CVE-2026-0288 PAN-OS: Buffer Overflow Vulnerabilities in User-ID Terminal Server Agent
Description
Multiple buffer overflow vulnerabilities in the User-ID Terminal Server Agent (TSA) component of Palo Alto Networks PAN-OS software allow an unauthenticated attacker with network access to cause a denial of service (DoS) condition or potentially execute arbitrary code by sending specially crafted network traffic.
The security risk posed by this issue is minimized when the User-ID Terminal Server Agent connectivity is restricted to only trusted internal IP addresses according to our recommended best practice deployment guidelines.
Panorama is not impacted by this vulnerability.
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| Cloud NGFW | None on AWS None on Azure | All on AWS All on Azure unless you have been contacted by Palo Alto Networks |
| PAN-OS 12.1 | < 12.1.4-h8 < 12.1.7-h2 < 12.1.8 | >= 12.1.4-h8 >= 12.1.7-h2 >= 12.1.8 |
| PAN-OS 11.2 | < 11.2.4-h20 < 11.2.7-h18 < 11.2.10-h12 < 11.2.13 | >= 11.2.4-h20 >= 11.2.7-h18 >= 11.2.10-h12 >= 11.2.13 |
| PAN-OS 11.1 | < 11.1.4-h35 < 11.1.6-h35 < 11.1.7-h8 < 11.1.10-h30 < 11.1.13-h9 < 11.1.16 | >= 11.1.4-h35 >= 11.1.6-h35 >= 11.1.7-h8 >= 11.1.10-h30 >= 11.1.13-h9 >= 11.1.16 |
| PAN-OS 10.2 | < 10.2.7-h36 < 10.2.10-h39 < 10.2.13-h23 < 10.2.16-h9 < 10.2.18-h8 | >= 10.2.7-h36 >= 10.2.10-h39 >= 10.2.13-h23 >= 10.2.16-h9 >= 10.2.18-h8 |
| Prisma Access 11.2.0 | < 11.2.7-h18* | >= 11.2.7-h18* |
| Prisma Access 10.2.0 | < 10.2.10-h39* | >= 10.2.10-h39* |
Required Configuration for Exposure
This issue only affects PAN-OS devices with at least one Terminal Server Agent (TSA) entry configured
To check if a PAN-OS device has a Terminal Server Agent configured, navigate to:
Device > User Identification > Terminal Server Agents
Severity: HIGH, Suggested Urgency: HIGHEST
The risk is highest when you configure the User-ID Terminal Server Agent (TSA) IP and port access from the Internet or any untrusted network.
HIGH
- CVSS-BT: 7.2 /CVSS-B: 9.2 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:U/AU:N/R:U/V:D/RE:M/U:Red)
You can reduce the risk of exploitation by restricting User-ID Terminal Server Agent (TSA) IP and port access to only trusted internal IP addresses and preventing its exposure to the internet.
MEDIUM
- CVSS-BT: 5.2 /CVSS-B: 7.7 (CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:U/AU:N/R:U/V:D/RE:M/U:Amber)
The risk of exploitation is lower for Prisma Access as it requires an authenticated user and the external network access to the User-ID Terminal Server Agent (TSA) IP and port is restricted.
MEDIUM
- CVSS-BT: 4.8 /CVSS-B: 7.5 (CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:U/AU:N/R:U/V:D/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of these issues.
Weakness Type and Impact
Solution
| Version | Minor Version | Suggested Solution |
|---|---|---|
| Cloud NGFW | No action needed. | |
| PAN-OS 12.1 |
12.1.5 through 12.1.7-h* | Upgrade to 12.1.7-h2 or 12.1.8 or later. |
| 12.1.2 through 12.1.4-h* | Upgrade to 12.1.4-h8 or 12.1.8 or later. | |
| PAN-OS 11.2 |
11.2.0 through 11.2.12 | Upgrade to 11.2.13 or later. |
| 11.2.0 through 11.2.10-h* | Upgrade to 11.2.10-h12 or 11.2.13 or later. | |
| 11.2.0 through 11.2.7-h* | Upgrade to 11.2.7-h18 or 11.2.13 or later. | |
| 11.2.0 through 11.2.4-h* | Upgrade to 11.2.4-h20 or 11.2.13 or later. | |
| PAN-OS 11.1 |
11.1.0 through 11.1.15 | Upgrade to 11.1.16 or later. |
| 11.1.0 through 11.1.13-h* | Upgrade to 11.1.13-h9 or 11.1.16 or later. | |
| 11.1.0 through 11.1.10-h* | Upgrade to 11.1.10-h30 or 11.1.16 or later. | |
| 11.1.0 through 11.1.7-h* | Upgrade to 11.1.7-h8 or 11.1.16 or later. | |
| 11.1.0 through 11.1.6-h* | Upgrade to 11.1.6-h35 or 11.1.16 or later. | |
| 11.1.0 through 11.1.4-h* | Upgrade to 11.1.4-h35 or 11.1.16 or later. | |
| PAN-OS 10.2 |
10.2.0 through 10.2.18-h* | Upgrade to 10.2.18-h8 or later. |
| 10.2.0 through 10.2.16-h* | Upgrade to 10.2.16-h9 or later. | |
| 10.2.0 through 10.2.13-h* | Upgrade to 10.2.13-h23 or later. |
|
| 10.2.0 through 10.2.10-h* | Upgrade to 10.2.10-h39 or later. |
|
| 10.2.0 through 10.2.7-h* | Upgrade to 10.2.7-h36 or later. |
|
| All older unsupported PAN-OS versions | Upgrade to a supported fixed version. | |
| Prisma Access 11.2 |
11.2.0 through 11.2.7 | Upgrade to 11.2.7-h18 or later.* |
| Prisma Access 10.2 |
10.2.0 through 10.2.10 | Upgrade to 10.2.10-h39 or later.* |
* See the note under Product Status for information regarding Prisma Access upgrades.
Workarounds and Mitigations
The vast majority of firewalls already follow Palo Alto Networks' and industry best practices. However, if you have not already, we strongly recommend that you restrict your User-ID Terminal Server Agent connectivity to only trusted internal IP addresses according to our best practice deployment guidelines
Acknowledgments
CPEs
cpe:2.3:o:palo_alto_networks:pan-os:12.1.7:h1:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.7:-:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.6:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.5:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.4:h7:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.4:h6:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.4:h5:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.4:h3:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.4:h2:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.4:-:*:*:*:*:*:*
CPE Applicability
- cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)12.1.0 and up to (excluding)12.1.8
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)12.1.7 and up to (excluding)12.1.7-h2
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)12.1.4 and up to (excluding)12.1.4-h8
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.2.0 and up to (excluding)11.2.13
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.2.10 and up to (excluding)11.2.10-h12
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.2.7 and up to (excluding)11.2.7-h18
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.2.4 and up to (excluding)11.2.4-h20
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.0 and up to (excluding)11.1.16
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.13 and up to (excluding)11.1.13-h9
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.10 and up to (excluding)11.1.10-h30
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.7 and up to (excluding)11.1.7-h8
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.6 and up to (excluding)11.1.6-h35
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.4 and up to (excluding)11.1.4-h35
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.18 and up to (excluding)10.2.18-h8
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.16 and up to (excluding)10.2.16-h9
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.13 and up to (excluding)10.2.13-h23
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.10 and up to (excluding)10.2.10-h39
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.7 and up to (excluding)10.2.7-h36
- or
- cpe:2.3:o:palo_alto_networks:prisma_access:*:*:*:*:*:*:*:* is vulnerable from (including)11.2.7 and up to (excluding)11.2.7-h18
- ORcpe:2.3:o:palo_alto_networks:prisma_access:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.10 and up to (excluding)10.2.10-h39