PAN-OS: Remote Code Execution (RCE) in IKEv2 Processing
Priority: Plan Patch | CVSS 9.2 | CVE-2026-0263 | May 13, 2026
Palo Alto Networks
IT in OT - Palo Alto firewalls are commonly deployed at IT/OT network boundaries
Summary
A buffer overflow vulnerability exists in the IKEv2 processing function of PAN-OS and Prisma Access firewalls. An unauthenticated attacker with network access to the IKEv2 VPN endpoint can send a specially crafted packet to trigger the overflow, leading to arbitrary code execution with firewall privileges or a denial of service condition. Panorama and Cloud NGFW are not affected.
What this means
What could happen
An attacker on the network can send specially crafted data to the firewall's IKEv2 VPN port and execute arbitrary commands with firewall privileges, potentially allowing them to access internal networks, modify traffic rules, or disable the firewall entirely.
Who's at risk
Organizations using Palo Alto Networks PAN-OS firewalls or Prisma Access for VPN termination should treat this as critical. This affects enterprises relying on these devices for network perimeter defense, remote access, or site-to-site connectivity. Any organization with IKEv2 VPN enabled is at risk.
How it could be exploited
An attacker sends a malformed IKEv2 packet to the firewall's VPN endpoint (typically UDP port 500 or 4500). The firewall's IKEv2 processing code fails to properly validate the packet, causing a buffer overflow that lets the attacker inject and execute arbitrary code with firewall-level privileges.
Prerequisites
- Network access to the firewall's IKEv2 VPN port (UDP 500 or 4500)
- IKEv2 VPN service enabled on the firewall
- Firewall running an affected PAN-OS or Prisma Access version
Risk factors:
- remotely exploitable
- no authentication required
- buffer overflow (moderate complexity)
- high CVSS score (9.2)
- affects a critical network perimeter device
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (6)
6 with fix

| Product | Affected versions | Fix status |
|---|---|---|
| PAN-OS | below 12.1.4-h5 | 12.1.4-h5 |
| PAN-OS | below 12.1.7 | 12.1.7 (ETA: 05/28) |
| Prisma Access | below 11.2.4-h17 | 11.2.4-h17 (ETA: 05/28) |
| Prisma Access | below 11.2.7-h13 | 11.2.7-h13 |
| Prisma Access | below 11.2.10-h6 | 11.2.10-h6 |
| Prisma Access | below 11.2.12 | 11.2.12 (ETA: 05/28) |
Remediation & Mitigation
Do now
- Workaround: If a patch cannot be deployed immediately, restrict network access to UDP ports 500 and 4500 (IKEv2 endpoints) to only known, trusted VPN client IP addresses or subnets.
- Workaround: If IKEv2 is not required, disable the IKEv2 VPN service and use only IPsec or other VPN protocols until patches are applied.
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
PAN-OS
- Hotfix: Update PAN-OS to version 12.1.4-h5 or later (12.1.4 branch) or 12.1.7 or later (12.1.7 branch).
Prisma Access
- Hotfix: Update Prisma Access to the latest fixed version in your branch (11.2.4-h17 or later, 11.2.7-h13 or later, 11.2.10-h6 or later, or 11.2.12 or later).
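The affected-products table and the hotfix steps above are branch-scoped: a device on a 12.1.4-hN hotfix line needs 12.1.4-h5, while every other 12.1.x release needs 12.1.7, and several fixes still carry an ETA. Deciding for a fleet of firewalls which action applies is easy to get wrong with naive string comparison, so the following added example (written for this breakdown, not code from Palo Alto Networks or from the advisory) parses PAN-OS-style versions including the `-hN` hotfix suffix, matches each device to its most specific branch, and returns a verdict. The fix versions and ETAs are transcribed from the table; the branch-scoped reading of the rows, the `FIX_TABLE` layout, and the `assess`/`Verdict` names are this example's assumptions.

```python
"""Check PAN-OS / Prisma Access versions against the CVE-2026-0263 fix table."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Fix table transcribed from the advisory. The branch scoping (a 12.1.4-hN
# hotfix line is fixed at 12.1.4-h5, every other 12.1.x release needs 12.1.7)
# is this example's reading of the rows; versions and ETAs are the page's own.
# Third field: whether the fix has shipped (False = "ETA: 05/28" on the page).
FIX_TABLE: dict[str, list[tuple[str, str, bool]]] = {
    "PAN-OS": [
        ("12.1.4", "12.1.4-h5", True),
        ("12.1", "12.1.7", False),
    ],
    "Prisma Access": [
        ("11.2.4", "11.2.4-h17", False),
        ("11.2.7", "11.2.7-h13", True),
        ("11.2.10", "11.2.10-h6", True),
        ("11.2", "11.2.12", False),
    ],
}

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(s: str) -> tuple[int, int, int, int]:
    """'12.1.4-h3' -> (12, 1, 4, 3); a release without a hotfix gets hotfix 0.

    Tuples compare correctly, so 12.1.4-h3 < 12.1.4-h5 < 12.1.5 < 12.1.7.
    """
    m = _VER.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    major, minor, maint, hot = m.groups()
    return (int(major), int(minor), int(maint), int(hot or 0))


@dataclass
class Verdict:
    status: str            # "fixed", "affected" or "not-listed"
    fix_version: str | None
    fix_available: bool
    action: str


def assess(product: str, version: str) -> Verdict:
    """Match a device to its most specific branch row and compare against the fix."""
    v = parse_version(version)
    dotted = f"{v[0]}.{v[1]}.{v[2]}"
    # Longest branch string first, so "12.1.4" is tried before "12.1".
    rows = sorted(FIX_TABLE.get(product, []), key=lambda r: -len(r[0]))
    for branch, fix, available in rows:
        # Trailing dot prevents "11.2.1" from matching "11.2.10".
        if dotted == branch or dotted.startswith(branch + "."):
            if v >= parse_version(fix):
                return Verdict("fixed", fix, available, "no action for CVE-2026-0263")
            if available:
                return Verdict("affected", fix, True,
                               f"upgrade to {fix} or later; expect a reboot")
            return Verdict("affected", fix, False,
                           f"{fix} not yet released: restrict UDP 500/4500 to trusted "
                           "peers or disable IKEv2 until it ships")
    return Verdict("not-listed", None, False,
                   "version not in the advisory table; confirm with the vendor")


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    inventory = [("PAN-OS", "12.1.4-h3"), ("PAN-OS", "12.1.5"),
                 ("PAN-OS", "12.1.7"), ("Prisma Access", "11.2.11-h2")]
    for product, ver in inventory:
        r = assess(product, ver)
        print(f"{product} {ver}: {r.status} -> {r.action}")
```

Run it against an exported inventory and sort on `status`/`fix_available`: devices whose fix is still on ETA are the ones that need the UDP 500/4500 restriction from the "Do now" list, not a maintenance window.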
CVEs (1): CVE-2026-0263