Mallory
Low

Expired certificate acceptance in PAN-OS Terminal Server Agent connection validation

Identifiers: CVE-2026-0228, CWE-295 · Improper Certificate Validation

An improper certificate validation issue in Palo Alto Networks PAN-OS allows Windows Terminal Server Agents to connect to PAN-OS using expired certificates, even when the PAN-OS configuration would normally reject such connections. This represents a failure to correctly enforce certificate validity period checks during agent authentication/connection establishment, enabling acceptance of certificates that should be considered invalid due to expiration.
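
The validity-period check described above, as an added example (not Palo Alto Networks or Mallory code): a Python audit that classifies Terminal Server Agent certificates by their notBefore/notAfter window so expired ones can be found and reissued. The host names, dates, `SAMPLE_NOW` and the `validity_status`/`audit_agents` helpers are constructed for illustration; the field layout is the one returned by `ssl.SSLSocket.getpeercert()`.

```python
import ssl

DAY = 86400  # seconds

# Constructed sample inventory: agent host -> certificate validity fields,
# in the string format ssl.SSLSocket.getpeercert() returns.
SAMPLE_AGENTS = {
    "tsagent-01.example.internal": {"notBefore": "Jan  1 00:00:00 2024 GMT",
                                    "notAfter": "Jan  1 00:00:00 2025 GMT"},
    "tsagent-02.example.internal": {"notBefore": "Jun  1 00:00:00 2025 GMT",
                                    "notAfter": "Jun  1 00:00:00 2027 GMT"},
    "tsagent-03.example.internal": {"notBefore": "Jan  1 00:00:00 2027 GMT",
                                    "notAfter": "Jan  1 00:00:00 2028 GMT"},
    "tsagent-04.example.internal": {"notBefore": "Mar 15 00:00:00 2025 GMT",
                                    "notAfter": "Mar 15 00:00:00 2026 GMT"},
}
# Constructed fixed audit time so the sample results are reproducible.
SAMPLE_NOW = ssl.cert_time_to_seconds("Mar  1 00:00:00 2026 GMT")


def validity_status(cert, now, warn_days=30):
    """Classify one certificate against its validity window at `now` (epoch seconds)."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not_before > not_after:
        return "malformed-window"
    if now < not_before:
        return "not-yet-valid"
    if now > not_after:
        return "expired"  # a correct validator rejects this connection
    if not_after - now <= warn_days * DAY:
        return "expiring-soon"  # renew before it starts failing validation
    return "valid"


def audit_agents(agents, now, warn_days=30):
    """Return {host: status} for every agent whose certificate is not plainly valid."""
    findings = {}
    for host, cert in agents.items():
        status = validity_status(cert, now, warn_days)
        if status != "valid":
            findings[host] = status
    return findings


if __name__ == "__main__":
    for host, status in sorted(audit_agents(SAMPLE_AGENTS, SAMPLE_NOW).items()):
        print(f"{host}: {status}")
```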


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Acceptance of expired certificates weakens certificate-based trust and can allow unauthorized or policy-bypassing Terminal Server Agent connections to PAN-OS. This may undermine administrative intent and security controls that rely on strict certificate validity enforcement for agent connectivity.

Mitigation

If you can’t patch tonight, do this now.

No mitigation information is currently available in the provided content beyond applying vendor updates and any mitigations referenced in the Palo Alto Networks advisories.

Remediation

Patch, then assume compromise.

Upgrade to a PAN-OS fixed release as indicated by Palo Alto Networks for the affected trains. Per the referenced advisories, the affected versions are PAN-OS 12.1 prior to 12.1.4; PAN-OS 11.2 prior to 11.2.8/11.2.10; PAN-OS 11.1 prior to 11.1.11; and PAN-OS 10.2 prior to 10.2.17. For Prisma Access on PAN-OS, upgrade to the fixed versions referenced; versions prior to 11.2.7-h10 and 10.2.10-h28 are affected.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

| Vendor | Product | Type |
| --- | --- | --- |
| Palo Alto Networks | Pan-Os | operating_system |
| Palo Alto Networks | Prisma Access | operating_system |

Vendor-confirmed product mapping.
