), confirming that exploitation depends on the attacker occupying a specific network-adjacent vantage point on the same segment or broadcast domain as the ION device.

RemediationAI

Upgrade Prisma SD-WAN ION to a fixed build: 6.3.6-b10 or later for the 6.3.x train, 6.4.3-b8 or later for the 6.4.x train, and 6.5.3-b15 or later for the 6.5.x train. Refer to the Palo Alto Networks security advisory at https://security.paloaltonetworks.com/CVE-2026-0244 for upgrade procedures and release notes. If immediate patching is not feasible, compensating controls should focus on restricting network-adjacent access to ION devices: isolate ION management and control-plane interfaces in dedicated VLANs with strict ACLs to prevent unauthorized hosts from occupying a position between the ION and its controller, and deploy network-level anomaly detection to alert on unexpected ARP or BGP path changes that could indicate MitM positioning. Note that these network-layer controls reduce attacker opportunity but do not address the underlying certificate validation defect and should be treated as temporary measures only.

Share

EUVD-2026-30095 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy