Prisma Access Agent: Improper Certificate Validation Vulnerability

Action: Plan patch | CVSS 8.6 | CVE-2026-0248 | May 13, 2026
Vendor: Palo Alto Networks | Sector: Transportation
IT in OT - Palo Alto firewalls are commonly deployed at IT/OT network boundaries
Summary

An improper certificate validation vulnerability in Prisma Access Agent for Android and Chrome OS allows an attacker to perform a man-in-the-middle attack. An attacker with network interception capability can present any valid certificate issued by a trusted Certificate Authority, and the vulnerable agent will accept it without verifying the certificate matches the intended VPN endpoint. This enables the attacker to decrypt and capture sensitive device information and traffic. The vulnerability is fixed in version 26.2.1 for Android and Chrome OS. macOS, Windows, Linux, and iOS versions are not affected.

What this means
What could happen
An attacker on the network path between a mobile device and Prisma Access servers could intercept VPN traffic and capture sensitive device information by presenting a valid certificate, potentially exposing credentials, connected networks, and other confidential data transmitted through the VPN tunnel.
Who's at risk
Organizations using Prisma Access Agent on Android or Chrome OS devices to provide mobile workforce VPN access, particularly in transportation and logistics sectors where field devices are common. This affects any user connecting through these mobile platforms who may be on untrusted networks (public WiFi, hotel networks, cellular networks in transit).
How it could be exploited
An attacker positioned to intercept network traffic (such as on a compromised WiFi network or through BGP hijacking) can present a valid certificate issued by a trusted Certificate Authority for any domain. The vulnerable Prisma Access Agent on Android or Chrome OS will accept this certificate without validating that it matches the intended VPN endpoint, allowing the attacker to decrypt and inspect VPN traffic.
Prerequisites
  • Network position between mobile device and Prisma Access servers (compromised WiFi, compromised ISP, or other network interception capability)
  • A valid certificate issued by a CA the device trusts; it does not need to be issued for the VPN endpoint's name, so a certificate legitimately obtained for a domain the attacker controls is sufficient
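The check the vulnerable agent skips is the comparison between the certificate's names and the endpoint the client intended to reach. The following is an added example, not code from Palo Alto Networks or the Prisma Access Agent: it models that bug class in Python, with chain validation stubbed as a boolean (`chain_trusted`), constructed certificate name lists, and a hypothetical endpoint name `gateway.vpn.example`. It also shows the equivalent misconfiguration in Python's own `ssl` client context, where `check_hostname = False` leaves chain verification on but disables the name check.

```python
"""Hostname verification as the missing step in certificate validation.

Added example, not code from Palo Alto Networks or the Prisma Access Agent.
Chain building is stubbed as a boolean; names, SAN lists and the endpoint are
constructed for illustration.
"""
import ipaddress
import ssl
from dataclasses import dataclass, field

VPN_ENDPOINT = "gateway.vpn.example"  # hypothetical endpoint the agent intends to reach


@dataclass
class PeerCert:
    """Only the fields of a leaf certificate that matter for this check."""
    subject_cn: str
    san_dns: list = field(default_factory=list)   # subjectAltName dNSName entries
    san_ip: list = field(default_factory=list)    # subjectAltName iPAddress entries
    chain_trusted: bool = True                    # result of chain validation (stubbed)


def _dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison of one dNSName SAN entry against the expected host."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # A wildcard is only valid as the whole leftmost label ("*.vpn.example"):
    # not embedded ("gw*.vpn.example") and not in any other position.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # "*" stands for exactly one non-empty label, so "*.vpn.example" matches
    # "gateway.vpn.example" but neither "vpn.example" nor "a.b.vpn.example".
    if len(p_labels) != len(h_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: PeerCert, expected_host: str) -> bool:
    """True if the certificate was issued for the host the client meant to reach.

    Only subjectAltName is consulted; the subject CN is deliberately ignored,
    as current clients do (RFC 9525). An IP literal must match an iPAddress SAN."""
    try:
        expected_ip = ipaddress.ip_address(expected_host.strip("[]"))
    except ValueError:
        expected_ip = None
    if expected_ip is not None:
        return any(ipaddress.ip_address(s) == expected_ip for s in cert.san_ip)
    return any(_dns_name_matches(name, expected_host) for name in cert.san_dns)


def vulnerable_accept(cert: PeerCert, expected_host: str) -> bool:
    """The flawed check: any chain to a trusted CA is enough; the name is never compared."""
    return cert.chain_trusted


def fixed_accept(cert: PeerCert, expected_host: str) -> bool:
    """Correct check: chain trust AND the certificate names the intended endpoint."""
    return cert.chain_trusted and hostname_matches(cert, expected_host)


# Constructed inputs. LEGIT and MITM both chain to a trusted CA; MITM is a
# certificate legitimately issued for a domain the attacker controls, which is
# all the vulnerable check requires. UNTRUSTED has the right name but no chain.
LEGIT = PeerCert("gateway.vpn.example", san_dns=["gateway.vpn.example", "*.vpn.example"])
MITM = PeerCert("attacker.example", san_dns=["attacker.example", "www.attacker.example"])
UNTRUSTED = PeerCert("gateway.vpn.example", san_dns=["gateway.vpn.example"], chain_trusted=False)


def hardened_client_context() -> ssl.SSLContext:
    """A correctly configured Python TLS client: chain verification plus the
    hostname check. create_default_context() enables both."""
    return ssl.create_default_context()


def vulnerable_client_context() -> ssl.SSLContext:
    """The Python equivalent of the agent's flaw: chain still verified, name check off."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    for label, cert in (("legit", LEGIT), ("mitm", MITM), ("untrusted", UNTRUSTED)):
        print(f"{label:9s} vulnerable={vulnerable_accept(cert, VPN_ENDPOINT)!s:5} "
              f"fixed={fixed_accept(cert, VPN_ENDPOINT)}")
```

Run as a script, the MITM certificate is accepted by the vulnerable check and rejected by the fixed one, while the untrusted-chain certificate is rejected by both; the name check alone is not a substitute for chain validation, the two are required together.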
Tags: remotely exploitable; no authentication required; affects mobile VPN users on untrusted networks; impacts confidentiality of transmitted data
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (6 platforms listed): 2 affected, both with a fix available; 4 not affected
Product | Platform | Affected Versions | Fix Status
Prisma Access Agent | Android | Below 26.2.1 | Fixed in 26.2.1
Prisma Access Agent | Chrome OS | Below 26.2.1 | Fixed in 26.2.1
Prisma Access Agent | iOS | None | Not affected, no fix required
Prisma Access Agent | Linux | None | Not affected, no fix required
Prisma Access Agent | macOS | None | Not affected, no fix required
Prisma Access Agent | Windows | None | Not affected, no fix required
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Prisma Access Agent
HOTFIX: Update Prisma Access Agent to version 26.2.1 or later on all Android devices
HOTFIX: Update Prisma Access Agent to version 26.2.1 or later on all Chrome OS devices
Long-term hardening
Prisma Access Agent
HARDENING: For iOS, macOS, Windows, and Linux devices (not affected by this vulnerability), ensure users continue running the latest available version of Prisma Access Agent for defense-in-depth
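Deciding which devices the two hotfix items apply to is a platform-and-version comparison against the fix table above. The following is an added example, not a Palo Alto Networks tool: it triages a constructed MDM export against the fixed version 26.2.1 for Android and Chrome OS. The CSV column names (`device`, `platform`, `agent_version`) and the device rows are assumptions; adapt the column names to whatever your MDM actually exports.

```python
"""Fleet triage for this advisory: which devices still need the 26.2.1 update.

Added example, not a Palo Alto Networks tool. The CSV rows and column names
are constructed for illustration.
"""
import csv
import io
import re

# Platforms with a fix, and the first fixed version, from the advisory table.
FIXED_IN = {"android": (26, 2, 1), "chromeos": (26, 2, 1)}
# Platforms the advisory lists as not affected by this CVE.
NOT_AFFECTED = {"ios", "linux", "macos", "windows"}

# Constructed MDM export; device names and versions are made up.
SAMPLE_EXPORT = """\
device,platform,agent_version
truck-042-tablet,Android,26.1.3
depot-kiosk-07,Chrome OS,26.2.1
driver-phone-19,Android,26.2.2
dispatch-laptop-11,Windows,26.1.0
yard-scanner-03,ChromeOS,25.9.10
ops-phone-08,iOS,26.0.4
"""


def parse_version(text: str) -> tuple:
    """Turn '26.2.1' into (26, 2, 1) so versions compare numerically, not as strings
    ('25.9.10' must sort below '26.2.1'). Non-numeric suffixes on a component are
    ignored; missing components are padded with 0."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def normalize_platform(platform: str) -> str:
    """'Chrome OS', 'ChromeOS' and 'chromeos' all map to the same key."""
    return re.sub(r"\s+", "", platform.strip().lower())


def status(platform: str, version: str) -> str:
    """Classify one device against the advisory's fix table."""
    key = normalize_platform(platform)
    if key in NOT_AFFECTED:
        return "not affected"
    if key not in FIXED_IN:
        return "unknown platform"
    return "fixed" if parse_version(version) >= FIXED_IN[key] else "VULNERABLE"


def triage(csv_text: str) -> list:
    """Return (device, platform, version, status) for every row of an MDM export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["device"], r["platform"], r["agent_version"],
             status(r["platform"], r["agent_version"])) for r in rows]


def vulnerable_devices(csv_text: str) -> list:
    """Just the device names that still need the hotfix."""
    return [device for device, _, _, st in triage(csv_text) if st == "VULNERABLE"]


if __name__ == "__main__":
    for device, platform, version, st in triage(SAMPLE_EXPORT):
        print(f"{device:20s} {platform:10s} {version:10s} {st}")
    print("need update:", vulnerable_devices(SAMPLE_EXPORT))
```

On the constructed export, the two Android and Chrome OS devices below 26.2.1 are flagged, the Windows and iOS devices come back as not affected regardless of version, and a version such as 25.9.10 is correctly ordered below 26.2.1 because components are compared as integers.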
API: /api/v1/advisories/14f72566-6427-46f4-987f-72fe8c30fd74
