PAN-OS: Improper Validation of Terminal Server Agent Certificate
Monitor | 5.3 | CVE-2026-0228 | Feb 11, 2026
Palo Alto Networks
IT in OT - Palo Alto firewalls are commonly deployed at IT/OT network boundaries
Summary
An improper certificate validation vulnerability in PAN-OS allows Terminal Server Agents on Windows to connect to Prisma Access using expired certificates, even when the PAN-OS configuration would normally reject them. This bypasses the organization's certificate expiration policy for agent authentication.
What this means
What could happen
An attacker with access to an expired Terminal Server Agent certificate could connect to PAN-OS and potentially access systems protected by Prisma Access, bypassing normal certificate validation controls.
Who's at risk
Organizations using Palo Alto Networks Prisma Access for remote access and endpoint protection should apply this update. This is most critical for companies that manage distributed workforces, remote offices, or branch locations where Terminal Server Agents are deployed on Windows endpoints.
How it could be exploited
An attacker obtains or creates an expired Terminal Server Agent certificate, then uses it to connect to a PAN-OS instance running Prisma Access. Because the firewall does not properly validate the certificate's expiration, the connection succeeds even though the organization's security policy would normally reject expired certificates.
Prerequisites
- Access to an expired Terminal Server Agent certificate
- Network connectivity to the PAN-OS Prisma Access instance
- PAN-OS Prisma Access version below 11.2.8
- No authentication required beyond expired certificate
- Low complexity exploitation
- Affects remote access security posture
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| Prisma Access | Below 11.2.8 | 11.2.8+ |
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update Prisma Access to version 11.2.8 or later