Company Details
prisma-sase-by-palo-alto-networks
19
21,873
51125
paloaltonetworks.com
0
PRI_7813473
In-progress

Prisma SASE by Palo Alto Networks Company CyberSecurity Posture
paloaltonetworks.com
Palo Alto Networks Prisma SASE is the industry’s most complete single-vendor SASE solution, helping organizations automate costly and complex IT operations with AI-powered Autonomous Digital Experience Management (ADEM); connect and secure branch offices and the hybrid workforce with SD-WAN, ZTNA 2.0, and Cloud SWG; and unlock better ROI through consolidation of point solutions into a single cloud-delivered service.
Between 750 and 799

PSPAN Global Score (TPRM)XXXX

Description: Palo Alto Networks was one of the victims of a supply chain attack in which the threat actor UNC6395 compromised Salesloft Drift, a third-party sales and marketing SaaS tool integrated with Salesforce, and stole the OAuth tokens that the Drift integration held for customer Salesforce instances. Those tokens gave the attackers unauthorized access to Palo Alto Networks' Salesforce instance. The exposed data was limited to business contact details (names, emails, job titles, phone numbers), sales account records and case metadata, but it covered customers at major tech firms. Palo Alto Networks disabled the compromised integration, revoked the affected tokens and worked with Salesforce and Salesloft on forensic analysis. No misuse of the exposed data was identified, but the incident underscored the risk carried by third-party dependencies that hold standing OAuth access. Customers were notified and internal safeguards were reviewed. The attack is part of a broader campaign against Salesforce ecosystems that also includes TransUnion's breach affecting 4.4 million US consumers.
Description: A command injection vulnerability in Palo Alto Networks' PAN-OS, tracked as CVE-2025-4230, lets an authenticated administrator with command-line interface (CLI) access execute arbitrary operating-system commands as root. The root cause is insufficient input validation in the PAN-OS CLI, which allows an administrator to escape the restricted command set. The precondition (an admin account with CLI access) limits who can exploit it, but it turns any compromised, shared or malicious administrator credential into full control of the firewall host, so CLI access should be limited to the personnel who need it.
Description: A denial-of-service (DoS) vulnerability (CVE-TBD) in Palo Alto Networks' PAN-OS allows an unauthenticated attacker to reboot a firewall remotely by sending maliciously crafted packets through the data plane; repeated exploitation forces the firewall into maintenance mode, removing network protection and exposing the organization to secondary attacks. The flaw affects PA-Series and VM-Series firewalls and Prisma Access (not Cloud NGFW) on PAN-OS 10.2, 11.1 and 11.2, and only on firewalls with a URL proxy or any decrypt policy configured (including explicit no-decrypt and no-matching policies). The root cause is an improper check for unusual conditions (CWE-754) reached through pointer manipulation (CAPEC-129); no authentication or user interaction is required. Palo Alto Networks assigned a CVSS base score of 8.7; the score with threat metrics applied is 6.6, reflecting that no exploitation has been observed, which is why the advisory carries MEDIUM severity and MODERATE urgency despite the network-reachable, unauthenticated vector. There is no workaround, so patching is the only remediation: upgrade to PAN-OS 10.2.14, 11.1.7 or 11.2.5, or apply the listed hotfixes; Prisma Access upgrades were still pending for some deployments. Unpatched systems face operational disruption and follow-on attacks during outages; no data breach or ransomware has been reported.
Description: Palo Alto Networks disclosed a reflected cross-site scripting (XSS) vulnerability (CVE-2025-0133) in the GlobalProtect gateway and portal of PAN-OS. An attacker who gets an authenticated Captive Portal user to open a crafted link can run JavaScript in that user's browser, which makes credential-phishing pages that appear to be hosted on the organization's own GlobalProtect portal possible. The default CVSS score is 2.0 (Low); it rises to 5.5 (Medium) when Clientless VPN is enabled. Proof-of-concept exploit code is public, so exploitation may precede the patches (expected June–August 2025). Affected: multiple PAN-OS versions (11.2, 11.1, 10.2, 10.1) and Cloud NGFW; Prisma Access is not affected. Mitigations: upgrade to fixed versions as they become available, enable Threat Prevention IDs 510003 and 510004, or disable Clientless VPN where it is not needed. No malicious exploitation had been confirmed, but the social-engineering path (tricking users into clicking a link that appears to come from their own VPN portal) threatens authentication integrity, particularly for organizations relying on Clientless VPN.
Description: Palo Alto Networks' PAN-OS software was found to contain a significant denial-of-service (DoS) vulnerability, labeled CVE-2025-0128, affecting several versions and potentially putting organizations at risk of service interruptions. Unauthenticated attackers could exploit this vulnerability to force system reboots and maintenance mode engagement, leading to service unavailability for those reliant on the company's firewall appliances. The security flaw, while rated 'MEDIUM' in severity due to a CVSS score of 6.6, has a high impact on availability, albeit not directly threatening data confidentiality or integrity. Security recommendations encourage immediate updates to patched software versions to prevent exploitation.


No incidents recorded for Prisma SASE by Palo Alto Networks in 2025.
PSPAN cyber incidents detection timeline including parent company and subsidiaries



Discover Palo Alto Networks' Prisma AIRS 2.0, the top solution for securing AI with advanced features for enterprises and robust protection.
Meet the only secure browser natively integrated with SASE. Prisma Browser extends SASE protection seamlessly to every device, bringing unmatched agility,...
Forrester has named Palo Alto Networks a Leader in its newly released report, The Forrester Wave™: Secure Access Service Edge Solutions,...
Prisma SASE 4.0 includes a secure browser layer to defend against threats originating inside end users' browsers.
Palo Alto Networks Strengthens Cybersecurity with Prisma Browser & AI-driven SASE Solution ... Palo Alto Networks, the global cybersecurity leader, announced...
Palo Alto Networks launches Prisma SASE 4.0 with AI security features for threat detection and automatic application security.
Prisma introduces dedicated SaaS Security Posture Management (SSPM)
PRNewswire/ -- Today, Palo Alto Networks® (NASDAQ: PANW), the global cybersecurity leader, announced Prisma® SASE 4.0, the industry's most...
Palo Alto Networks introduces Prisma SASE 4.0 with real-time browser threat protection, AI data classification, and private app security.

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.
The official website of Prisma SASE by Palo Alto Networks is https://www.paloaltonetworks.com/sase.
According to Rankiteo, Prisma SASE by Palo Alto Networks’s AI-generated cybersecurity score is 750, reflecting their Fair security posture.
According to Rankiteo, Prisma SASE by Palo Alto Networks currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.
According to Rankiteo, Prisma SASE by Palo Alto Networks is not certified under SOC 2 Type 1.
According to Rankiteo, Prisma SASE by Palo Alto Networks does not hold a SOC 2 Type 2 certification.
According to Rankiteo, Prisma SASE by Palo Alto Networks is not listed as GDPR compliant.
According to Rankiteo, Prisma SASE by Palo Alto Networks does not currently maintain PCI DSS compliance.
According to Rankiteo, Prisma SASE by Palo Alto Networks is not compliant with HIPAA regulations.
According to Rankiteo, Prisma SASE by Palo Alto Networks is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.
Prisma SASE by Palo Alto Networks operates primarily in the Computer Networking Products industry.
Prisma SASE by Palo Alto Networks employs approximately 19 people worldwide.
Prisma SASE by Palo Alto Networks presently has no subsidiaries across any sectors.
Prisma SASE by Palo Alto Networks’s official LinkedIn profile has approximately 21,873 followers.
Prisma SASE by Palo Alto Networks is classified under the NAICS code 51125, which corresponds to Software Publishers.
No, Prisma SASE by Palo Alto Networks does not have a profile on Crunchbase.
Yes, Prisma SASE by Palo Alto Networks maintains an official LinkedIn profile, used for branding and talent engagement; it can be accessed at https://www.linkedin.com/company/prisma-sase-by-palo-alto-networks.
As of November 28, 2025, Rankiteo reports that Prisma SASE by Palo Alto Networks has experienced 5 cybersecurity incidents.
Prisma SASE by Palo Alto Networks has an estimated 949 peer or competitor companies worldwide.
Incident Types: The types of cybersecurity incidents that have occurred include Breach and Vulnerability.
Detection and Response: The response measures recorded on this page, per incident, are: (1) CVE-2025-0128 DoS: immediate updates to patched software versions. (2) CVE-2025-4230 command injection: upgrade to PAN-OS 11.2.6, 11.1.10, 10.2.14, or 10.1.14-h15. (3) Salesloft Drift supply chain breach: third-party assistance from Salesforce, Salesloft and Google’s Threat Intelligence Group; containment by disabling the vulnerable Salesloft Drift integration (Palo Alto Networks), revoking affected OAuth tokens, and launching a third-party risk management investigation (Zscaler); remediation by strengthening customer authentication protocols (Zscaler), reviewing internal safeguards (Palo Alto Networks) and notifying customers; public disclosures (PagerDuty, Zscaler, Palo Alto Networks), customer advisories (e.g. Palo Alto Networks via LinkedIn) and recommendations for heightened phishing vigilance. (4) PAN-OS data-plane DoS (CVE-TBD): urgent patching to remediated versions or hotfixes (PAN-OS 10.2: 10.2.14 or hotfix 10.2.13-h3 and later; PAN-OS 11.1: 11.1.7 or hotfixes 11.1.6-h1 / 11.1.4-h13; PAN-OS 11.2: 11.2.5 or hotfixes; Prisma Access: upgrades completed by Palo Alto Networks except where maintenance windows conflict), with a public advisory carrying remediation guidance and customer notifications for Prisma Access upgrades. (5) CVE-2025-0133 GlobalProtect XSS: vulnerability discovered by XBOW researchers; containment by disabling Clientless VPN and enabling Threat Prevention IDs 510003 and 510004 (Applications and Threats content version 8970); remediation by upgrading to patched PAN-OS releases (expected June–August 2025) and user awareness training on suspicious links; public advisory; monitoring for exploitation attempts via the Threat Prevention signatures.
Title: Palo Alto Networks PAN-OS DoS Vulnerability
Type: Denial of Service (DoS)
Attack Vector: Unauthenticated Exploitation
Vulnerability Exploited: CVE-2025-0128
Threat Actor: Unauthenticated Attackers
Title: PAN-OS Admin Command Injection Vulnerability
Description: A newly disclosed command injection vulnerability in Palo Alto Networks’ PAN-OS operating system poses significant security risks to enterprise firewall infrastructures worldwide.
Date Publicly Disclosed: 2025-06-11
Type: Command Injection
Attack Vector: Authenticated administrator with CLI access
Vulnerability Exploited: CVE-2025-4230
Title: Supply Chain Breach via Salesloft Drift Exploit Targeting Salesforce Data
Description: Hackers exploited the Salesloft Drift app to steal OAuth tokens and access Salesforce data, exposing customer details at major tech firms including Palo Alto Networks, Zscaler, and PagerDuty. The attack was a supply chain breach targeting a third-party sales/marketing SaaS application, leading to unauthorized access to Salesforce accounts of hundreds of companies. Exposed data included business contact details (names, emails, job titles, phone numbers) but no core products or infrastructure were compromised.
Date Detected: 2025-08-20
Date Publicly Disclosed: 2025-08-23
Type: Supply Chain Attack
Attack Vector: Third-party vulnerability exploitation; OAuth token theft; Salesforce integration abuse
Vulnerability Exploited: Unspecified vulnerability in Salesloft Drift's OAuth token management
Threat Actor: UNC6395
Motivation: Data theft; potential phishing/follow-on attacks; financial gain (likely)
Title: Critical Denial-of-Service Vulnerability in Palo Alto Networks PAN-OS Software
Description: A critical denial-of-service vulnerability (CVE-TBD) has been identified in Palo Alto Networks PAN-OS software that allows unauthenticated attackers to remotely reboot firewalls by crafting specially designed packets through the data plane. Repeated reboot attempts can force affected firewalls into maintenance mode, disabling network protection capabilities and leaving organizations vulnerable to secondary attacks. The vulnerability impacts PA-Series firewalls, VM-Series firewalls, and Prisma Access deployments across multiple PAN-OS versions (excluding Cloud NGFW). It manifests only on firewalls with URL proxy or any decrypt policy configured (including explicit decrypt, explicit no-decrypt, or no-matching policies). The issue stems from improper checks for unusual conditions (CWE-754) and pointer manipulation (CAPEC-129). Palo Alto Networks assigned a CVSS base score of 8.7 (MEDIUM severity, MODERATE urgency) and reports no evidence of active exploitation in the wild. Remediation requires patching to specific versions (e.g., PAN-OS 10.2.14, 11.1.7, or 11.2.5) or applying hotfixes, with no workarounds available for unpatched systems.
Type: Denial-of-Service (DoS)
Attack Vector: Network-based (no authentication or user interaction required)
Vulnerability Exploited: CVE-TBD; CWE-754 (Improper Check for Unusual or Exceptional Conditions); CAPEC-129 (Pointer Manipulation). CVSS base score 8.7, 6.6 with threat metrics applied; severity MEDIUM; urgency MODERATE.
Title: Palo Alto Networks GlobalProtect Reflected XSS Vulnerability (CVE-2025-0133)
Description: Palo Alto Networks has disclosed a reflected cross-site scripting (XSS) vulnerability, tracked as CVE-2025-0133, affecting the GlobalProtect gateway and portal features of its PAN-OS software. The flaw enables execution of malicious JavaScript in authenticated Captive Portal user browsers when victims click specially crafted links. It poses a significant threat to organizations utilizing the Clientless VPN feature. The vulnerability is rated low severity (CVSS Base Score 2.0) under default configurations but elevates to MEDIUM (CVSS 5.5) when Clientless VPN is enabled. XBOW researchers identified this vulnerability, which enables attackers to create convincing phishing and credential-stealing links that appear legitimately hosted on the GlobalProtect portal. Proof-of-concept exploit code is already available in the wild, increasing urgency for mitigation.
Type: Vulnerability
Attack Vector: Social engineering; malicious links; phishing
Vulnerability Exploited: CVE-2025-0133; CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting') in the GlobalProtect gateway/portal Captive Portal; CAPEC-591; CVSS 2.0 (default configuration), 5.5 (Clientless VPN enabled); CVSS vector not given on this page
Motivation: Credential theft; phishing; session hijacking
Common Attack Types: Four of the five recorded incidents are product vulnerabilities (two denial-of-service flaws, one command injection, one reflected XSS); the fifth is a supply-chain breach.
Identification of Attack Vectors: The attack vectors recorded on this page are authenticated CLI access (CVE-2025-4230), unauthenticated crafted packets through the data plane (the two DoS issues), crafted links to the GlobalProtect portal (CVE-2025-0133), and the Salesloft Drift third-party integration with its stolen OAuth tokens (supply chain breach).

Systems Affected: Firewall appliances
Downtime: System reboots and maintenance mode engagement
Operational Impact: Service unavailability

Systems Affected: PAN-OS 11.2 versions prior to 11.2.6, PAN-OS 11.1 versions before 11.1.10, PAN-OS 10.2 versions earlier than 10.2.14, and PAN-OS 10.1 versions before 10.1.14-h15

Data Compromised: Business contact details (names, email addresses, job titles, phone numbers), Sales account records, Case metadata
Systems Affected: Salesforce instances (via the third-party integration); Salesloft Drift app
Operational Impact: Heightened vigilance required for phishing; third-party risk investigations; customer notifications; authentication protocol reviews
Brand Reputation Impact: Potential erosion of trust in third-party integrations; reputational risk for affected firms (Palo Alto Networks, Zscaler, PagerDuty)
Identity Theft Risk: Low (business contact details only); phishing risk elevated

Systems Affected: PA-Series and VM-Series firewalls on PAN-OS 10.2 (10.2.13 and earlier), 11.1 (11.1.6 and earlier) and 11.2 (earlier than 11.2.5), except builds carrying the hotfixes listed under Remediation; Prisma Access on the same underlying PAN-OS versions
Downtime: Potential extended downtime due to forced maintenance mode and secondary attack exposure
Operational Impact: Loss of firewall protection, network disruption, vulnerability to follow-on attacks
Brand Reputation Impact: Potential reputational damage due to security posture degradation

Data Compromised: User session cookies and credentials (at risk; no confirmed exploitation)
Systems Affected: GlobalProtect gateway; GlobalProtect portal; Clientless VPN
Operational Impact: Increased phishing risk; compromised user sessions
Brand Reputation Impact: Potential loss of trust due to phishing risks
Identity Theft Risk: High (if credentials are stolen)
Commonly Compromised Data Types: Business contact details, sales account records and case metadata (Salesloft Drift breach; Social Security numbers for TransUnion only), plus session tokens and credentials (at risk in the CVE-2025-0133 GlobalProtect XSS).

Entity Name: Palo Alto Networks
Entity Type: Organization
Industry: Cybersecurity

Entity Name: Palo Alto Networks
Entity Type: Enterprise
Industry: Network Security

Entity Name: Palo Alto Networks
Entity Type: Public Company
Industry: Cybersecurity
Location: Santa Clara, California, USA
Size: Large Enterprise
Customers Affected: Not specified (business contact details exposed)

Entity Name: Zscaler
Entity Type: Public Company
Industry: Cybersecurity
Location: San Jose, California, USA
Size: Large Enterprise
Customers Affected: Not specified (business contact details exposed)

Entity Name: PagerDuty
Entity Type: Public Company
Industry: IT Operations/Incident Response
Location: San Francisco, California, USA
Size: Mid-to-Large Enterprise
Customers Affected: Not specified (business contact details exposed)

Entity Name: TransUnion
Entity Type: Public Company
Industry: Credit Reporting
Location: Chicago, Illinois, USA
Size: Large Enterprise
Customers Affected: 4.4 million US consumers (including Social Security numbers)

Entity Name: Salesloft (Drift integration)
Entity Type: Private Company (SaaS)
Industry: Sales Engagement Platform
Location: Atlanta, Georgia, USA
Size: Mid-to-Large Enterprise
Customers Affected: Hundreds of companies (via OAuth token theft)

Entity Name: Palo Alto Networks
Entity Type: Cybersecurity Vendor
Industry: Network Security
Location: Santa Clara, California, USA
Customers Affected: Organizations using vulnerable PAN-OS versions (PA-Series, VM-Series, Prisma Access)

Entity Name: Organizations using affected PAN-OS versions
Entity Type: Enterprises, Government Agencies, Service Providers
Location: Global

Entity Name: Palo Alto Networks
Entity Type: Organization
Industry: Cybersecurity
Location: Santa Clara, California, USA

Remediation Measures: Immediate updates to patched software versions

Remediation Measures: Upgrade to PAN-OS 11.2.6, 11.1.10, 10.2.14, or 10.1.14-h15

Incident Response Plan Activated: True
Third Party Assistance: Salesforce, Salesloft, Google’s Threat Intelligence Group
Containment Measures: Disabled the vulnerable Salesloft Drift integration (Palo Alto Networks); revoked affected OAuth tokens; launched a third-party risk management investigation (Zscaler)
Remediation Measures: Strengthened customer authentication protocols (Zscaler); reviewing internal safeguards (Palo Alto Networks); customer notifications
Communication Strategy: Public disclosures (PagerDuty, Zscaler, Palo Alto Networks); customer advisories (e.g. Palo Alto Networks via LinkedIn); recommendations for heightened phishing vigilance
Enhanced Monitoring: Heightened vigilance for phishing (recommended to customers)

Containment Measures: Urgent patching to remediated versions; hotfix application (e.g. 10.2.13-h3, 11.1.6-h1)
Remediation Measures: PAN-OS 10.2: upgrade to 10.2.14 or apply hotfix 10.2.13-h3 or later; PAN-OS 11.1: upgrade to 11.1.7 or apply hotfix 11.1.6-h1 or 11.1.4-h13; PAN-OS 11.2: upgrade to 11.2.5 or apply hotfixes; Prisma Access: Palo Alto Networks completing upgrades (except where maintenance windows conflict)
Communication Strategy: Public advisory with remediation guidance; customer notifications for Prisma Access upgrades

Third Party Assistance: XBOW researchers (vulnerability discovery)
Containment Measures: Disable Clientless VPN; enable Threat Prevention IDs 510003 and 510004 (Applications and Threats content version 8970)
Remediation Measures: Upgrade to patched PAN-OS versions (expected releases June–August 2025); user awareness training on suspicious links
Communication Strategy: Public advisory by Palo Alto Networks
Enhanced Monitoring: Monitor for exploitation attempts via the Threat Prevention signatures
Third-Party Assistance: Salesforce, Salesloft and Google’s Threat Intelligence Group assisted with the Salesloft Drift breach; XBOW researchers discovered CVE-2025-0133.

Type of Data Compromised: Business contact details, sales account records, case metadata; Social Security numbers (TransUnion only)
Number of Records Exposed: Undisclosed (Palo Alto Networks, Zscaler, PagerDuty); 4.4 million (TransUnion)
Sensitivity of Data: Moderate (business contacts); High (SSNs, TransUnion only)
Personally Identifiable Information: Names, email addresses, job titles, phone numbers; Social Security numbers (TransUnion only)

Type of Data Compromised: Session tokens, Credentials
Sensitivity of Data: High (authenticated session data)
Data Exfiltration: Potential (if credentials are stolen)
Personally Identifiable Information: Potential (if credentials include PII)
Prevention of Data Exfiltration: The measures recorded on this page are: immediate updates to patched software versions (CVE-2025-0128); upgrade to PAN-OS 11.2.6, 11.1.10, 10.2.14, or 10.1.14-h15 (CVE-2025-4230); strengthened customer authentication protocols (Zscaler), review of internal safeguards (Palo Alto Networks) and customer notifications (Salesloft Drift breach); upgrade to 10.2.14 or hotfix 10.2.13-h3 and later, 11.1.7 or hotfixes 11.1.6-h1 / 11.1.4-h13, and 11.2.5 or hotfixes, with Palo Alto Networks completing Prisma Access upgrades except where maintenance windows conflict (data-plane DoS); and upgrade to patched PAN-OS versions (expected June–August 2025) plus user awareness training for suspicious links (CVE-2025-0133).
Handling of PII Incidents: For the one incident that exposed personal data (the Salesloft Drift breach), the recorded handling was disabling the vulnerable Salesloft Drift integration and revoking the affected OAuth tokens (Palo Alto Networks) and launching a third-party risk management investigation (Zscaler). The vulnerability records list urgent patching or hotfix application (e.g. 10.2.13-h3, 11.1.6-h1) for the data-plane DoS, and disabling Clientless VPN and enabling Threat Prevention IDs 510003 and 510004 (Applications and Threats content version 8970) for CVE-2025-0133.

Data Exfiltration: True

Lessons Learned: Third-party SaaS integrations introduce significant supply chain risk, even for cybersecurity firms., OAuth token management requires stricter oversight and monitoring., Rapid revocation of compromised tokens is critical to limiting exposure., Customer communication and transparency are essential to maintaining trust post-breach.

Lessons Learned: Criticality of prompt patching for network infrastructure vulnerabilities, Risks of DoS vulnerabilities enabling secondary attacks, Importance of maintenance windows for security updates

Lessons Learned: Clientless VPN introduces elevated risk for reflected XSS vulnerabilities., Proof-of-concept exploits in the wild necessitate proactive mitigation even before active exploitation is observed., User training remains critical for mitigating social engineering-based attacks.

Recommendations: Immediate updates to patched software versions

Recommendations: Implement additional access controls limiting CLI access to essential personnel only.

Recommendations: Conduct third-party risk assessments for all SaaS integrations, especially those with OAuth access; implement least-privilege access controls for third-party apps connected to CRM systems like Salesforce; monitor for anomalous OAuth token usage or unexpected API calls from integrated apps; enhance authentication protocols for customer support interactions to prevent social engineering; educate employees and customers on phishing risks following data breaches involving contact details.
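What "monitor for anomalous OAuth token usage or unexpected API calls from integrated apps" looks like in practice, as an added example that is not part of the original page and not code from Palo Alto Networks, Salesforce or Salesloft: a small detector that compares each API call made with a connected app's token against a least-privilege baseline for that app (which objects it may touch, its normal page size, the vendor's egress range, the operations it performs) and names the apps whose tokens should be revoked. The event fields, the baseline, the app names and the sample records are all constructed for illustration; real Salesforce Event Monitoring records use different field names.

```python
"""Anomaly checks for an OAuth-connected SaaS integration (constructed data)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ApiEvent:
    ts: str          # timestamp of the API call (constructed)
    app: str         # connected app whose OAuth token was presented
    user: str        # integration user the token is bound to
    src_ip: str      # client address seen by the SaaS platform
    operation: str   # "Query", "BulkQuery", "DeleteJob", ...
    entity: str      # CRM object touched: "Contact", "Case", "User", ...
    rows: int        # rows returned or processed by the call


# Least-privilege baseline per connected app (assumed values): a chat/marketing
# integration needs Lead and Contact, small pages, plain queries, and should
# only ever call from the vendor's own egress range.
BASELINE: Dict[str, dict] = {
    "drift-chat": {
        "entities": {"Lead", "Contact"},
        "max_rows": 200,
        "operations": {"Query"},
        "cidrs": [ip_network("203.0.113.0/24")],   # TEST-NET-3 stands in for the vendor range
    },
}


def check_event(ev: ApiEvent, baseline: Dict[str, dict] = BASELINE) -> List[str]:
    """Return every way this call deviates from its app's baseline (empty if none)."""
    profile = baseline.get(ev.app)
    if profile is None:
        return [f"unknown connected app {ev.app!r}"]
    reasons: List[str] = []
    if ev.entity not in profile["entities"]:
        reasons.append(f"out-of-scope object {ev.entity}")
    if ev.rows > profile["max_rows"]:
        reasons.append(f"bulk access ({ev.rows} rows)")
    if ev.operation not in profile["operations"]:
        reasons.append(f"unexpected operation {ev.operation}")
    if not any(ip_address(ev.src_ip) in net for net in profile["cidrs"]):
        reasons.append(f"source {ev.src_ip} outside the vendor range")
    return reasons


def scan(events: List[ApiEvent], baseline: Dict[str, dict] = BASELINE) -> List[Tuple[ApiEvent, List[str]]]:
    """Pair each deviating event with its reasons; clean events are dropped."""
    findings = []
    for ev in events:
        reasons = check_event(ev, baseline)
        if reasons:
            findings.append((ev, reasons))
    return findings


def apps_to_revoke(findings: List[Tuple[ApiEvent, List[str]]], min_reasons: int = 2) -> Set[str]:
    """Apps whose tokens should be revoked now: a single call that deviates in
    at least `min_reasons` ways (e.g. bulk pull of an out-of-scope object from
    an unknown address) is treated as token misuse rather than config drift."""
    return {ev.app for ev, reasons in findings if len(reasons) >= min_reasons}


def rows_by_entity(events: List[ApiEvent]) -> Dict[Tuple[str, str], int]:
    """Blast-radius estimate per (app, object): the basis for customer notification."""
    totals: Dict[Tuple[str, str], int] = {}
    for ev in events:
        key = (ev.app, ev.entity)
        totals[key] = totals.get(key, 0) + ev.rows
    return totals


# Constructed sample: two normal calls, then the same token used after hours
# for bulk export of Case and User data from an address outside the vendor
# range, a job deletion to cover tracks, and one call from an uninventoried app.
SAMPLE_EVENTS = [
    ApiEvent("2025-08-08T09:00:00Z", "drift-chat", "drift.integration", "203.0.113.10", "Query", "Contact", 50),
    ApiEvent("2025-08-08T09:05:00Z", "drift-chat", "drift.integration", "203.0.113.11", "Query", "Lead", 120),
    ApiEvent("2025-08-08T23:41:00Z", "drift-chat", "drift.integration", "198.51.100.7", "BulkQuery", "Case", 48000),
    ApiEvent("2025-08-08T23:43:00Z", "drift-chat", "drift.integration", "198.51.100.7", "BulkQuery", "User", 900),
    ApiEvent("2025-08-08T23:50:00Z", "drift-chat", "drift.integration", "198.51.100.7", "DeleteJob", "Case", 0),
    ApiEvent("2025-08-09T01:00:00Z", "legacy-sync", "svc.sync", "203.0.113.12", "Query", "Contact", 10),
]

if __name__ == "__main__":
    findings = scan(SAMPLE_EVENTS)
    for ev, reasons in findings:
        print(ev.ts, ev.app, ev.operation, ev.entity, "->", "; ".join(reasons))
    print("revoke tokens for:", sorted(apps_to_revoke(findings)))
    print("rows touched:", rows_by_entity(SAMPLE_EVENTS))
```

The baseline is the point: an integration that only ever needs Lead and Contact has no reason to read Case or User, and the first bulk query against either from an unfamiliar address is the moment to revoke the token, not after the vendor's disclosure. The uninventoried app is reported but not auto-revoked, since a single "unknown app" signal is more often an inventory gap than an intrusion.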

Recommendations: Immediately upgrade to patched PAN-OS versions (10.2.14, 11.1.7, 11.2.5 or later) or apply hotfixes; prioritize remediation during the next maintenance window for Prisma Access; monitor for signs of exploitation (unexpected reboots, maintenance mode); review decrypt policies and URL proxy configurations for exposure; assess secondary attack surfaces exposed during firewall downtime.
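The patching recommendations on this page mix full maintenance releases (10.2.14, 11.1.7, 11.2.5) with hotfixes on older releases (10.2.13-h3, 11.1.6-h1, 11.1.4-h13), and the two are not interchangeable: 11.1.5 sorts "above" 11.1.4-h13 but does not contain that fix. The checker below, an added example rather than Palo Alto Networks' own tooling, parses PAN-OS version strings and reports per advisory whether an installed build is covered. The fixed-version lists are copied from the remediation entries on this page for CVE-2025-4230 and for the data-plane DoS the page lists as CVE-TBD; the version grammar, the status labels and the rule for hotfix entries are assumptions stated in the comments. CVE-2025-0128 and CVE-2025-0133 are left out because the page gives no fixed-version thresholds for them.

```python
"""Is this PAN-OS build covered by the fixed releases quoted on this page?"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]   # (major, minor, maintenance, hotfix); hotfix 0 = none

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

# Fixed versions as listed on this page. A "-hN" entry fixes only that
# maintenance release (at hotfix N or later); it says nothing about later
# maintenance releases unless they are listed too.
FIXED: Dict[str, List[str]] = {
    "CVE-2025-4230": ["10.1.14-h15", "10.2.14", "11.1.10", "11.2.6"],
    "PAN-OS data-plane DoS (CVE-TBD)": [
        "10.2.13-h3", "10.2.14",
        "11.1.4-h13", "11.1.6-h1", "11.1.7",
        "11.2.5",
    ],
}


def parse_version(text: str) -> Version:
    """'11.1.4-h13' -> (11, 1, 4, 13); '11.2.6' -> (11, 2, 6, 0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def status(installed: Version, fixed: List[str]) -> str:
    """'fixed', 'vulnerable', or 'train-not-listed'.

    Rule (assumed, matching how the page lists fixes): an entry without a
    hotfix fixes that maintenance release and every later one on the same
    major.minor train; an entry with '-hN' fixes only that maintenance
    release at hotfix N or higher. A train with no entry at all is simply
    not listed as affected on this page, which is not proof it is safe.
    """
    major, minor, maint, hotfix = installed
    train_listed = False
    for entry in fixed:
        fmajor, fminor, fmaint, fhotfix = parse_version(entry)
        if (fmajor, fminor) != (major, minor):
            continue
        train_listed = True
        if fhotfix == 0 and maint >= fmaint:
            return "fixed"
        if fhotfix > 0 and maint == fmaint and hotfix >= fhotfix:
            return "fixed"
    return "vulnerable" if train_listed else "train-not-listed"


def assess(version_text: str, fixed_table: Dict[str, List[str]] = FIXED) -> Dict[str, str]:
    """Status per advisory for one installed version string."""
    installed = parse_version(version_text)
    return {name: status(installed, fixes) for name, fixes in fixed_table.items()}


if __name__ == "__main__":
    # 10.2.13-h3 clears the DoS but not CVE-2025-4230; 11.1.5 clears neither
    # even though it sorts above 11.1.4-h13.
    for v in ["10.2.13-h3", "11.1.5", "11.1.4-h13", "11.2.6", "10.1.14-h15"]:
        print(f"{v:12s}", assess(v))
```

The version string to feed in is the one the firewall reports as its software version; Prisma Access and Cloud NGFW builds are maintained by Palo Alto Networks and are outside this check, as the page's own Prisma Access remediation entry indicates.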

Recommendations: Prioritize patching PAN-OS versions based on Clientless VPN usage., Disable Clientless VPN if not essential to operations., Deploy Threat Prevention signatures (IDs 510003, 510004) for affected systems., Conduct phishing simulation exercises to raise user awareness., Monitor for unusual activity in GlobalProtect portals/gateways.
Key Lessons Learned: The key lessons learned from past incidents are: Third-party SaaS integrations introduce significant supply chain risk, even for cybersecurity firms; OAuth token management requires stricter oversight and monitoring; Rapid revocation of compromised tokens is critical to limiting exposure; Customer communication and transparency are essential to maintaining trust post-breach; Criticality of prompt patching for network infrastructure vulnerabilities; Risks of DoS vulnerabilities enabling secondary attacks; Importance of maintenance windows for security updates; Clientless VPN introduces elevated risk for reflected XSS vulnerabilities; Proof-of-concept exploits in the wild necessitate proactive mitigation even before active exploitation is observed; User training remains critical for mitigating social engineering-based attacks.
Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: additional access controls limiting CLI access to essential personnel only, and immediate updates to patched software versions.

Source: Palo Alto Networks Customer Notification (via LinkedIn)
Date Accessed: 2025-08-23

Source: Google’s Threat Intelligence Group Investigation

Source: Palo Alto Networks Security Advisory

Source: Palo Alto Networks Security Advisory

Source: XBOW Research
Additional Resources: Stakeholders can find additional resources on cybersecurity best practices in the following sources: PagerDuty Public Report (date accessed 2025-08-23); Zscaler Official Blog (date accessed 2025-08-23); Palo Alto Networks Customer Notification (via LinkedIn) (date accessed 2025-08-23); Google’s Threat Intelligence Group Investigation; Palo Alto Networks Security Advisory; Palo Alto Networks Security Advisory; XBOW Research.

Investigation Status: Ongoing (Google’s Threat Intelligence Group and affected companies)

Investigation Status: Ongoing (no active exploitation detected; patches released)

Investigation Status: Ongoing (no confirmed malicious exploitation reported as of disclosure)
Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through public disclosures (PagerDuty, Zscaler, Palo Alto Networks), customer advisories (e.g., Palo Alto Networks via LinkedIn), recommendations for heightened phishing vigilance, a public advisory with remediation guidance, customer notifications for Prisma Access upgrades and a public advisory by Palo Alto Networks.

Stakeholder Advisories: Customers advised to monitor for phishing attempts (Zscaler, PagerDuty); Palo Alto Networks notified impacted customers directly; TransUnion disclosed breach to affected 4.4 million US consumers.
Customer Advisories: PagerDuty: 'We will never contact anyone by phone to request a password or any other secure details.'; Zscaler: 'No evidence of misuse found, but customers should maintain heightened vigilance for phishing.'; Palo Alto Networks: Reviewing internal safeguards to prevent future incidents.

Stakeholder Advisories: Public security advisory issued by Palo Alto Networks.
Customer Advisories: Direct notifications to Prisma Access customers for patch scheduling

Stakeholder Advisories: Palo Alto Networks customers using affected PAN-OS versions.
Customer Advisories: Apply mitigations immediately if Clientless VPN is enabled. Await official patches for long-term remediation.
Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: Customers advised to monitor for phishing attempts (Zscaler, PagerDuty); Palo Alto Networks notified impacted customers directly; TransUnion disclosed breach to affected 4.4 million US consumers; PagerDuty: 'We will never contact anyone by phone to request a password or any other secure details.'; Zscaler: 'No evidence of misuse found, but customers should maintain heightened vigilance for phishing.'; Palo Alto Networks: Reviewing internal safeguards to prevent future incidents; Public security advisory issued by Palo Alto Networks; Direct notifications to Prisma Access customers for patch scheduling; Palo Alto Networks customers using affected PAN-OS versions; Apply mitigations immediately if Clientless VPN is enabled; Await official patches for long-term remediation.

Entry Point: CLI access

Entry Point: Salesloft Drift (third-party SaaS application)
High Value Targets: Salesforce instances of cybersecurity/tech firms
Data Sold on Dark Web: Salesforce instances of cybersecurity/tech firms

Root Causes: Insufficient input validation within the PAN-OS CLI interface
Corrective Actions: Patching and restricting administrative access

Root Causes: Inadequate security controls for OAuth tokens in Salesloft Drift; Over-permissive third-party app integrations with Salesforce; Lack of real-time monitoring for anomalous token usage.
Corrective Actions: Disabled vulnerable integrations (Palo Alto Networks); Revoked compromised OAuth tokens; Enhanced authentication protocols (Zscaler); Third-party risk management investigations launched.

Root Causes: Improper checks for unusual conditions (CWE-754); Pointer manipulation vulnerability (CAPEC-129); Lack of input validation in data plane packet handling.
Corrective Actions: Code fixes in patched PAN-OS versions to validate data plane inputs; Enhanced testing for DoS resilience in firewall software; Proactive hotfix distribution for critical vulnerabilities.

Root Causes: Improper input neutralization in GlobalProtect Captive Portal web page generation; Lack of default protections against reflected XSS in Clientless VPN configurations.
Corrective Actions: Code-level fixes in upcoming PAN-OS patches; Enhanced Threat Prevention signatures for XSS detection.
Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as: Salesforce, Salesloft and Google’s Threat Intelligence Group; heightened vigilance for phishing (recommended to customers); XBOW researchers (vulnerability discovery); monitoring for exploitation attempts via Threat Prevention signatures.
Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Patching and restricting administrative access; Disabled vulnerable integrations (Palo Alto Networks); Revoked compromised OAuth tokens; Enhanced authentication protocols (Zscaler); Third-party risk management investigations launched; Code fixes in patched PAN-OS versions to validate data plane inputs; Enhanced testing for DoS resilience in firewall software; Proactive hotfix distribution for critical vulnerabilities; Code-level fixes in upcoming PAN-OS patches; Enhanced Threat Prevention signatures for XSS detection.
Last Attacking Group: The attacking groups in the last incidents were unauthenticated attackers and UNC6395.
Most Recent Incident Detected: The most recent incident detected was on 2025-08-20.
Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-08-23.
Most Significant Data Compromised: The most significant data compromised in an incident were Business contact details (names, email addresses, job titles, phone numbers), Sales account records, Case metadata, User Session Cookies and Credentials.
Most Significant System Affected: The most significant systems affected in an incident were Salesforce instances (via the third-party Salesloft Drift integration); PA-Series Firewalls, versions 10.2 (all ≤ 10.2.13), 11.1 (all ≤ 11.1.6), 11.2 (< 11.2.5); VM-Series Firewalls, versions 10.2 (all ≤ 10.2.13), 11.1 (all ≤ 11.1.6), 11.2 (< 11.2.5); Prisma Access, underlying PAN-OS versions (see above); and GlobalProtect Gateway, GlobalProtect Portal and Clientless VPN.
Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was Salesforce, Salesloft, Google’s Threat Intelligence Group and XBOW researchers (vulnerability discovery).
Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were: Disabled vulnerable Salesloft-Drift integration (Palo Alto Networks); Revoked affected OAuth tokens; Launched third-party risk management investigation (Zscaler); Urgent patching to remediated versions and hotfix application (e.g., 10.2.13-h3, 11.1.6-h1); and Disable Clientless VPN functionality and enable Threat Prevention IDs 510003 and 510004 (Applications and Threats content version 8970).
Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Sales account records, Case metadata, Credentials, Business contact details (names, email addresses, job titles, phone numbers) and User Session Cookies.
Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 4.4M.
Most Significant Lesson Learned: The most significant lesson learned from past incidents was User training remains critical for mitigating social engineering-based attacks.
Most Significant Recommendation Implemented: The most significant recommendations implemented to improve cybersecurity were: Implement least-privilege access controls for third-party apps connected to CRM systems like Salesforce., Monitor for unusual activity in GlobalProtect portals/gateways., Educate employees and customers on phishing risks following data breaches involving contact details., Implement additional access controls limiting CLI access to essential personnel only., Review decrypt policies and URL proxy configurations for exposure, Assess secondary attack surfaces exposed during firewall downtime, Prioritize remediation during next maintenance window for Prisma Access, Disable Clientless VPN if not essential to operations., Deploy Threat Prevention signatures (IDs 510003, 510004) for affected systems., Immediate updates to patched software versions, Monitor for signs of exploitation (unexpected reboots, maintenance mode), Conduct phishing simulation exercises to raise user awareness., Conduct third-party risk assessments for all SaaS integrations, especially those with OAuth access., Enhance authentication protocols for customer support interactions to prevent social engineering., Prioritize patching PAN-OS versions based on Clientless VPN usage., Monitor for anomalous OAuth token usage or unexpected API calls from integrated apps., Immediately upgrade to patched PAN-OS versions (10.2.14, 11.1.7 and 11.2.5+) or apply hotfixes.
Most Recent Source: The most recent sources of information about incidents are PagerDuty Public Report, Google’s Threat Intelligence Group Investigation, Palo Alto Networks Customer Notification (via LinkedIn), XBOW Research, Palo Alto Networks Security Advisory and Zscaler Official Blog.
Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing (Google’s Threat Intelligence Group and affected companies).
Most Recent Stakeholder Advisory: The most recent stakeholder advisories issued were: Customers advised to monitor for phishing attempts (Zscaler, PagerDuty); Palo Alto Networks notified impacted customers directly; TransUnion disclosed breach to affected 4.4 million US consumers; Public security advisory issued by Palo Alto Networks; Palo Alto Networks customers using affected PAN-OS versions.
Most Recent Customer Advisory: The most recent customer advisories issued were: PagerDuty: 'We will never contact anyone by phone to request a password or any other secure details.'; Zscaler: 'No evidence of misuse found, but customers should maintain heightened vigilance for phishing.'; Palo Alto Networks: Reviewing internal safeguards to prevent future incidents; Direct notifications to Prisma Access customers for patch scheduling; Apply mitigations immediately if Clientless VPN is enabled; Await official patches for long-term remediation.
Most Recent Entry Point: The most recent entry points used by an initial access broker were Salesloft Drift (third-party SaaS application) and CLI access.
Most Significant Root Cause: The most significant root causes identified in post-incident analysis were: Insufficient input validation within the PAN-OS CLI interface; Inadequate security controls for OAuth tokens in Salesloft Drift; Over-permissive third-party app integrations with Salesforce; Lack of real-time monitoring for anomalous token usage; Improper checks for unusual conditions (CWE-754); Pointer manipulation vulnerability (CAPEC-129); Lack of input validation in data plane packet handling; Improper input neutralization in GlobalProtect Captive Portal web page generation; Lack of default protections against reflected XSS in Clientless VPN configurations.
Most Significant Corrective Action: The most significant corrective actions taken based on post-incident analysis were: Patching and restricting administrative access; Disabled vulnerable integrations (Palo Alto Networks); Revoked compromised OAuth tokens; Enhanced authentication protocols (Zscaler); Third-party risk management investigations launched; Code fixes in patched PAN-OS versions to validate data plane inputs; Enhanced testing for DoS resilience in firewall software; Proactive hotfix distribution for critical vulnerabilities; Code-level fixes in upcoming PAN-OS patches; Enhanced Threat Prevention signatures for XSS detection.
ThingsBoard in versions prior to v4.2.1 allows an authenticated user to upload malicious SVG images via the "Image Gallery", leading to a Stored Cross-Site Scripting (XSS) vulnerability. The exploit can be triggered when any user accesses the public API endpoint of the malicious SVG images, or if the malicious images are embedded in an `iframe` element, during a widget creation, deployed to any page of the platform (e.g., dashboards), and accessed during normal operations. The vulnerability resides in the `ImageController`, which fails to restrict the execution of JavaScript code when an image is loaded by the user's browser. This vulnerability can lead to the execution of malicious code in the context of other users' sessions, potentially compromising their accounts and allowing unauthorized actions.
Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email address used when switching authentication methods and sending a request to the /users/login/sso/code-exchange endpoint. The vulnerability requires ExperimentalEnableAuthenticationTransfer to be enabled (default: enabled) and RequireEmailVerification to be disabled (default: disabled).
Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to restrict the visibility of team email addresses to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/{channel_id}/common_teams endpoint.
Exposure of email service credentials to users without administrative rights in Devolutions Server. This issue affects Devolutions Server: before 2025.2.21, before 2025.3.9.
Exposure of credentials in unintended requests in Devolutions Server. This issue affects Server: through 2025.2.20, through 2025.3.8.
