Description
An arbitrary File Read and Delete Vulnerability in Palo Alto Networks WildFire® WF-500 and WF-500-B appliances enables users to read sensitive information and delete arbitrary files. This vulnerability affects WF-500 and WF-500-B appliances running in the default non-FIPS configuration mode.



The WildFire Appliance (WF-500, WF-500-B) software update is now available to customers that use the WildFire Appliance (WF-500, WF-500-B) for on-premise sandboxing.



Please note that customers using the WildFire Public cloud service are NOT impacted by this vulnerability.
Published: 2026-05-13
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An arbitrary file read and delete flaw in Palo Alto Networks WildFire WF-500 and WF-500-B appliances allows an attacker to read sensitive files and delete arbitrary files. The weakness is classified as CWE‑73 due to improper handling of file paths and could expose confidential data or corrupt system state within the appliance's filesystem.

Affected Systems

The vulnerability affects WildFire WF-500 and WF-500-B appliances running in the default non‑FIPS configuration mode. Firmware versions that require remediation include 12.1.5‑12.1.6 (upgrade to 12.1.7 or later), 12.1.2‑12.1.4‑h* (upgrade to 12.1.4‑h5 or 12.1.7 or later), 11.2.11 or later (upgrade to 11.2.12 or later), 11.2.8‑11.2.10‑h* (upgrade to 11.2.10‑h6 or 11.2.12 or later), 11.2.5‑11.2.7‑h* (upgrade to 11.2.7‑h13 or 11.2.12 or later), 11.2.0‑11.2.4‑h* (upgrade to 11.2.4‑h17 or 11.2.12 or later), 11.1.14 or later (upgrade to 11.1.15 or later), 11.1.11‑11.1.13‑h* (upgrade to 11.1.13‑h5 or 11.1.15 or later), 11.1.8‑11.1.10‑h* (upgrade to 11.1.10‑h25 or 11.1.15 or later), 11.1.7‑11.1.7‑h* (upgrade to 11.1.7‑h6 or 11.1.15 or later), 11.1.5‑11.1.6‑h* (upgrade to 11.1.6‑h32 or 11.1.15 or later), 11.1.0‑11.1.4‑h* (upgrade to 11.1.4‑h33 or 11.1.15 or later), 10.2.17‑10.2.18‑h* (upgrade to 10.2.18‑h6 or later), 10.2.14‑10.2.16‑h* (upgrade to 10.2.16‑h7 or 10.2.18‑h6 or later), 10.2.11‑10.2.13‑h* (upgrade to 10.2.13‑h21 or 10.2.18‑h6 or later), 10.2.8‑10.2.10‑h* (upgrade to 10.2.10‑h36 or 10.2.18‑h6 or later), 10.2.0‑10.2.7‑h* (upgrade to 10.2.7‑h34 or 10.2.18‑h6 or later). Version 10.1 and earlier are End‑of‑Life and no fix is planned.

Risk and Exploitability

The CVSS score is 5, indicating a moderate impact. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an authenticated user with access to the appliance console or API, as the flaw can only be exercised from within the appliance's configuration mode. An attacker could read confidential files on the device or delete important configuration files, potentially disrupting sandbox operations.

Generated by OpenCVE AI on May 13, 2026 at 19:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WildFire WF‑500 or WF‑500‑B to a version that includes the fix, such as 12.1.7 or later, 11.2.12 or later, 11.1.15 or later, or 10.2.18‑h6 or later, depending on the current firmware.
  • If an upgrade cannot be performed immediately, configure the appliance to allow access only from trusted internal IP addresses, especially for air‑gapped deployments.
  • For customers with a Threat Prevention subscription, enable Threat ID 510010 (Applications and Threats content version 9100‑10044 or later) to block attacks, noting that SSL decryption is required.

Generated by OpenCVE AI on May 13, 2026 at 19:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 13 May 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description An arbitrary File Read and Delete Vulnerability in Palo Alto Networks WildFire® WF-500 and WF-500-B appliances enables users to read sensitive information and delete arbitrary files. This vulnerability affects WF-500 and WF-500-B appliances running in the default non-FIPS configuration mode. The WildFire Appliance (WF-500, WF-500-B) software update is now available to customers that use the WildFire Appliance (WF-500, WF-500-B) for on-premise sandboxing. Please note that customers using the WildFire Public cloud service are NOT impacted by this vulnerability.
Title WildFire WF-500 and WF-500-B: Arbitrary File Read and Delete Vulnerability in WildFire Appliance (WF-500, WF-500-B)
First Time appeared Palo Alto Networks
Palo Alto Networks wildfire Wf-500 And Wf-500-b
Weaknesses CWE-73
CPEs cpe:2.3:a:palo_alto_networks:wildfire_wf-500_and_wf-500-b:*:*:*:*:*:*:*:*
Vendors & Products Palo Alto Networks
Palo Alto Networks wildfire Wf-500 And Wf-500-b
References
Metrics cvssV4_0

{'score': 5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/AU:Y/R:U/V:C/RE:M/U:Amber'}

Subscriptions

Palo Alto Networks Wildfire Wf-500 And Wf-500-b
cve-icon MITRE

Status: PUBLISHED

Assigner: palo_alto

Published:

Updated: 2026-05-13T18:57:18.638Z

Reserved: 2025-11-03T20:44:19.922Z

Link: CVE-2026-0259

cve-icon Vulnrichment

Updated: 2026-05-13T18:57:10.236Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-13T19:17:01.873

Modified: 2026-05-14T16:21:23.190

Link: CVE-2026-0259

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T21:45:04Z

Weaknesses