Description
An improper certificate validation vulnerability in the Palo Alto Networks Prisma SD-WAN ION enables a man-in-the-middle (MitM) attacker to impersonate the controller.
Published: 2026-05-13
Score: 5.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from the Prisma SD‑WAN ION appliance not properly validating TLS certificates when communicating with its controller. The weakness, identified as CWE‑295, allows a man‑in‑the‑middle attacker to impersonate the legitimate controller. An attacker could intercept, alter, or forge management traffic, exposing confidential configuration data or undermining device integrity.

Affected Systems

The CVE affects Palo Alto Networks Prisma SD‑WAN ION appliances. Vulnerable versions are 6.5.1 through 6.5.3, 6.4.1 through 6.4.3, and 6.3.1 through 6.3.6; the vendor recommends upgrading to 6.5.3‑b15 or later, 6.4.3‑b8 or later, and 6.3.6‑b10 or later respectively. Versions 6.1 and 5.6 are unaffected.

Risk and Exploitability

The CVSS base score of 5.2 indicates moderate risk. EPSS is not available and the vulnerability is not listed in CISA KEV, suggesting no known widespread exploitation yet. Nevertheless, because the flaw permits a man-in-the-middle attack, any attacker who can position themselves on the path between the device and its controller (by manipulating DNS, routing, or network links) might be able to exploit it. Organizations should therefore prioritize patching to eliminate the opportunity for such attacks.

Generated by OpenCVE AI on May 13, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Prisma SD‑WAN ION to 6.5.3‑b15 or later, 6.4.3‑b8 or later, or 6.3.6‑b10 or later, depending on the current major release. No action is required for versions 6.1 and 5.6.
  • After upgrading, confirm that the appliance validates the controller's TLS certificate against a trusted CA and does not accept a self-signed certificate without validation.
  • If immediate upgrade is not possible, enforce network policies that block traffic to any controller endpoints presenting untrusted or unexpected certificates, and consider implementing certificate pinning or explicit trust‑anchor configuration if supported by the product.

Advisories

No advisories yet.

History

Wed, 13 May 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Wed, 13 May 2026 19:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | An improper certificate validation vulnerability in the Palo Alto Networks Prisma SD-WAN ION enables a man-in-the-middle (MitM) attacker to impersonate the controller. |
| Title | | Prisma SD-WAN: Improper Certificate Validation Vulnerability |
| First Time appeared | | Palo Alto Networks; Palo Alto Networks prisma Sd-wan Ion |
| Weaknesses | | CWE-295 |
| CPEs | | cpe:2.3:h:palo_alto_networks:prisma_sd-wan_ion:*:*:*:*:*:*:*:* |
| Vendors & Products | | Palo Alto Networks; Palo Alto Networks prisma Sd-wan Ion |
| References | | |
| Metrics | | cvssV4_0: {'score': 5.2, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/AU:Y/R:U/V:D/RE:M/U:Amber'} |


MITRE

Status: PUBLISHED

Assigner: palo_alto

Published:

Updated: 2026-05-13T19:29:53.580Z

Reserved: 2025-11-03T20:44:04.828Z

Link: CVE-2026-0244

Vulnrichment

Updated: 2026-05-13T19:29:48.013Z

NVD

Status: Awaiting Analysis

Published: 2026-05-13T19:16:58.297

Modified: 2026-05-14T16:21:23.190

Link: CVE-2026-0244

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:33:48Z

Weaknesses