Palo Alto Networks published a July 2026 PAN-OS advisory set that firewall, VPN, and hosting network teams should schedule into the next maintenance window. The highest item in the batch is CVE-2026-0288, a High severity User-ID Terminal Server Agent buffer overflow advisory. The same batch also includes PAN-OS network traffic denial-of-service, CLI command injection, management web interface SSRF, LSVPN authentication bypass, IPv6 policy bypass, and other management-plane fixes.
Palo Alto says it is not aware of malicious exploitation for the checked advisories, so this is a controlled patch-and-verify job rather than a panic change. Back up firewall configuration, confirm HA health, snapshot change tickets, and make sure a rollback plan exists before upgrading production firewalls.
Advisories To Review
- CVE-2026-0288: PAN-OS User-ID Terminal Server Agent buffer overflow vulnerabilities, rated High.
- CVE-2026-0287: PAN-OS network traffic processing denial-of-service vulnerabilities.
- CVE-2026-0286: PAN-OS authenticated command injection in CLI.
- CVE-2026-0285: PAN-OS management web interface server-side request forgery.
- CVE-2026-0283: PAN-OS Large Scale VPN authentication bypass.
- CVE-2026-0280: PAN-OS IPv6 firewall policy bypass.
Admin Checklist
- Identify affected PAN-OS branches and compare them with Palo Alto’s fixed-version matrix for each advisory.
- Back up running and candidate configuration, export device state where appropriate, and confirm HA pair status.
- Prioritize internet-facing management surfaces, LSVPN deployments, User-ID Terminal Server Agent use, and firewalls handling untrusted IPv6 traffic.
- Upgrade during a maintenance window and test GlobalProtect, site-to-site VPN, NAT, security policies, logging, and User-ID mappings.
- Keep management interfaces restricted to trusted networks and MFA-protected admin paths.
- After the change, review system logs, threat logs, HA sync state, and policy hit counts for unexpected behavior.
Hosting Notes
For hosting providers and MSPs, the value is in turning this into an inventory task. Check which clients depend on PAN-OS firewalls for management-plane access, VPN, IPv6 filtering, and east-west segmentation. Patch the firewalls, then verify that customer-facing sites, control panels, DNS, mail, backups, and monitoring still pass through the expected policies.
Do not turn the advisory list into test traffic. The safe operational path is version inventory, vendor patching, management exposure reduction, and post-change validation.


