CVE-2026-0228 in Cloud NGFW

Summary

by MITRE • 02/11/2026

An improper certificate validation vulnerability in PAN-OS allows users to connect Terminal Server Agents on Windows to PAN-OS using expired certificates even if the PAN-OS configuration would not normally permit them to do so.


Analysis

by VulDB Data Team • 02/13/2026

This vulnerability resides within Palo Alto Networks PAN-OS firewall software, where the certificate validation mechanism fails to enforce certificate expiration during Terminal Server Agent connections. The flaw allows an entity presenting an expired certificate to establish a secure connection even though the system configuration explicitly blocks such connections through certificate-based authentication controls. This is a breakdown in the security architecture: the certificate validation step is bypassed, which enables a potential attacker to circumvent the intended access controls.

The implementation flaw stems from insufficient validation of X.509 certificate expiration dates within the PAN-OS certificate handling routines. When a Windows Terminal Server Agent attempts to connect to a PAN-OS device, the system should verify that every presented certificate is still within its validity period. Instead, the vulnerability permits the connection to proceed even when the certificate has expired, which neutralizes the certificate-based authentication control that is meant to prevent unauthorized access. This behavior violates the core principle of certificate-based authentication and undermines the trust model that PAN-OS relies upon for secure remote access.

The operational impact extends beyond a simple certificate validation bypass, since it creates a potential pathway to unauthorized administrative access to network infrastructure. An attacker could use this weakness to establish persistent connections to PAN-OS devices with expired certificates that would normally be rejected, and could then potentially perform administrative functions, modify firewall rules, or conduct man-in-the-middle attacks against legitimate users. The vulnerability affects the integrity of the authentication process and could allow privilege escalation or complete compromise of the network security perimeter.

Organizations should immediately implement mitigations, including mandatory certificate renewal policies, enhanced monitoring of Terminal Server Agent connections, and verification of certificate validity through external systems. The configuration should enforce strict certificate validation controls and disable any deprecated or weak cryptographic protocols. Network administrators should also add further layers of authentication and monitoring to detect unauthorized certificate usage patterns. This vulnerability aligns with CWE-295, which covers improper certificate validation, and may be categorized under ATT&CK technique T1078 for valid accounts and T1566 for social engineering through credential compromise. Regular security audits and certificate lifecycle management procedures should be strengthened to prevent similar issues in the future and to ensure compliance with industry standards for secure network device management.
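The external validity check recommended above can be scripted against the certificate records an operator already collects. The following is an added example written for this entry, not VulDB, Palo Alto Networks or Terminal Server Agent code; the agent names, dates and the `example.internal` domain are constructed, and the records use the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns. It places the flawed pattern (identity checked, validity period ignored) beside the corrected one and runs a renewal audit over the sample set.

```python
import ssl
import time
# Constructed sample records in the dict shape returned by ssl.SSLSocket.getpeercert().
# Agent names and dates are hypothetical; this is not PAN-OS or Terminal Server Agent code.
AGENT_CERTS = {
    "ts-agent-01": {
        "subject": ((("commonName", "ts-agent-01.example.internal"),),),
        "notBefore": "Jan  1 00:00:00 2024 GMT",
        "notAfter": "Jan  1 00:00:00 2025 GMT",  # already expired at audit time
    },
    "ts-agent-02": {
        "subject": ((("commonName", "ts-agent-02.example.internal"),),),
        "notBefore": "Jan  1 00:00:00 2025 GMT",
        "notAfter": "Mar  1 00:00:00 2026 GMT",  # valid, but inside the renewal window
    },
    "ts-agent-03": {
        "subject": ((("commonName", "ts-agent-03.example.internal"),),),
        "notBefore": "Jan  1 00:00:00 2025 GMT",
        "notAfter": "Jan  1 00:00:00 2030 GMT",  # healthy
    },
}
# Fixed audit instant (the VulDB analysis date) so the results are reproducible.
AUDIT_TIME = ssl.cert_time_to_seconds("Feb 13 00:00:00 2026 GMT")

def common_name(cert):
    return dict(p for rdn in cert["subject"] for p in rdn).get("commonName")

def lenient_check(cert, expected_cn):
    """The flawed pattern: subject identity is checked, the validity period is not."""
    return common_name(cert) == expected_cn

def strict_check(cert, expected_cn, now=None):
    """Corrected pattern: identity and validity period must both pass -> (accepted, reason)."""
    now = time.time() if now is None else now
    if common_name(cert) != expected_cn:
        return False, "subject mismatch"
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        return False, "not yet valid"
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return False, "expired"
    return True, "ok"

def audit_agent_certs(certs, now, warn_days=30):
    """Lifecycle audit: flag agents whose certificate is rejected or is due for renewal."""
    report = {}
    for name, cert in certs.items():
        accepted, reason = strict_check(cert, name + ".example.internal", now)
        days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
        report[name] = reason if not accepted else ("expiring" if days_left < warn_days else "ok")
    return report
```

Run against a live inventory, replace `AGENT_CERTS` with the dicts obtained from each agent's TLS session and `AUDIT_TIME` with `time.time()`; any agent reported as "expired" is one the flawed validation would still have admitted.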

Responsible

Palo Alto

Reservation

11/03/2025

Disclosure

02/11/2026

Moderation

accepted

CPE

ready

EPSS

0.00013

KEV

no

Activities

very low

Sources