CVE-2026-0259 WildFire WF-500 and WF-500-B: Arbitrary File Read and Delete Vulnerability in WildFire Appliance (WF-500, WF-500-B)
Exploit Maturity
UNREPORTED
Response Effort
MODERATE
Recovery
USER
Value Density
CONCENTRATED
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Automatable
YES
User Interaction
NONE
Product Confidentiality
HIGH
Product Integrity
LOW
Product Availability
NONE
Privileges Required
LOW
Subsequent Confidentiality
NONE
Subsequent Integrity
NONE
Subsequent Availability
NONE
Description
An arbitrary File Read and Delete Vulnerability in Palo Alto Networks WildFire® WF-500 and WF-500-B appliances enables users to read sensitive information and delete arbitrary files. This vulnerability affects WF-500 and WF-500-B appliances running in the default non-FIPS configuration mode.
The WildFire Appliance (WF-500, WF-500-B) software update is now available to customers that use the WildFire Appliance (WF-500, WF-500-B) for on-premise sandboxing.
Please note that customers using the WildFire Public cloud service are NOT impacted by this vulnerability.
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| WildFire WF-500 and WF-500-B 12.1.0 | < 12.1.4-h5 < 12.1.7 | >= 12.1.4-h5 >= 12.1.7 (ETA: 05/28) |
| WildFire WF-500 and WF-500-B 11.2.0 | < 11.2.4-h17 < 11.2.7-h13 < 11.2.10-h6 < 11.2.12 | >= 11.2.4-h17 (ETA: 05/28) >= 11.2.7-h13 >= 11.2.10-h6 >= 11.2.12 (ETA: 05/28) |
| WildFire WF-500 and WF-500-B 11.1.0 | < 11.1.4-h33 < 11.1.6-h32 < 11.1.7-h6 < 11.1.10-h25 < 11.1.13-h5 < 11.1.15 | >= 11.1.4-h33 >= 11.1.6-h32 >= 11.1.7-h6 (ETA: 05/28) >= 11.1.10-h25 >= 11.1.13-h5 >= 11.1.15 (ETA: 05/28) |
| WildFire WF-500 and WF-500-B 10.2.0 | < 10.2.7-h34 < 10.2.10-h36 < 10.2.13-h21 < 10.2.16-h7 < 10.2.18-h6 | >= 10.2.7-h34 (ETA: 05/28) >= 10.2.10-h36 >= 10.2.13-h21 (ETA: 05/28) >= 10.2.16-h7 (ETA: 05/28) >= 10.2.18-h6 |
Required Configuration for Exposure
No special configuration is required to be affected by this issue.
Severity: MEDIUM, Suggested Urgency: MODERATE
CVSS-BT: 5.0 / CVSS-B: 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/AU:Y/R:U/V:C/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type and Impact
CWE-73 External Control of File Name or Path
CAPEC-597 Absolute Path Traversal
Solution
| Version | Minor Version Range | Suggested Solution |
|---|---|---|
| WildFire WF-500 and WF-500-B 12.1 | 12.1.5 through 12.1.6 | Upgrade to 12.1.7 or later. |
| 12.1.2 through 12.1.4-h* | Upgrade to 12.1.4-h5 or 12.1.7 or later. | |
| WildFire WF-500 and WF-500-B 11.2 | 11.2.11 or later | Upgrade to 11.2.12 or later. |
| 11.2.8 through 11.2.10-h* | Upgrade to 11.2.10-h6 or 11.2.12 or later. | |
| 11.2.5 through 11.2.7-h* | Upgrade to 11.2.7-h13 or 11.2.12 or later. | |
| 11.2.0 through 11.2.4-h* | Upgrade to 11.2.4-h17 or 11.2.12 or later. | |
| WildFire WF-500 and WF-500-B 11.1 | 11.1.14 or later | Upgrade to 11.1.15 or later. |
| 11.1.11 through 11.1.13-h* | Upgrade to 11.1.13-h5 or 11.1.15 or later. | |
| 11.1.8 through 11.1.10-h* | Upgrade to 11.1.10-h25 or 11.1.15 or later. | |
| 11.1.7 through 11.1.7-h* | Upgrade to 11.1.7-h6 or 11.1.15 or later. | |
| 11.1.5 through 11.1.6-h* | Upgrade to 11.1.6-h32 or 11.1.15 or later. | |
| 11.1.0 through 11.1.4-h* | Upgrade to 11.1.4-h33 or 11.1.15 or later. | |
| WildFire WF-500 and WF-500-B 10.2 | 10.2.17 through 10.2.18-h* | Upgrade to 10.2.18-h6 or later. |
| 10.2.14 through 10.2.16-h* | Upgrade to 10.2.16-h7 or 10.2.18-h6 or later. | |
| 10.2.11 through 10.2.13-h* | Upgrade to 10.2.13-h21 or 10.2.18-h6 or later. | |
| 10.2.8 through 10.2.10-h* | Upgrade to 10.2.10-h36 or 10.2.18-h6 or later. | |
| 10.2.0 through 10.2.7-h* | Upgrade to 10.2.7-h34 or 10.2.18-h6 or later. | |
| WildFire WF-500 and WF-500-B 10.1 | All (EoL) | No fix planned. Upgrade to a supported version. |
Workarounds and Mitigations
For airgapped deployments, we strongly recommend that you secure WildFire 500 appliances by restricting access to only trusted internal IP addresses.
Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 510010 (from Applications and Threats content version 9100-10044 and later).
Please note that this Threat ID requires SSL Decryption.
Acknowledgments
Palo Alto Networks thanks our internal security research teams for discovering and reporting this issue.
CPE Applicability
- cpe:2.3:a:palo_alto_networks:wildfire_wf-500_and_wf-500-b:*:*:*:*:*:*:*:* is vulnerable from (including)12.1.0 and up to (excluding)12.1.7
- ORcpe:2.3:a:palo_alto_networks:wildfire_wf-500_and_wf-500-b:*:*:*:*:*:*:*:* is vulnerable from (including)12.1.4 and up to (excluding)12.1.4-h5
- ORcpe:2.3:a:palo_alto_networks:wildfire_wf-500_and_wf-500-b:*:*:*:*:*:*:*:* is vulnerable from (including)11.2.0 and up to (excluding)11.2.12
- ORcpe:2.3:a:palo_alto_networks:wildfire_wf-500_and_wf-500-b:*:*:*:*:*:*:*:* is vulnerable from (including)11.2.10 and up to (excluding)11.2.10-h6
- ORcpe:2.3:a:palo_alto_networks:wildfire_wf-500_and_wf-500-b:*:*:*:*:*:*:*:* is vulnerable from (including)11.2.7 and up to (excluding)11.2.7-h13
- ORcpe:2.3:a:palo_alto_networks:wildfire_wf-500_and_wf-500-b:*:*:*:*:*:*:*:* is vulnerable from (including)11.2.4 and up to (excluding)11.2.4-h17
- ORcpe:2.3:a:palo_alto_networks:wildfire_wf-500_and_wf-500-b:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.0 and up to (excluding)11.1.15
- ORcpe:2.3:a:palo_alto_networks:wildfire_wf-500_and_wf-500-b:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.13 and up to (excluding)11.1.13-h5
- ORcpe:2.3:a:palo_alto_networks:wildfire_wf-500_and_wf-500-b:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.10 and up to (excluding)11.1.10-h25
- ORcpe:2.3:a:palo_alto_networks:wildfire_wf-500_and_wf-500-b:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.7 and up to (excluding)11.1.7-h6
- ORcpe:2.3:a:palo_alto_networks:wildfire_wf-500_and_wf-500-b:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.6 and up to (excluding)11.1.6-h32
- ORcpe:2.3:a:palo_alto_networks:wildfire_wf-500_and_wf-500-b:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.4 and up to (excluding)11.1.4-h33
- ORcpe:2.3:a:palo_alto_networks:wildfire_wf-500_and_wf-500-b:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.18 and up to (excluding)10.2.18-h6
- ORcpe:2.3:a:palo_alto_networks:wildfire_wf-500_and_wf-500-b:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.16 and up to (excluding)10.2.16-h7
- ORcpe:2.3:a:palo_alto_networks:wildfire_wf-500_and_wf-500-b:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.13 and up to (excluding)10.2.13-h21
- ORcpe:2.3:a:palo_alto_networks:wildfire_wf-500_and_wf-500-b:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.10 and up to (excluding)10.2.10-h36
- ORcpe:2.3:a:palo_alto_networks:wildfire_wf-500_and_wf-500-b:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.7 and up to (excluding)10.2.7-h34
Timeline
Initial publication.