CVE-2026-0243 in Prisma SD-WAN ION

Summary

by MITRE • 05/13/2026

A denial of service (DoS) vulnerability in Palo Alto Networks Prisma SD-WAN ION devices enables an unauthenticated attacker in a network adjacent to a Prisma SD-WAN ION device to cause a system disruption by sending a specially crafted IPv6 packet.


Analysis

by VulDB Data Team • 05/14/2026

This vulnerability represents a critical denial of service weakness in Palo Alto Networks Prisma SD-WAN ION devices that stems from inadequate input validation of IPv6 packets. The flaw exists within the device's network processing stack, where it fails to properly handle malformed or specially crafted IPv6 packets transmitted from adjacent network segments. The vulnerability is classified as a CWE-129 weakness, specifically involving improper validation of input boundaries, and aligns with ATT&CK technique T1498, which covers network denial of service attacks. An unauthenticated attacker positioned within the same network segment can exploit this weakness by transmitting malicious IPv6 packets that trigger a system disruption in the targeted ION device.

The technical implementation of this vulnerability occurs at the network protocol layer, where the ION device's IPv6 processing logic does not adequately sanitize incoming packets before processing them. When the device receives a crafted IPv6 packet, it fails to properly validate the packet structure or handle unexpected packet parameters, leading to a system crash or service disruption. This type of vulnerability is particularly concerning in SD-WAN environments where network availability is critical for business operations, as it allows attackers to cause widespread service degradation without requiring authentication credentials or advanced exploitation techniques.

The operational impact of this vulnerability extends beyond simple service interruption to potentially compromise the entire SD-WAN infrastructure. When an ION device becomes unavailable due to this DoS attack, it can disrupt network connectivity for all endpoints managed by that device, affecting multiple users and applications simultaneously. The vulnerability affects the availability aspect of the CIA triad and can be leveraged as part of broader attack campaigns targeting network infrastructure. Organizations using Prisma SD-WAN solutions face significant risk of operational disruption, especially in environments where network uptime is critical for business continuity.

Mitigation strategies for this vulnerability should include immediate deployment of official patches provided by Palo Alto Networks, along with network segmentation to limit adjacent network access to ION devices. Network administrators should implement ingress filtering and IPv6 packet validation rules to prevent malformed packets from reaching vulnerable devices. The mitigation approach aligns with ATT&CK technique T1562, which covers defense evasion and includes network denial of service prevention measures. Additionally, organizations should consider implementing intrusion detection systems that can identify and block suspicious IPv6 packet patterns, and establish monitoring procedures to detect potential DoS attack attempts targeting network infrastructure components.

Responsible: Palo Alto
Reservation: 11/03/2025
Disclosure: 05/13/2026
Moderation: accepted
CPE: ready
EPSS: 0.00039
KEV: no
Activities: very low
