
Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with technology that is transforming the way people and organizations operate. Our mission is to be the cybersecurity partner of choice, protecting our digital way of life. We help address the world's greatest security challenges with continuous innovation that seizes the latest breakthroughs in artificial intelligence, analytics, automation, and orchestration. By delivering an integrated platform and empowering a growing ecosystem of partners, we are at the forefront of protecting tens of thousands of organizations across clouds, networks, and mobile devices. Our vision is a world where each day is safer and more secure than the one before. For more information, visit www.paloaltonetworks.com.

Palo Alto Networks A.I CyberSecurity Scoring

PAN

Company Details

  • LinkedIn ID: palo-alto-networks
  • Number of employees: 17,868
  • Number of followers: 1,667,098
  • NAICS: 541514
  • Industry type: Computer and Network Security
  • Homepage: paloaltonetworks.com
  • IP addresses: 123
  • Company ID: PAL_3162000
  • Scan status: Completed

PAN Risk Score (AI oriented)

Between 750 and 799

  • Powered by our proprietary A.I. cyber incident model
  • Insurers prefer the TPRM score when calculating premiums

PAN Global Score (TPRM)

XXXX

  • Instant access to detailed risk factors
  • Benchmark vs. industry & size peers
  • Vulnerabilities
  • Findings

PAN Company CyberSecurity News & History

Past incidents: 5
Attack types: 2

Entity: Palo Alto Networks
Type: Breach
Severity: 85
Impact: 4
Seen: 9/2025
Rankiteo explanation: Attack with significant impact with customers data leaks

Description: Palo Alto Networks fell victim to a sophisticated **supply chain cyberattack** after threat actors (UNC6395) exploited a **vulnerability in Salesloft Drift**, a third-party sales/marketing SaaS tool integrated with Salesforce. The attackers stole **OAuth tokens**, granting unauthorized access to Palo Alto’s **Salesforce instance**. While the breach was confined to **business contact details** (names, emails, job titles, phone numbers), **sales account records**, and **case metadata**, it exposed sensitive customer data tied to major tech firms. The company **disabled the compromised integration**, revoked affected tokens, and collaborated with Salesforce/Salesloft for forensic analysis. No evidence suggested misuse of the exposed data, but the incident underscored risks in **third-party dependencies**. Customers were notified, and internal safeguards were reviewed to mitigate future threats. The attack aligns with a broader trend targeting **Salesforce ecosystems**, including TransUnion’s recent breach affecting 4.4M US consumers.

Entity: Palo Alto Networks
Type: Vulnerability
Severity: 25
Impact: not given
Seen: 6/2025
Rankiteo explanation: Attack without any consequences: Attack in which data is not compromised

Description: A newly disclosed command injection vulnerability in Palo Alto Networks’ PAN-OS operating system poses significant security risks to enterprise firewall infrastructures worldwide. The vulnerability, catalogued as CVE-2025-4230, enables authenticated administrators with command-line interface (CLI) access to execute arbitrary commands with root-level privileges, potentially compromising entire network security architectures. This flaw allows malicious actors to exploit insufficient input validation within the PAN-OS CLI interface, enabling them to bypass system restrictions and execute unauthorized commands with elevated privileges.

Entity: Palo Alto Networks
Type: Vulnerability
Severity: 50
Impact: 2
Seen: 11/2025
Rankiteo explanation: Attack limited on finance or reputation

Description: A critical **denial-of-service (DoS) vulnerability (CVE-TBD)** in **Palo Alto Networks’ PAN-OS** allows unauthenticated attackers to remotely reboot firewalls by sending maliciously crafted packets via the data plane. Repeated exploits can force firewalls into **maintenance mode**, disabling network protections and exposing organizations to **secondary attacks**. The flaw affects **PA-Series, VM-Series firewalls, and Prisma Access** (excluding Cloud NGFW) across multiple PAN-OS versions (10.2, 11.1, 11.2), with **no evidence of active exploitation** yet. The issue stems from **improper exception handling (CWE-754)** and **pointer manipulation (CAPEC-129)**, requiring **no authentication or user interaction**. While Palo Alto Networks assigned a **CVSS 8.7 (MEDIUM severity, MODERATE urgency)**, the vulnerability’s **network-based, no-authentication exploitability** poses significant risk to **critical infrastructure**. Affected organizations lack workarounds, making **immediate patching** essential. Unpatched systems face **operational disruption**, potential **follow-on attacks**, and **loss of firewall resilience**, though no data breaches or ransomware are reported. Remediation requires upgrades to **PAN-OS 10.2.14, 11.1.7, or 11.2.5** (or hotfixes), with Prisma Access patches pending for some deployments.

Entity: Palo Alto Networks
Type: Vulnerability
Severity: 50
Impact: 2
Seen: 5/2025
Rankiteo explanation: Attack limited on finance or reputation

Description: Palo Alto Networks disclosed a **reflected cross-site scripting (XSS) vulnerability (CVE-2025-0133)** in its **GlobalProtect gateway and portal** (PAN-OS software). The flaw allows attackers to execute malicious JavaScript in authenticated users' browsers via crafted links, enabling **credential theft** through phishing. While the default CVSS score is **2.0 (Low)**, it escalates to **5.5 (Medium)** when **Clientless VPN** is enabled. Proof-of-concept (PoC) exploit code is already public, increasing the risk of active exploitation before patches (expected **June–August 2025**) are deployed. The vulnerability affects multiple PAN-OS versions (11.2, 11.1, 10.2, 10.1) and **Cloud NGFW**, but **Prisma Access** is unaffected. Mitigations include upgrading to patched versions, enabling Threat Prevention IDs (510003, 510004), or disabling Clientless VPN. Though no confirmed malicious exploitation exists yet, the **social engineering risk** of tricking users into clicking malicious links poses a **significant threat to authentication integrity**, particularly for organizations relying on Clientless VPN. Urgent action is advised to prevent credential compromise and downstream attacks.

Entity: Palo Alto Networks
Type: Vulnerability
Severity: 60
Impact: 1
Seen: 4/2025
Rankiteo explanation: Attack without any consequences

Description: Palo Alto Networks' PAN-OS software was found to contain a significant denial-of-service (DoS) vulnerability, labeled CVE-2025-0128, affecting several versions and potentially putting organizations at risk of service interruptions. Unauthenticated attackers could exploit this vulnerability to force system reboots and maintenance mode engagement, leading to service unavailability for those reliant on the company's firewall appliances. The security flaw, while rated 'MEDIUM' in severity due to a CVSS score of 6.6, has a high impact on availability, albeit not directly threatening data confidentiality or integrity. Security recommendations encourage immediate updates to patched software versions to prevent exploitation.


PAN Company Scoring based on AI Models

Cyber Incidents Likelihood 3 - 6 - 9 months: incident predictions locked.

A.I. Risk Score Likelihood 3 - 6 - 9 months: A.I. Risk Score predictions locked.

Underwriter Stats for PAN

Incidents vs Computer and Network Security Industry Average (This Year)

Palo Alto Networks has 986.96% more incidents than the average of same-industry companies with at least one recorded incident.

Incidents vs All-Companies Average (This Year)

Palo Alto Networks has 681.25% more incidents than the average of all companies with at least one recorded incident.

Incident Types PAN vs Computer and Network Security Industry Avg (This Year)

Palo Alto Networks reported 5 incidents this year: 0 cyber attacks, 0 ransomware, 4 vulnerabilities, 1 data breaches, compared to industry peers with at least 1 incident.

Incident History — PAN (X = Date, Y = Severity)

PAN cyber incidents detection timeline including parent company and subsidiaries

PAN Company Subsidiaries


PAN Similar Companies

CrowdStrike

CrowdStrike (Nasdaq: CRWD), a global cybersecurity leader, has redefined modern security with the world’s most advanced cloud-native platform for protecting critical areas of enterprise risk — endpoints and cloud workloads, identity and data. Powered by the CrowdStrike Security Cloud and world-clas


PAN CyberSecurity News

November 19, 2025 05:15 PM
Palo Alto Networks launches AI agent security integrations with IBM, ServiceNow, and more

Palo Alto Networks has announced new native integrations of its security platform Prisma AIRS with leading AI agent platforms from...

November 19, 2025 04:37 PM
Palo Alto Networks, IBM Plan Quantum-Safe Solution

Palo Alto Networks and IBM are collaborating to develop a solution designed to help organizations prepare for the coming age of quantum...

November 19, 2025 04:06 PM
IBM & Palo Alto Networks launch solution for quantum threats

IBM and Palo Alto Networks launch a Quantum-Safe Readiness solution to help firms tackle security risks from emerging quantum computing...

November 19, 2025 03:25 PM
Palo Alto integrates Prisma AIRS with IBM, ServiceNow, and more

Palo Alto Networks integrates Prisma AIRS with Factory, Glean, IBM, and ServiceNow for secure AI agent implementations against prompt...

November 19, 2025 03:07 PM
Palo Alto Networks (PANW) Teams with IBM for Quantum-Safe Securi

Key Takeaways: Palo Alto Networks (PANW) collaborates with IBM to enhance enterprise security with a Quantum-Safe Readiness solution.

November 19, 2025 02:48 PM
Xerox launches unified cybersecurity solution for SMBs powered by Palo Alto Networks and cyber insurance from The Hartford

Hartford Insurance Group Inc: Xerox launches unified cybersecurity solution for SMBs powered by Palo Alto Networks and cyber insurance from...

November 19, 2025 02:22 PM
Palo Alto Networks, Inc. and IBM Plan to Launch Joint Solution to Accelerate Enterprise-Wide Quantum-Safe Readiness

Palo Alto Networks announced a plan with IBM to offer a new Quantum-Safe Readiness solution designed to help enterprises identify...

November 19, 2025 02:18 PM
Xerox unveils cybersecurity solution for small businesses

NORWALK, Conn. - Xerox Holdings Corporation (NASDAQ:XRX) announced Wednesday the launch of Xerox TriShield 360 Cyber Solution,...

November 19, 2025 02:00 PM
Xerox Launches Unified Cybersecurity Solution for SMBs Powered by Palo Alto Networks and Cyber Insurance from The Hartford

NORWALK, Conn., November 19, 2025--Xerox today announced the launch of XeroxTM TriShield 360 Cyber Solution, a holistic cybersecurity...


Frequently Asked Questions

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.

PAN CyberSecurity History Information

Official Website of Palo Alto Networks

The official website of Palo Alto Networks is http://www.paloaltonetworks.com.

Palo Alto Networks’s AI-Generated Cybersecurity Score

According to Rankiteo, Palo Alto Networks’s AI-generated cybersecurity score is 777, reflecting their Fair security posture.

How many security badges does Palo Alto Networks have ?

According to Rankiteo, Palo Alto Networks currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.

Does Palo Alto Networks have SOC 2 Type 1 certification ?

According to Rankiteo, Palo Alto Networks is not certified under SOC 2 Type 1.

Does Palo Alto Networks have SOC 2 Type 2 certification ?

According to Rankiteo, Palo Alto Networks does not hold a SOC 2 Type 2 certification.

Does Palo Alto Networks comply with GDPR ?

According to Rankiteo, Palo Alto Networks is not listed as GDPR compliant.

Does Palo Alto Networks have PCI DSS certification ?

According to Rankiteo, Palo Alto Networks does not currently maintain PCI DSS compliance.

Does Palo Alto Networks comply with HIPAA ?

According to Rankiteo, Palo Alto Networks is not compliant with HIPAA regulations.

Does Palo Alto Networks have ISO 27001 certification ?

According to Rankiteo, Palo Alto Networks is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.

Industry Classification of Palo Alto Networks

Palo Alto Networks operates primarily in the Computer and Network Security industry.

Number of Employees at Palo Alto Networks

Palo Alto Networks employs approximately 17,868 people worldwide.

Subsidiaries Owned by Palo Alto Networks

Palo Alto Networks presently has no subsidiaries across any sectors.

Palo Alto Networks’s LinkedIn Followers

Palo Alto Networks’s official LinkedIn profile has approximately 1,667,098 followers.

NAICS Classification of Palo Alto Networks

Palo Alto Networks is classified under the NAICS code 541514, which corresponds to Others.

Palo Alto Networks’s Presence on Crunchbase

Yes, Palo Alto Networks has an official profile on Crunchbase, which can be accessed here: https://www.crunchbase.com/organization/palo-alto-networks.

Palo Alto Networks’s Presence on LinkedIn

Yes, Palo Alto Networks maintains an official LinkedIn profile, actively used for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/palo-alto-networks.

Cybersecurity Incidents Involving Palo Alto Networks

As of November 27, 2025, Rankiteo reports that Palo Alto Networks has experienced 5 cybersecurity incidents.

Number of Peer and Competitor Companies

Palo Alto Networks has an estimated 2,775 peer or competitor companies worldwide.

What types of cybersecurity incidents have occurred at Palo Alto Networks ?

Incident Types: The types of cybersecurity incidents that have occurred include Breach and Vulnerability.

How does Palo Alto Networks detect and respond to cybersecurity incidents ?

Detection and Response: The company detects and responds to cybersecurity incidents through the following measures:

  • Remediation measures: immediate updates to patched software versions.
  • Remediation measures: upgrade to PAN-OS 11.2.6, 11.1.10, 10.2.14, or 10.1.14-h15.
  • Third-party assistance: Salesforce, Salesloft, and Google’s Threat Intelligence Group. Containment measures: disabled the vulnerable Salesloft Drift integration (Palo Alto Networks), revoked affected OAuth tokens, launched a third-party risk management investigation (Zscaler). Remediation measures: strengthened customer authentication protocols (Zscaler), reviewing internal safeguards (Palo Alto Networks), customer notifications. Communication strategy: public disclosures (PagerDuty, Zscaler, Palo Alto Networks), customer advisories (e.g., Palo Alto Networks via LinkedIn), recommendations for heightened phishing vigilance. Enhanced monitoring: heightened vigilance for phishing (recommended to customers).
  • Containment measures: urgent patching to remediated versions, hotfix application (e.g., 10.2.13-h3, 11.1.6-h1). By product: PAN-OS 10.2, upgrade to 10.2.14 or apply hotfix 10.2.13-h3+; PAN-OS 11.1, upgrade to 11.1.7 or apply hotfix 11.1.6-h1/11.1.4-h13; PAN-OS 11.2, upgrade to 11.2.5 or apply hotfixes; Prisma Access, Palo Alto Networks completing upgrades (except where maintenance windows conflict). Communication strategy: public advisory with remediation guidance, customer notifications for Prisma Access upgrades.
  • Third-party assistance: XBOW researchers (vulnerability discovery). Containment measures: disable Clientless VPN functionality, enable Threat Prevention IDs 510003 and 510004 (Applications and Threats content version 8970). Remediation measures: upgrade to patched PAN-OS versions (expected releases: June–August 2025), user awareness training for suspicious links. Communication strategy: public advisory by Palo Alto Networks. Enhanced monitoring: monitor for exploitation attempts via Threat Prevention signatures.

Incident Details

Can you provide details on each incident ?

Incident : Denial of Service (DoS)

Title: Palo Alto Networks PAN-OS DoS Vulnerability

Description: Palo Alto Networks' PAN-OS software was found to contain a significant denial-of-service (DoS) vulnerability, labeled CVE-2025-0128, affecting several versions and potentially putting organizations at risk of service interruptions. Unauthenticated attackers could exploit this vulnerability to force system reboots and maintenance mode engagement, leading to service unavailability for those reliant on the company's firewall appliances. The security flaw, while rated 'MEDIUM' in severity due to a CVSS score of 6.6, has a high impact on availability, albeit not directly threatening data confidentiality or integrity. Security recommendations encourage immediate updates to patched software versions to prevent exploitation.

Type: Denial of Service (DoS)

Attack Vector: Unauthenticated Exploitation

Vulnerability Exploited: CVE-2025-0128

Threat Actor: Unauthenticated Attackers

Incident : Command Injection

Title: PAN-OS Admin Command Injection Vulnerability

Description: A newly disclosed command injection vulnerability in Palo Alto Networks’ PAN-OS operating system poses significant security risks to enterprise firewall infrastructures worldwide.

Date Publicly Disclosed: 2025-06-11

Type: Command Injection

Attack Vector: Authenticated administrator with CLI access

Vulnerability Exploited: CVE-2025-4230

Incident : Supply Chain Attack

Title: Supply Chain Breach via Salesloft Drift Exploit Targeting Salesforce Data

Description: Hackers exploited the Salesloft Drift app to steal OAuth tokens and access Salesforce data, exposing customer details at major tech firms including Palo Alto Networks, Zscaler, and PagerDuty. The attack was a supply chain breach targeting a third-party sales/marketing SaaS application, leading to unauthorized access to Salesforce accounts of hundreds of companies. Exposed data included business contact details (names, emails, job titles, phone numbers) but no core products or infrastructure were compromised.

Date Detected: 2025-08-20

Date Publicly Disclosed: 2025-08-23

Type: Supply Chain Attack

Attack Vector: Third-Party Vulnerability Exploitation; OAuth Token Theft; Salesforce Integration Abuse

Vulnerability Exploited: Unspecified vulnerability in Salesloft Drift's OAuth token management

Threat Actor: UNC6395

Motivation: Data Theft; Potential Phishing/Follow-on Attacks; Financial Gain (likely)

Incident : Denial-of-Service (DoS)

Title: Critical Denial-of-Service Vulnerability in Palo Alto Networks PAN-OS Software

Description: A critical denial-of-service vulnerability (CVE-TBD) has been identified in Palo Alto Networks PAN-OS software that allows unauthenticated attackers to remotely reboot firewalls by crafting specially designed packets through the data plane. Repeated reboot attempts can force affected firewalls into maintenance mode, disabling network protection capabilities and leaving organizations vulnerable to secondary attacks. The vulnerability impacts PA-Series firewalls, VM-Series firewalls, and Prisma Access deployments across multiple PAN-OS versions (excluding Cloud NGFW). It manifests only on firewalls with URL proxy or any decrypt policy configured (including explicit decrypt, explicit no-decrypt, or no-matching policies). The issue stems from improper checks for unusual conditions (CWE-754) and pointer manipulation (CAPEC-129). Palo Alto Networks assigned a CVSS base score of 8.7 (MEDIUM severity, MODERATE urgency) and reports no evidence of active exploitation in the wild. Remediation requires patching to specific versions (e.g., PAN-OS 10.2.14, 11.1.7, or 11.2.5) or applying hotfixes, with no workarounds available for unpatched systems.

Type: Denial-of-Service (DoS)

Attack Vector: Network-based (no authentication or user interaction required)

Vulnerability Exploited: CVE-TBD; CWE-754 (Improper Check for Unusual or Exceptional Conditions); CAPEC-129 (Pointer Manipulation). CVSS score: base 8.7, behavioral 6.6; Severity: MEDIUM; Urgency: MODERATE.

Incident : Vulnerability

Title: Palo Alto Networks GlobalProtect Reflected XSS Vulnerability (CVE-2025-0133)

Description: Palo Alto Networks has disclosed a reflected cross-site scripting (XSS) vulnerability, tracked as CVE-2025-0133, affecting the GlobalProtect gateway and portal features of its PAN-OS software. The flaw enables execution of malicious JavaScript in authenticated Captive Portal user browsers when victims click specially crafted links. It poses a significant threat to organizations utilizing the Clientless VPN feature. The vulnerability is rated low severity (CVSS Base Score 2.0) under default configurations but elevates to MEDIUM (CVSS 5.5) when Clientless VPN is enabled. XBOW researchers identified this vulnerability, which enables attackers to create convincing phishing and credential-stealing links that appear legitimately hosted on the GlobalProtect portal. Proof-of-concept exploit code is already available in the wild, increasing urgency for mitigation.

Type: Vulnerability

Attack Vector: Social Engineering; Malicious Links; Phishing

Vulnerability Exploited: CVE-2025-0133; CWE-79; CAPEC-591. CVSS score: 2.0 (default), 5.5 (Clientless VPN enabled); CVSS vector: not provided. Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GlobalProtect gateway/portal Captive Portal.

Motivation: Credential Theft; Phishing; Session Hijacking

What are the most common types of attacks the company has faced ?

Common Attack Types: The most common type of attack the company has faced is Vulnerability.

How does the company identify the attack vectors used in incidents ?

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through CLI access and Salesloft Drift (third-party SaaS application).

Impact of the Incidents

What was the impact of each incident ?

Incident : Denial of Service (DoS) PAL707041025

Systems Affected: Firewall appliances

Downtime: System reboots and maintenance mode engagement

Operational Impact: Service unavailability

Incident : Command Injection PAL304061225

Systems Affected: PAN-OS 11.2 versions prior to 11.2.6, PAN-OS 11.1 versions before 11.1.10, PAN-OS 10.2 versions earlier than 10.2.14, and PAN-OS 10.1 versions before 10.1.14-h15

Incident : Supply Chain Attack PAL505090325

Data Compromised: Business contact details (names, email addresses, job titles, phone numbers), Sales account records, Case metadata

Systems Affected: Salesforce instances (via third-party integration); Salesloft Drift app

Operational Impact: Heightened vigilance required for phishing; third-party risk investigations; customer notifications; authentication protocol reviews

Brand Reputation Impact: Potential erosion of trust in third-party integrations; reputational risk for affected firms (Palo Alto Networks, Zscaler, PagerDuty)

Identity Theft Risk: Low (business contact details only); phishing risk elevated

Incident : Denial-of-Service (DoS) PAL5292352111325

Systems Affected:

  • PA-Series Firewalls: PAN-OS 10.2 (all ≤ 10.2.13), 11.1 (all ≤ 11.1.6), 11.2 (< 11.2.5)
  • VM-Series Firewalls: PAN-OS 10.2 (all ≤ 10.2.13), 11.1 (all ≤ 11.1.6), 11.2 (< 11.2.5)
  • Prisma Access: underlying PAN-OS versions (see above)

Downtime: Potential extended downtime due to forced maintenance mode and secondary attack exposure

Operational Impact: Loss of firewall protection, network disruption, vulnerability to follow-on attacks

Brand Reputation Impact: Potential reputational damage due to security posture degradation

Incident : Vulnerability PAL1480714112625

Data Compromised: User session cookies, Credentials

Systems Affected: GlobalProtect Gateway; GlobalProtect Portal; Clientless VPN

Operational Impact: Increased Phishing Risk; Compromised User Sessions

Brand Reputation Impact: Potential Loss of Trust Due to Phishing Risks

Identity Theft Risk: High (if credentials are stolen)

What types of data are most commonly compromised in incidents ?

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Business Contact Details, Sales Account Records, Case Metadata, Social Security Numbers (TransUnion only), Session Tokens, and Credentials.

Which entities were affected by each incident ?

Incident : Denial of Service (DoS) PAL707041025

Entity Name: Palo Alto Networks

Entity Type: Organization

Industry: Cybersecurity

Incident : Command Injection PAL304061225

Entity Name: Palo Alto Networks

Entity Type: Enterprise

Industry: Network Security

Incident : Supply Chain Attack PAL505090325

Entity Name: Palo Alto Networks

Entity Type: Public Company

Industry: Cybersecurity

Location: Santa Clara, California, USA

Size: Large Enterprise

Customers Affected: Not specified (business contact details exposed)

Incident : Supply Chain Attack PAL505090325

Entity Name: Zscaler

Entity Type: Public Company

Industry: Cybersecurity

Location: San Jose, California, USA

Size: Large Enterprise

Customers Affected: Not specified (business contact details exposed)

Incident : Supply Chain Attack PAL505090325

Entity Name: PagerDuty

Entity Type: Public Company

Industry: IT Operations/Incident Response

Location: San Francisco, California, USA

Size: Mid-to-Large Enterprise

Customers Affected: Not specified (business contact details exposed)

Incident : Supply Chain Attack PAL505090325

Entity Name: TransUnion

Entity Type: Public Company

Industry: Credit Reporting

Location: Chicago, Illinois, USA

Size: Large Enterprise

Customers Affected: 4.4 million US consumers (including Social Security numbers)

Incident : Supply Chain Attack PAL505090325

Entity Name: Salesloft (Drift integration)

Entity Type: Private Company (SaaS)

Industry: Sales Engagement Platform

Location: Atlanta, Georgia, USA

Size: Mid-to-Large Enterprise

Customers Affected: Hundreds of companies (via OAuth token theft)

Incident : Denial-of-Service (DoS) PAL5292352111325

Entity Name: Palo Alto Networks

Entity Type: Cybersecurity Vendor

Industry: Network Security

Location: Santa Clara, California, USA

Customers Affected: Organizations using vulnerable PAN-OS versions (PA-Series, VM-Series, Prisma Access)

Incident : Denial-of-Service (DoS) PAL5292352111325

Entity Name: Organizations using affected PAN-OS versions

Entity Type: Enterprises, Government Agencies, Service Providers

Location: Global

Incident : Vulnerability PAL1480714112625

Entity Name: Palo Alto Networks

Entity Type: Organization

Industry: Cybersecurity

Location: Santa Clara, California, USA

Response to the Incidents

What measures were taken in response to each incident ?

Incident : Denial of Service (DoS) PAL707041025

Remediation Measures: Immediate updates to patched software versions

Incident : Command Injection PAL304061225

Remediation Measures: Upgrade to PAN-OS 11.2.6, 11.1.10, 10.2.14, or 10.1.14-h15

Incident : Supply Chain Attack PAL505090325

Incident Response Plan Activated: True

Third Party Assistance: Salesforce, Salesloft, Google’s Threat Intelligence Group.

Containment Measures: Disabled vulnerable Salesloft-Drift integration (Palo Alto Networks), Revoked affected OAuth tokens, Launched third-party risk management investigation (Zscaler)

Remediation Measures: Strengthened customer authentication protocols (Zscaler), Reviewing internal safeguards (Palo Alto Networks), Customer notifications

Communication Strategy: Public disclosures (PagerDuty, Zscaler, Palo Alto Networks), Customer advisories (e.g., Palo Alto Networks via LinkedIn), Recommendations for heightened phishing vigilance

Enhanced Monitoring: Heightened vigilance for phishing (recommended to customers)

Incident : Denial-of-Service (DoS) PAL5292352111325

Containment Measures: Urgent patching to remediated versions, Hotfix application (e.g., 10.2.13-h3, 11.1.6-h1)

Remediation Measures: PAN-OS 10.2: upgrade to 10.2.14 or apply hotfix 10.2.13-h3+; PAN-OS 11.1: upgrade to 11.1.7 or apply hotfix 11.1.6-h1/11.1.4-h13; PAN-OS 11.2: upgrade to 11.2.5 or apply hotfixes; Prisma Access: Palo Alto Networks completing upgrades (except conflicting maintenance windows)

Communication Strategy: Public advisory with remediation guidance, Customer notifications for Prisma Access upgrades

Incident : Vulnerability PAL1480714112625

Third Party Assistance: Xbow Researchers (Vulnerability Discovery).

Containment Measures: Disable Clientless VPN functionality, Enable Threat Prevention IDs 510003 and 510004 (Applications and Threats content version 8970)

Remediation Measures: Upgrade to patched PAN-OS versions (expected releases: June–August 2025), User awareness training for suspicious links

Communication Strategy: Public Advisory by Palo Alto Networks

Enhanced Monitoring: Monitor for exploitation attempts via Threat Prevention signatures

How does the company involve third-party assistance in incident response ?

Third-Party Assistance: The company involves third-party assistance in incident response through Salesforce, Salesloft, Google’s Threat Intelligence Group and XBOW Researchers (Vulnerability Discovery).

Data Breach Information

What type of data was compromised in each breach ?

Incident : Supply Chain Attack PAL505090325

Type of Data Compromised: Business contact details, Sales account records, Case metadata, Social Security numbers (TransUnion only)

Number of Records Exposed: Undisclosed (Palo Alto Networks, Zscaler, PagerDuty), 4.4 million (TransUnion)

Sensitivity of Data: Moderate (business contacts), High (SSNs for TransUnion)

Personally Identifiable Information: Names, Email addresses, Job titles, Phone numbers, Social Security numbers (TransUnion only)

Incident : Vulnerability PAL1480714112625

Type of Data Compromised: Session tokens, Credentials

Sensitivity of Data: High (authenticated session data)

Data Exfiltration: Potential (if credentials are stolen)

Personally Identifiable Information: Potential (if credentials include PII)

What measures does the company take to prevent data exfiltration ?

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Immediate updates to patched software versions; Upgrade to PAN-OS 11.2.6, 11.1.10, 10.2.14, or 10.1.14-h15; Strengthened customer authentication protocols (Zscaler); Reviewing internal safeguards (Palo Alto Networks); Customer notifications; PAN-OS 10.2: upgrade to 10.2.14 or apply hotfix 10.2.13-h3+; PAN-OS 11.1: upgrade to 11.1.7 or apply hotfix 11.1.6-h1/11.1.4-h13; PAN-OS 11.2: upgrade to 11.2.5 or apply hotfixes; Prisma Access: Palo Alto Networks completing upgrades (except conflicting maintenance windows); Upgrade to patched PAN-OS versions (expected releases: June–August 2025); User awareness training for suspicious links.

How does the company handle incidents involving personally identifiable information (PII) ?

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) by disabling the vulnerable Salesloft-Drift integration (Palo Alto Networks), revoking affected OAuth tokens, launching a third-party risk management investigation (Zscaler), urgent patching to remediated versions, hotfix application (e.g., 10.2.13-h3, 11.1.6-h1), disabling Clientless VPN functionality and enabling Threat Prevention IDs 510003 and 510004 (Applications and Threats content version 8970).

Ransomware Information

Was ransomware involved in any of the incidents ?

Incident : Supply Chain Attack PAL505090325

Data Exfiltration: True

Lessons Learned and Recommendations

What lessons were learned from each incident ?

Incident : Supply Chain Attack PAL505090325

Lessons Learned: Third-party SaaS integrations introduce significant supply chain risk, even for cybersecurity firms., OAuth token management requires stricter oversight and monitoring., Rapid revocation of compromised tokens is critical to limiting exposure., Customer communication and transparency are essential to maintaining trust post-breach.

Incident : Denial-of-Service (DoS) PAL5292352111325

Lessons Learned: Criticality of prompt patching for network infrastructure vulnerabilities, Risks of DoS vulnerabilities enabling secondary attacks, Importance of maintenance windows for security updates

Incident : Vulnerability PAL1480714112625

Lessons Learned: Clientless VPN introduces elevated risk for reflected XSS vulnerabilities., Proof-of-concept exploits in the wild necessitate proactive mitigation even before active exploitation is observed., User training remains critical for mitigating social engineering-based attacks.

What recommendations were made to prevent future incidents ?

Incident : Denial of Service (DoS) PAL707041025

Recommendations: Immediate updates to patched software versions

Incident : Command Injection PAL304061225

Recommendations: Implement additional access controls limiting CLI access to essential personnel only.

Incident : Supply Chain Attack PAL505090325

Recommendations: Conduct third-party risk assessments for all SaaS integrations, especially those with OAuth access., Implement least-privilege access controls for third-party apps connected to CRM systems like Salesforce., Monitor for anomalous OAuth token usage or unexpected API calls from integrated apps., Enhance authentication protocols for customer support interactions to prevent social engineering., Educate employees and customers on phishing risks following data breaches involving contact details.

Incident : Denial-of-Service (DoS) PAL5292352111325

Recommendations: Immediately upgrade to patched PAN-OS versions (10.2.14, 11.1.7, 11.2.5+) or apply hotfixes, Prioritize remediation during next maintenance window for Prisma Access, Monitor for signs of exploitation (unexpected reboots, maintenance mode), Review decrypt policies and URL proxy configurations for exposure, Assess secondary attack surfaces exposed during firewall downtime

Incident : Vulnerability PAL1480714112625

Recommendations: Prioritize patching PAN-OS versions based on Clientless VPN usage., Disable Clientless VPN if not essential to operations., Deploy Threat Prevention signatures (IDs 510003, 510004) for affected systems., Conduct phishing simulation exercises to raise user awareness., Monitor for unusual activity in GlobalProtect portals/gateways.

What are the key lessons learned from past incidents ?

Key Lessons Learned: The key lessons learned from past incidents are: Third-party SaaS integrations introduce significant supply chain risk, even for cybersecurity firms; OAuth token management requires stricter oversight and monitoring; Rapid revocation of compromised tokens is critical to limiting exposure; Customer communication and transparency are essential to maintaining trust post-breach; Criticality of prompt patching for network infrastructure vulnerabilities; Risks of DoS vulnerabilities enabling secondary attacks; Importance of maintenance windows for security updates; Clientless VPN introduces elevated risk for reflected XSS vulnerabilities; Proof-of-concept exploits in the wild necessitate proactive mitigation even before active exploitation is observed; User training remains critical for mitigating social engineering-based attacks.

What recommendations has the company implemented to improve cybersecurity ?

Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: Immediate updates to patched software versions and Implement additional access controls limiting CLI access to essential personnel only.

References

Where can I find more information about each incident ?

Incident : Supply Chain Attack PAL505090325

Source: PagerDuty Public Report

Date Accessed: 2025-08-23

Incident : Supply Chain Attack PAL505090325

Source: Zscaler Official Blog

Date Accessed: 2025-08-23

Incident : Supply Chain Attack PAL505090325

Source: Palo Alto Networks Customer Notification (via LinkedIn)

Date Accessed: 2025-08-23

Incident : Supply Chain Attack PAL505090325

Source: Google’s Threat Intelligence Group Investigation

Incident : Denial-of-Service (DoS) PAL5292352111325

Source: Palo Alto Networks Security Advisory

Incident : Vulnerability PAL1480714112625

Source: Palo Alto Networks Security Advisory

Incident : Vulnerability PAL1480714112625

Source: XBOW Research

Where can stakeholders find additional resources on cybersecurity best practices ?

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at the following sources: PagerDuty Public Report (Date Accessed: 2025-08-23), Zscaler Official Blog (Date Accessed: 2025-08-23), Palo Alto Networks Customer Notification (via LinkedIn) (Date Accessed: 2025-08-23), Google’s Threat Intelligence Group Investigation, Palo Alto Networks Security Advisory (Denial-of-Service incident), Palo Alto Networks Security Advisory (GlobalProtect vulnerability) and XBOW Research.

Investigation Status

What is the current status of the investigation for each incident ?

Incident : Supply Chain Attack PAL505090325

Investigation Status: Ongoing (Google’s Threat Intelligence Group and affected companies)

Incident : Denial-of-Service (DoS) PAL5292352111325

Investigation Status: Ongoing (no active exploitation detected; patches released)

Incident : Vulnerability PAL1480714112625

Investigation Status: Ongoing (no confirmed malicious exploitation reported as of disclosure)

How does the company communicate the status of incident investigations to stakeholders ?

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Public Disclosures (PagerDuty, Zscaler, Palo Alto Networks), Customer Advisories (e.g., Palo Alto Networks via LinkedIn), Recommendations for Heightened Phishing Vigilance, Public Advisory with Remediation Guidance, Customer Notifications for Prisma Access Upgrades and Public Advisory by Palo Alto Networks.

Stakeholder and Customer Advisories

Were there any advisories issued to stakeholders or customers for each incident ?

Incident : Supply Chain Attack PAL505090325

Stakeholder Advisories: Customers advised to monitor for phishing attempts (Zscaler, PagerDuty)., Palo Alto Networks notified impacted customers directly., TransUnion disclosed breach to affected 4.4 million US consumers.

Customer Advisories: PagerDuty: 'We will never contact anyone by phone to request a password or any other secure details.'; Zscaler: 'No evidence of misuse found, but customers should maintain heightened vigilance for phishing.'; Palo Alto Networks: Reviewing internal safeguards to prevent future incidents.

Incident : Denial-of-Service (DoS) PAL5292352111325

Stakeholder Advisories: Public Security Advisory Issued By Palo Alto Networks.

Customer Advisories: Direct notifications to Prisma Access customers for patch scheduling

Incident : Vulnerability PAL1480714112625

Stakeholder Advisories: Palo Alto Networks customers using affected PAN-OS versions.

Customer Advisories: Apply mitigations immediately if Clientless VPN is enabled., Await official patches for long-term remediation.

What advisories does the company provide to stakeholders and customers following an incident ?

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: Customers advised to monitor for phishing attempts (Zscaler, PagerDuty); Palo Alto Networks notified impacted customers directly; TransUnion disclosed breach to affected 4.4 million US consumers; PagerDuty: 'We will never contact anyone by phone to request a password or any other secure details.'; Zscaler: 'No evidence of misuse found, but customers should maintain heightened vigilance for phishing.'; Palo Alto Networks: Reviewing internal safeguards to prevent future incidents; Public security advisory issued by Palo Alto Networks; Direct notifications to Prisma Access customers for patch scheduling; Palo Alto Networks customers using affected PAN-OS versions; Apply mitigations immediately if Clientless VPN is enabled; Await official patches for long-term remediation.

Initial Access Broker

How did the initial access broker gain entry for each incident ?

Incident : Command Injection PAL304061225

Entry Point: CLI access

Incident : Supply Chain Attack PAL505090325

Entry Point: Salesloft Drift (third-party SaaS application)

High Value Targets: Salesforce instances of cybersecurity/tech firms

Data Sold on Dark Web: Salesforce instances of cybersecurity/tech firms

Post-Incident Analysis

What were the root causes and corrective actions taken for each incident ?

Incident : Command Injection PAL304061225

Root Causes: Insufficient input validation within the PAN-OS CLI interface

Corrective Actions: Patching and restricting administrative access

Incident : Supply Chain Attack PAL505090325

Root Causes: Inadequate security controls for OAuth tokens in Salesloft Drift., Over-permissive third-party app integrations with Salesforce., Lack of real-time monitoring for anomalous token usage.

Corrective Actions: Disabled vulnerable integrations (Palo Alto Networks)., Revoked compromised OAuth tokens., Enhanced authentication protocols (Zscaler)., Third-party risk management investigations launched.

Incident : Denial-of-Service (DoS) PAL5292352111325

Root Causes: Improper checks for unusual conditions (CWE-754), Pointer manipulation vulnerability (CAPEC-129), Lack of input validation in data plane packet handling

Corrective Actions: Code fixes in patched PAN-OS versions to validate data plane inputs, Enhanced testing for DoS resilience in firewall software, Proactive hotfix distribution for critical vulnerabilities

Incident : Vulnerability PAL1480714112625

Root Causes: Improper input neutralization in GlobalProtect Captive Portal web page generation., Lack of default protections against reflected XSS in Clientless VPN configurations.

Corrective Actions: Code-level fixes in upcoming PAN-OS patches., Enhanced Threat Prevention signatures for XSS detection.

What is the company's process for conducting post-incident analysis ?

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as: Salesforce, Salesloft, Google’s Threat Intelligence Group; Heightened vigilance for phishing (recommended to customers); XBOW Researchers (Vulnerability Discovery); Monitor for exploitation attempts via Threat Prevention signatures.

What corrective actions has the company taken based on post-incident analysis ?

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Patching and restricting administrative access; Disabled vulnerable integrations (Palo Alto Networks); Revoked compromised OAuth tokens; Enhanced authentication protocols (Zscaler); Third-party risk management investigations launched; Code fixes in patched PAN-OS versions to validate data plane inputs; Enhanced testing for DoS resilience in firewall software; Proactive hotfix distribution for critical vulnerabilities; Code-level fixes in upcoming PAN-OS patches; Enhanced Threat Prevention signatures for XSS detection.

Additional Questions

General Information

Who was the attacking group in the last incident ?

Last Attacking Group: The attacking groups in the last incidents were Unauthenticated Attackers and UNC6395.

Incident Details

What was the most recent incident detected ?

Most Recent Incident Detected: The most recent incident detected was on 2025-08-20.

What was the most recent incident publicly disclosed ?

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-08-23.

Impact of the Incidents

What was the most significant data compromised in an incident ?

Most Significant Data Compromised: The most significant data compromised in an incident were Business contact details (names, email addresses, job titles, phone numbers), Sales account records, Case metadata, User Session Cookies and Credentials.

What was the most significant system affected in an incident ?

Most Significant System Affected: The most significant systems affected in an incident were Salesforce instances (via third-party integration) and the Salesloft Drift app; PA-Series Firewalls, versions 10.2 (all ≤ 10.2.13), 11.1 (all ≤ 11.1.6), 11.2 (< 11.2.5), VM-Series Firewalls, versions 10.2 (all ≤ 10.2.13), 11.1 (all ≤ 11.1.6), 11.2 (< 11.2.5), and Prisma Access (underlying PAN-OS versions, see above); and GlobalProtect Gateway, GlobalProtect Portal and Clientless VPN.

Response to the Incidents

What third-party assistance was involved in the most recent incident ?

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was Salesforce, Salesloft, Google’s Threat Intelligence Group and XBOW Researchers (Vulnerability Discovery).

What containment measures were taken in the most recent incident ?

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were: Disabled vulnerable Salesloft-Drift integration (Palo Alto Networks), Revoked affected OAuth tokens, Launched third-party risk management investigation (Zscaler); Urgent patching to remediated versions, Hotfix application (e.g., 10.2.13-h3, 11.1.6-h1); and Disable Clientless VPN functionality, Enable Threat Prevention IDs 510003 and 510004 (Applications and Threats content version 8970).

Data Breach Information

What was the most sensitive data compromised in a breach ?

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Sales account records, Case metadata, User Session Cookies, Business contact details (names, email addresses, job titles, phone numbers) and Credentials.

What was the number of records exposed in the most significant breach ?

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 4.4M.

Lessons Learned and Recommendations

What was the most significant lesson learned from past incidents ?

Most Significant Lesson Learned: The most significant lesson learned from past incidents was User training remains critical for mitigating social engineering-based attacks.

What was the most significant recommendation implemented to improve cybersecurity ?

Most Significant Recommendation Implemented: The most significant recommendations implemented to improve cybersecurity were: Assess secondary attack surfaces exposed during firewall downtime; Prioritize patching PAN-OS versions based on Clientless VPN usage; Immediate updates to patched software versions; Monitor for unusual activity in GlobalProtect portals/gateways; Deploy Threat Prevention signatures (IDs 510003, 510004) for affected systems; Implement least-privilege access controls for third-party apps connected to CRM systems like Salesforce; Monitor for anomalous OAuth token usage or unexpected API calls from integrated apps; Enhance authentication protocols for customer support interactions to prevent social engineering; Disable Clientless VPN if not essential to operations; Immediately upgrade to patched PAN-OS versions (10.2.14, 11.1.7, 11.2.5+) or apply hotfixes; Prioritize remediation during next maintenance window for Prisma Access; Educate employees and customers on phishing risks following data breaches involving contact details; Conduct phishing simulation exercises to raise user awareness; Monitor for signs of exploitation (unexpected reboots, maintenance mode); Review decrypt policies and URL proxy configurations for exposure; Implement additional access controls limiting CLI access to essential personnel only; Conduct third-party risk assessments for all SaaS integrations, especially those with OAuth access.

References

What is the most recent source of information about an incident ?

Most Recent Source: The most recent source of information about an incident are PagerDuty Public Report, Zscaler Official Blog, Palo Alto Networks Security Advisory, XBOW Research, Palo Alto Networks Customer Notification (via LinkedIn) and Google’s Threat Intelligence Group Investigation.

Investigation Status

What is the current status of the most recent investigation ?

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing (Google’s Threat Intelligence Group and affected companies).

Stakeholder and Customer Advisories

What was the most recent stakeholder advisory issued ?

Most Recent Stakeholder Advisory: The most recent stakeholder advisories issued were: Customers advised to monitor for phishing attempts (Zscaler, PagerDuty); Palo Alto Networks notified impacted customers directly; TransUnion disclosed breach to affected 4.4 million US consumers; Public security advisory issued by Palo Alto Networks; Palo Alto Networks customers using affected PAN-OS versions.

What was the most recent customer advisory issued ?

Most Recent Customer Advisory: The most recent customer advisories issued were: PagerDuty: 'We will never contact anyone by phone to request a password or any other secure details.'; Zscaler: 'No evidence of misuse found, but customers should maintain heightened vigilance for phishing.'; Palo Alto Networks: Reviewing internal safeguards to prevent future incidents; Direct notifications to Prisma Access customers for patch scheduling; Apply mitigations immediately if Clientless VPN is enabled; Await official patches for long-term remediation.

Initial Access Broker

What was the most recent entry point used by an initial access broker ?

Most Recent Entry Point: The most recent entry points used by an initial access broker were CLI access and Salesloft Drift (third-party SaaS application).

Post-Incident Analysis

What was the most significant root cause identified in post-incident analysis ?

Most Significant Root Cause: The most significant root causes identified in post-incident analysis were: Insufficient input validation within the PAN-OS CLI interface; Inadequate security controls for OAuth tokens in Salesloft Drift; Over-permissive third-party app integrations with Salesforce; Lack of real-time monitoring for anomalous token usage; Improper checks for unusual conditions (CWE-754); Pointer manipulation vulnerability (CAPEC-129); Lack of input validation in data plane packet handling; Improper input neutralization in GlobalProtect Captive Portal web page generation; Lack of default protections against reflected XSS in Clientless VPN configurations.

What was the most significant corrective action taken based on post-incident analysis ?

Most Significant Corrective Action: The most significant corrective actions taken based on post-incident analysis were: Patching and restricting administrative access; Disabled vulnerable integrations (Palo Alto Networks); Revoked compromised OAuth tokens; Enhanced authentication protocols (Zscaler); Third-party risk management investigations launched; Code fixes in patched PAN-OS versions to validate data plane inputs; Enhanced testing for DoS resilience in firewall software; Proactive hotfix distribution for critical vulnerabilities; Code-level fixes in upcoming PAN-OS patches; Enhanced Threat Prevention signatures for XSS detection.

CVE

Latest Global CVEs (Not Company-Specific)

Description

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is an XSRF token leakage via protocol-relative URLs in Angular's HTTP clients. The vulnerability is a credential leak by application logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that decides whether a request is cross-origin by checking whether the request URL starts with a protocol (http:// or https://). A protocol-relative URL (one starting with //) does not, so it is incorrectly treated as a same-origin request and the XSRF token is automatically added to the X-XSRF-TOKEN header, even though the browser resolves // against the current scheme and sends the request to whatever host follows it. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround is to avoid protocol-relative URLs (URLs starting with //) in HttpClient requests: all backend communication URLs should be hardcoded as relative paths (starting with a single /) or as fully qualified, trusted absolute URLs.

Risk Information
cvss4
Base: 7.7
Severity: HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
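The decision flaw described above, reduced to its two ingredients, as an added example (this is not Angular's code and not the Angular patch): a prefix-based "is this cross-origin?" test beside a resolution-based one, both driving the same token-attaching step. The names isSameOriginByPrefix, isSameOriginByResolution, buildRequestHeaders and leaksTokenTo, the page origin https://app.example and the token value are illustrative assumptions; the sample URLs are constructed. The example goes one step beyond the advisory by also feeding a backslash-prefixed URL, which the WHATWG URL parser treats like // for http(s).

```javascript
// Added example (not Angular's code): why a prefix-based same-origin test leaks the XSRF token
// to a protocol-relative URL, and a resolution-based test that does not.
// Assumed/illustrative: the function names, the page origin and the token value below.

const PAGE_ORIGIN = 'https://app.example';          // constructed: where the SPA is served from
const XSRF_TOKEN = 'xsrf-token-0123456789abcdef';     // constructed: value read from the XSRF cookie

// Shape of the pre-fix check: a URL is "cross-origin" only if it literally starts with http:// or
// https://. Everything else, including "//host/path", is treated as same-origin.
function isSameOriginByPrefix(url /*, pageOrigin unused */) {
  const lower = url.toLowerCase();
  return !(lower.startsWith('http://') || lower.startsWith('https://'));
}

// Hardened check (one way to do it, not the Angular patch): resolve the request URL against the
// page origin with the WHATWG URL parser and compare origins. "//host", "\\host" and absolute URLs
// all resolve to their real origin; relative paths resolve to the page origin.
function isSameOriginByResolution(url, pageOrigin) {
  let resolved;
  try {
    resolved = new URL(url, pageOrigin);
  } catch {
    return false;                                    // unparseable: never attach the token
  }
  return resolved.origin === new URL(pageOrigin).origin;
}

// Mimics the interceptor step: attach X-XSRF-TOKEN only when the check says "same-origin".
function buildRequestHeaders(url, token, pageOrigin, sameOriginCheck) {
  const headers = { 'Content-Type': 'application/json' };
  if (sameOriginCheck(url, pageOrigin)) {
    headers['X-XSRF-TOKEN'] = token;
  }
  return headers;
}

// True when the token would be sent to `url` under the given check.
function leaksTokenTo(url, sameOriginCheck) {
  return 'X-XSRF-TOKEN' in buildRequestHeaders(url, XSRF_TOKEN, PAGE_ORIGIN, sameOriginCheck);
}

// Constructed inputs: relative path, protocol-relative, backslash variant, absolute foreign URL.
const SAMPLE_URLS = [
  '/api/orders',
  '//attacker.example/collect',
  '\\\\attacker.example/collect',
  'https://attacker.example/collect',
];
for (const url of SAMPLE_URLS) {
  console.log(
    url.padEnd(36),
    'prefix check sends token:', leaksTokenTo(url, isSameOriginByPrefix),
    ' resolution check sends token:', leaksTokenTo(url, isSameOriginByResolution),
  );
}
```

One deliberate difference from the original behaviour: the resolution-based check also attaches the token to a fully qualified URL that resolves to the page's own origin, which the prefix-based check never did; that is a design choice of this example, not something the advisory prescribes.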
Description

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. This issue has been patched in version 1.3.2.

Risk Information
cvss4
Base: 8.7
Severity: HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
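The failure mode in the node-forge recursion advisory above is recursion that follows attacker-controlled nesting with no bound. The following added example (not node-forge code) is a minimal DER TLV walker with an explicit nesting limit, fed a constructed payload of SEQUENCEs nested inside each other: the limit turns "recurse until the stack is exhausted" into a bounded, catchable parse error. The names parseDer, nestSequences, tryParse and MAX_DEPTH, and the limit of 32 levels, are illustrative assumptions.

```javascript
// Added example (not node-forge code): depth-bounded DER parsing against deeply nested input.
// Assumed/illustrative: function names and MAX_DEPTH; the payloads are constructed in-line.

const MAX_DEPTH = 32;   // assumption: ample for certificates and CMS, far below any stack limit

// DER definite-length encoding: short form below 0x80, else 0x80|n followed by n big-endian bytes.
function encodeLength(n) {
  if (n < 0x80) return Buffer.from([n]);
  const bytes = [];
  for (let v = n; v > 0; v = Math.floor(v / 256)) bytes.unshift(v & 0xff);
  return Buffer.from([0x80 | bytes.length, ...bytes]);
}

// Build SEQUENCE { SEQUENCE { ... } } `depth` levels deep; the innermost SEQUENCE is empty.
function nestSequences(depth) {
  let body = Buffer.alloc(0);
  for (let i = 0; i < depth; i++) {
    body = Buffer.concat([Buffer.from([0x30]), encodeLength(body.length), body]);
  }
  return body;
}

// Parse a DER buffer into { tag, length, children } nodes. Constructed tags (bit 6 set) recurse
// into their content; recursion is refused as soon as `depth` passes `maxDepth`.
function parseDer(buf, maxDepth = MAX_DEPTH, depth = 0) {
  if (depth > maxDepth) {
    throw new RangeError(`ASN.1 nesting deeper than ${maxDepth}`);
  }
  const nodes = [];
  let pos = 0;
  while (pos < buf.length) {
    const tag = buf[pos++];
    if (pos >= buf.length) throw new Error('truncated length');
    let len = buf[pos++];
    if (len & 0x80) {
      const n = len & 0x7f;            // n === 0 is the indefinite form, which DER forbids
      if (n === 0 || n > 4 || pos + n > buf.length) throw new Error('unsupported or truncated length');
      len = 0;
      for (let i = 0; i < n; i++) len = len * 256 + buf[pos++];
    }
    if (pos + len > buf.length) throw new Error('truncated value');
    const value = buf.subarray(pos, pos + len);
    pos += len;
    const constructed = (tag & 0x20) !== 0;
    nodes.push({
      tag,
      length: len,
      children: constructed ? parseDer(value, maxDepth, depth + 1) : null,
    });
  }
  return nodes;
}

// Nesting actually reached by a parsed tree (0 for an empty buffer or only primitives).
function treeDepth(nodes) {
  let max = 0;
  for (const n of nodes) {
    if (n.children) max = Math.max(max, 1 + treeDepth(n.children));
  }
  return max;
}

// Parse and report the outcome without ever throwing to the caller.
function tryParse(buf, maxDepth = MAX_DEPTH) {
  try {
    return { ok: true, depth: treeDepth(parseDer(buf, maxDepth)) };
  } catch (err) {
    return { ok: false, error: `${err.constructor.name}: ${err.message}` };
  }
}

console.log(tryParse(nestSequences(8)));    // accepted, depth 8
console.log(tryParse(nestSequences(40)));   // rejected with a RangeError, not a stack overflow
```

The same pattern applies to any recursive-descent decoder: the bound belongs in the recursive function itself, so that the check runs before the next frame is pushed, and it should be a small constant chosen from the structures you actually expect rather than from the platform's stack size.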
Description

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions. This issue has been patched in version 1.3.2.

Risk Information
cvss4
Base: 6.3
Severity: MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
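The OID truncation described above comes from doing base-128 arc accumulation with JavaScript's bitwise operators, which work on 32-bit signed integers. This added example (not node-forge code) shows a decoder written that way beside one that accumulates in BigInt, both run over a constructed OID: sha256WithRSAEncryption (1.2.840.113549.1.1.11) with its last arc replaced by 2^32 + 11. The truncating decoder reads it back as the trusted OID and an allow-list check passes; the exact decoder does not. The function names decodeOidTruncating, decodeOidExact and isTrustedSignatureAlgorithm and the allow-list are illustrative assumptions.

```javascript
// Added example (not node-forge code): OID sub-identifier decoding with 32-bit bitwise arithmetic
// versus arbitrary-precision arithmetic, and the allow-list decision that sits downstream.
// Assumed/illustrative: function names and the allow-list; the byte strings are constructed.

const SHA256_WITH_RSA = '1.2.840.113549.1.1.11';
const TRUSTED_SIGNATURE_OIDS = new Set([SHA256_WITH_RSA]);   // constructed allow-list

// Contents octets of the genuine OID: 2a 86 48 86 f7 0d 01 01 0b
const GENUINE_OID = Buffer.from([0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b]);
// Same prefix, last arc = 2^32 + 11 in base-128 with continuation bits: 90 80 80 80 0b
const OVERSIZED_ARC_OID = Buffer.from([0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
                                       0x90, 0x80, 0x80, 0x80, 0x0b]);

// The first sub-identifier packs the first two arcs as 40*X + Y (X is 0, 1 or 2).
function subidsToDotted(subids) {
  if (subids.length === 0) throw new Error('empty OID');
  const first = subids[0];
  const x = first < 80n ? first / 40n : 2n;
  const y = first - 40n * x;
  return [x, y, ...subids.slice(1)].join('.');
}

// Vulnerable pattern: `<<` and `|` coerce to 32-bit signed ints, so the accumulator wraps modulo 2^32
// and an arc of 2^32 + 11 is read back as 11.
function decodeOidTruncating(bytes) {
  const subids = [];
  let value = 0;
  for (const b of bytes) {
    value = (value << 7) | (b & 0x7f);
    if ((b & 0x80) === 0) {
      subids.push(BigInt(value));
      value = 0;
    }
  }
  return subidsToDotted(subids);
}

// Hardened: accumulate in BigInt, reject a truncated final arc and non-minimal (leading 0x80) arcs.
function decodeOidExact(bytes) {
  const subids = [];
  let value = 0n;
  let inArc = false;
  for (const b of bytes) {
    if (!inArc && b === 0x80) throw new Error('non-minimal sub-identifier encoding');
    value = (value << 7n) | BigInt(b & 0x7f);
    inArc = true;
    if ((b & 0x80) === 0) {
      subids.push(value);
      value = 0n;
      inArc = false;
    }
  }
  if (inArc) throw new Error('truncated sub-identifier');
  return subidsToDotted(subids);
}

// The downstream security decision: is this signature algorithm on the allow-list?
function isTrustedSignatureAlgorithm(oidBytes, decode) {
  try {
    return TRUSTED_SIGNATURE_OIDS.has(decode(oidBytes));
  } catch {
    return false;                                   // malformed OID is never trusted
  }
}

console.log('truncating:', decodeOidTruncating(OVERSIZED_ARC_OID));   // 1.2.840.113549.1.1.11 (collides)
console.log('exact:     ', decodeOidExact(OVERSIZED_ARC_OID));        // 1.2.840.113549.1.1.4294967307
```

The practical check for any ASN.1 library you depend on is the same: decode an OID with an arc above 2^32 and confirm that it either round-trips faithfully or is rejected, never silently collapses to a small value.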
Description

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, working with large buffers in Lua scripts can lead to a stack overflow. Users of Lua rules and output scripts may be affected when working with large buffers. This includes a rule passing a large buffer to a Lua script. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves disabling Lua rules and output scripts, or making sure limits, such as stream.depth.reassembly and HTTP response body limits (response-body-limit), are set to less than half the stack size.

Risk Information
cvss3
Base: 7.5
Severity: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions from 8.0.0 to before 8.0.2, a NULL dereference can occur when the entropy keyword is used in conjunction with base64_data. This issue has been patched in version 8.0.2. A workaround involves disabling rules that use entropy in conjunction with base64_data.

Risk Information
cvss3
Base: 7.5
Severity: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Access Data Using Our API


Get company history

curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=palo-alto-networks' -H 'apikey: YOUR_API_KEY_HERE'

What Do We Measure ?

Incident
Finding
Grade
Digital Assets

Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.

These are some of the factors we use to calculate the overall score:

Network Security

Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.

SBOM (Software Bill of Materials)

Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.

CMDB (Configuration Management Database)

Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.

Threat Intelligence

Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.

Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats, empowering teams to outpace adversaries and reduce exposure.