Impact
An improper certificate validation flaw in PAN-OS allows a Terminal Server Agent (TSA) running on Windows to connect to the firewall with an expired certificate, even when the firewall is configured to reject such connections. The root cause is a missing check on the certificate's validity period, a classic improper certificate validation weakness (CWE-295): the identity and trust checks run, but a certificate past its notAfter date is not rejected. In practice this means a TSA whose certificate has lapsed keeps connecting, and an actor able to present an expired agent certificate (rather than a currently valid one) is not stopped by that control. The TSA channel carries user-to-IP mapping data for User-ID rather than firewall management traffic, which is consistent with the low severity rating below.
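As an added illustration, not code from the advisory or from Palo Alto Networks, the following Python contrasts a validator with the CWE-295 defect described above against one that enforces the validity window. The certificate dicts are constructed samples in the shape returned by `ssl.SSLSocket.getpeercert()`, the issuer name and agent hostname are hypothetical, and the logic models the class of bug generically rather than PAN-OS's actual TSA code.

```python
import ssl
import time

# Constructed sample: an agent certificate that expired in 2023, in the
# dict shape ssl.SSLSocket.getpeercert() returns. Names are hypothetical.
EXPIRED_AGENT_CERT = {
    "subject": ((("commonName", "ts-agent-01.example.internal"),),),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "notBefore": "Mar 10 00:00:00 2022 GMT",
    "notAfter": "Mar 10 00:00:00 2023 GMT",
}

# Constructed sample: the same agent with a certificate that is still valid.
VALID_AGENT_CERT = {
    "subject": ((("commonName", "ts-agent-01.example.internal"),),),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "notBefore": "Mar 10 00:00:00 2024 GMT",
    "notAfter": "Mar 10 00:00:00 2099 GMT",
}

# Hypothetical issuer that the firewall side trusts for agent certificates.
TRUSTED_ISSUER_CN = "Example Internal CA"


def _common_name(rdn_sequence):
    """Extract commonName from the nested tuple form used by getpeercert()."""
    for rdn in rdn_sequence:
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return None


def accept_agent_weak(cert):
    """Vulnerable pattern (CWE-295): checks who issued the certificate and
    that it names an agent, but never looks at notBefore/notAfter, so an
    expired certificate is accepted exactly as the advisory describes."""
    return (
        _common_name(cert["issuer"]) == TRUSTED_ISSUER_CN
        and _common_name(cert["subject"]) is not None
    )


def accept_agent_strict(cert, now=None):
    """Hardened check: the same issuer/subject test plus enforcement of the
    validity window, parsing the date strings with the stdlib helper that
    understands getpeercert()'s format. `now` is injectable for testing."""
    if now is None:
        now = time.time()
    if _common_name(cert["issuer"]) != TRUSTED_ISSUER_CN:
        return False
    if _common_name(cert["subject"]) is None:
        return False
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now <= not_after


if __name__ == "__main__":
    for label, cert in (("expired", EXPIRED_AGENT_CERT), ("valid", VALID_AGENT_CERT)):
        print(label, "weak:", accept_agent_weak(cert), "strict:", accept_agent_strict(cert))
```

The weak validator returns True for both samples; the strict one rejects the expired certificate and also rejects a certificate presented before its notBefore date, which is the second half of the validity-window check that implementations tend to forget.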
Affected Systems
The vulnerability affects the following Palo Alto Networks products: PAN-OS, Prisma Access, and Cloud NGFW. Affected PAN-OS releases are 10.2.0 through 10.2.16, 11.1.0 through 11.1.10, and 11.2.0 through 11.2.7; PAN-OS 12.1 is not affected. Fixed releases are PAN-OS 10.2.17 or later, 11.1.11 or later, and 11.2.8 or later. For Prisma Access, 11.2 on PAN-OS requires 11.2.7-h10 or later and 10.2 on PAN-OS requires 10.2.10-h28 or later. Cloud NGFW is listed but requires no customer action.
Risk and Exploitability
The CVSS score is 1.3 (very low) and the EPSS score is below 1 %, so the current likelihood of exploitation is negligible; the flaw is not listed in the CISA KEV catalog. Exploitation requires an adversary who can configure or deploy a Terminal Server Agent that presents an expired certificate to the firewall, which implies existing access to the network segment where agents are deployed or the ability to run modified agent software. The practical consequence is that an expired certificate passes validation and the agent connection is accepted when policy says it should be refused; overall risk remains low given the placement requirement and the low exploitation probability. Administrators should still confirm that the agent certificates in use have not lapsed, because an expired certificate that the firewall silently accepts will not show up as a connection failure.
OpenCVE Enrichment