- Last update: 18/05/2026
- Affected software: Palo Alto Networks PAN-OS versions 10.2.x, 11.1.x, 11.2.x, and 12.1.x
- Type:
→ CWE-347: Improper Verification of Cryptographic Signature
→ CWE-122: Heap-based Buffer Overflow
→ CWE-120: Buffer Copy without Checking Size of Input
- CVE/CVSS:
→ CVE-2026-0265: 7.2 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:D/RE:M/U:Red)
→ CVE-2026-0264: 7.2 (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:U/AU:Y/R:U/V:C/RE:H/U:Red)
→ CVE-2026-0263: 7.2 (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:U/AU:Y/R:U/V:C/RE:H/U:Red)
Palo Alto - https://security.paloaltonetworks.com/CVE-2026-0265
Palo Alto - https://security.paloaltonetworks.com/CVE-2026-0264
Palo Alto - https://security.paloaltonetworks.com/CVE-2026-0263
Palo Alto Networks PAN-OS is the operating system running on Palo Alto Networks firewalls and Panorama management platforms, widely deployed as enterprise network security gateways and VPN endpoints.
If exploited, these vulnerabilities could allow an unauthenticated remote attacker to bypass authentication controls on affected firewalls or Panorama instances, execute arbitrary code with elevated privileges, or cause a denial of service condition. Successful exploitation may result in unauthorized access to sensitive network data and device configurations (Confidentiality), unauthorized modification of firewall policies and security rules (Integrity), and disruption of network security and VPN services (Availability).
CVE-2026-0265 is caused by improper verification of cryptographic signatures in PAN-OS. When an authentication profile using Cloud Authentication Service (CAS) is enabled and attached to a login interface, an unauthenticated attacker with network access can bypass authentication controls on the affected device. Risk is highest when CAS is configured on the management interface and that interface is externally reachable.
CVE-2026-0264 is a heap-based buffer overflow in the DNS Proxy and DNS Server features of PAN-OS. An unauthenticated attacker with network access can send specially crafted DNS traffic to trigger the overflow. On PA-Series hardware firewalls, this may result in arbitrary code execution. On VM-Series firewalls, exploitation is limited to a denial of service condition.
CVE-2026-0263 is a buffer overflow in the IKEv2 processing component of PAN-OS. An unauthenticated attacker with network access can exploit this flaw to execute arbitrary code with elevated privileges or cause a denial of service condition. The vulnerability is only triggered when IKEv2 VPN tunnels are configured using Post Quantum Cryptography (PQC) ciphers that are not NIST-approved.
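To help prioritise patching, the added example below (not part of the original advisory or of any Palo Alto Networks tooling) maps an asset inventory to the CVEs whose preconditions, as described above, each device meets. The inventory records, host names and field names are hypothetical and constructed for illustration; fixed builds are not listed on this page, so every build in an affected release train is flagged.

```python
import re

# Release trains listed as affected in the advisory. Fixed builds are not
# given on the page, so every build in these trains is flagged for review.
AFFECTED_TRAINS = {"10.2", "11.1", "11.2", "12.1"}

def release_train(version):
    """Return 'major.minor' for a version such as '11.1.4-h7', else None."""
    m = re.match(r"(\d+)\.(\d+)\.\d+", version.strip())
    return f"{m.group(1)}.{m.group(2)}" if m else None

def triage(dev):
    """List (CVE, note) pairs whose stated preconditions this device meets."""
    train = release_train(dev.get("version", ""))
    if train is None:
        return [("REVIEW", "version not parseable, check manually")]
    if train not in AFFECTED_TRAINS:
        return []
    found = []
    if dev.get("cas_on_login_interface"):
        note = "authentication bypass"
        if dev.get("cas_on_mgmt") and dev.get("mgmt_external"):
            note += " (highest risk: CAS on externally reachable management)"
        found.append(("CVE-2026-0265", note))
    if dev.get("dns_proxy_or_server"):
        impact = {"PA-Series": "possible code execution",
                  "VM-Series": "denial of service"}.get(
                      dev.get("platform"), "impact not stated for this platform")
        found.append(("CVE-2026-0264", impact))
    if dev.get("ikev2_pqc_non_nist"):
        found.append(("CVE-2026-0263", "code execution or denial of service"))
    return found

# Constructed sample inventory (hypothetical hosts and field names).
INVENTORY = [
    {"name": "fw-edge-01", "platform": "PA-Series", "version": "11.1.4-h7",
     "cas_on_login_interface": True, "cas_on_mgmt": True,
     "mgmt_external": True, "dns_proxy_or_server": True},
    {"name": "fw-cloud-02", "platform": "VM-Series", "version": "10.2.9",
     "dns_proxy_or_server": True, "ikev2_pqc_non_nist": True},
    {"name": "fw-lab-03", "platform": "PA-Series", "version": "10.1.14",
     "dns_proxy_or_server": True},
]

def triage_inventory(inventory):
    return {d["name"]: triage(d) for d in inventory}

if __name__ == "__main__":
    for name, hits in triage_inventory(INVENTORY).items():
        print(name, hits or "no listed precondition met")
```

An empty result only means that none of the preconditions named in this advisory were recorded for the device; it does not confirm that the device is patched.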
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.
NVD - https://nvd.nist.gov/vuln/detail/CVE-2026-0265
NVD - https://nvd.nist.gov/vuln/detail/CVE-2026-0264
NVD - https://nvd.nist.gov/vuln/detail/CVE-2026-0263