PAN-OS: Server-Side Request Forgery (SSRF) in IKEv2 Certificate URL Fetching
Action: Plan Patch · CVSS 8.3 · CVE-2026-0258 · May 13, 2026
Palo Alto Networks
IT in OT - Palo Alto firewalls are commonly deployed at IT/OT network boundaries
Summary
A server-side request forgery (SSRF) vulnerability in the IKEv2 implementation of PAN-OS and Prisma Access allows an unauthenticated attacker to cause the firewall to send network requests to unintended destinations or cause a denial of service (DoS) condition. The vulnerability resides in how IKEv2 certificate URLs are fetched. Panorama and Cloud NGFW are not impacted.
What this means
What could happen
An unauthenticated attacker can exploit the IKEv2 certificate URL fetching process to make your firewall send network requests to internal systems or external destinations it shouldn't, potentially accessing sensitive data or causing the firewall to become unresponsive.
Who's at risk
Organizations operating Palo Alto Networks PAN-OS firewalls with IKEv2 VPN enabled. This affects any site using PAN-OS for VPN termination or remote access. Prisma Access customers in affected versions are also at risk. This is particularly concerning for utilities and water authorities that rely on VPN for SCADA or ICS remote access and management.
How it could be exploited
An attacker sends a specially crafted IKEv2 certificate request to the firewall's VPN endpoint. The firewall's IKEv2 implementation unsafely fetches the certificate from a URL controlled by the attacker, allowing the attacker to redirect requests to internal systems (like management interfaces, database servers, or other network devices) or external malicious servers.
Prerequisites
- Firewall has IKEv2 VPN gateway configured and reachable from the network
- No prior authentication required
Tags: remotely exploitable · no authentication required · affects firewall/network device
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (6)
6 with fix
Product         Affected Versions    Fix Status
PAN-OS          Below 12.1.4-h5      12.1.4-h5
PAN-OS          Below 12.1.7         12.1.7 (ETA: 05/28)
Prisma Access   Below 11.2.4-h17     11.2.4-h17 (ETA: 05/28)
Prisma Access   Below 11.2.7-h13     11.2.7-h13
Prisma Access   Below 11.2.10-h6     11.2.10-h6
Prisma Access   Below 11.2.12        11.2.12 (ETA: 05/28)
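To turn the table above into something you can run against your own inventory, here is an added version checker (example code, not a Palo Alto Networks tool). The fix versions are copied from the table; the interpretation of the table (a build is fixed once it is at or above the listed hotfix of its own maintenance release, or at or above the highest listed release on that feature branch) is an assumption to confirm against the vendor advisory.

```python
"""Check a PAN-OS / Prisma Access version string against the fixed versions
listed in this advisory (CVE-2026-0258). Added example, not vendor code."""
import re
from typing import Optional

# Fixed versions per product, copied from the advisory's affected-products table.
FIXED = {
    "PAN-OS": ["12.1.4-h5", "12.1.7"],
    "Prisma Access": ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
}

# PAN-OS versions look like MAJOR.MINOR.PATCH with an optional -hN hotfix suffix.
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse(version: str):
    """'12.1.4-h5' -> (12, 1, 4, 5); a release without a hotfix counts as h0."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def is_vulnerable(product: str, version: str) -> Optional[bool]:
    """True if affected, False if at/after a fix, None if the feature branch
    (MAJOR.MINOR) is not listed in the advisory for this product.

    Assumed table semantics: 12.1.4-h5 and later 12.1.4 hotfixes are fixed,
    12.1.5 and 12.1.6 are still affected (below 12.1.7), 12.1.7+ is fixed."""
    major, minor, patch, hotfix = parse(version)
    rows = [parse(f) for f in FIXED[product]]
    branch = [r for r in rows if r[:2] == (major, minor)]
    if not branch:
        return None  # branch not covered by this advisory's table
    for _, _, fpatch, fhotfix in branch:
        if patch == fpatch and hotfix >= fhotfix:
            return False  # at or above the hotfix for this maintenance release
    if patch > max(r[2] for r in branch):
        return False  # newer than the highest fixed release on the branch
    return True  # below a listed fix with no matching hotfix
```

Feed it the output of `show system info` from each device; a `None` result means the branch is not in the table and needs a manual check.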
Remediation & Mitigation
Do now
WORKAROUND: If IKEv2 VPN is not required, remove all IKEv2 VPN gateway configurations.
HARDENING: If you have a Threat Prevention subscription, enable Threat ID 510014 from Applications and Threats content version 9100-10044 or later.
Schedule — requires maintenance window
Patching may require a device reboot — plan for process interruption.
PAN-OS
HOTFIX: Update PAN-OS to version 12.1.4-h5 or later if running the 12.1.4 branch.
HOTFIX: Update PAN-OS to version 12.1.7 or later if running the 12.1.7 branch.
Prisma Access
HOTFIX: Update Prisma Access to version 11.2.4-h17 or later if running the 11.2.4 branch.
HOTFIX: Update Prisma Access to version 11.2.7-h13 or later if running the 11.2.7 branch.
HOTFIX: Update Prisma Access to version 11.2.10-h6 or later if running the 11.2.10 branch.
HOTFIX: Update Prisma Access to version 11.2.12 or later if running the 11.2.12 branch.
CVEs (1): CVE-2026-0258