Platform: paloalto
Component: terminal-server-agent
Fixed in: 11.2.8, 11.1.11, 10.2.17, 10.2.10-h28
CVE-2026-0228 is a Remote Code Execution (RCE) vulnerability in the serialize-javascript npm package affecting versions up to and including 7.0.2. It stems from an incomplete fix for CVE-2020-7660 and lets an attacker inject JavaScript into the serialized output; successful exploitation can fully compromise the process that evaluates that output. The issue is fixed in version 7.0.3.
The root cause is improper handling of RegExp.flags during serialization. The RegExp.source property is sanitized, but the RegExp.flags property is interpolated directly into the generated output without escaping. If an attacker controls the object passed to serialize(), a RegExp whose flags property carries attacker-chosen text breaks out of the generated string literal, and the injected code runs wherever the serialized string is evaluated, typically via eval, new Function, or an inline <script> tag. That gives the attacker control of the execution environment: running arbitrary commands, reading sensitive data, or planting persistent backdoors. Because the serialized output is often emitted server-side in Node.js applications, the practical impact is remote code execution on the affected host.
The vulnerability was published on 2026-02-28. No active exploitation campaigns have been confirmed as of publication, but the trigger is simple once attacker-controlled objects reach serialize(), so public proof-of-concept (PoC) code and opportunistic exploitation should be expected. Check the NVD and CISA advisories for updates.
Organizations heavily reliant on Terminal Server Agents for remote access and management are at increased risk. Environments with legacy Windows systems or those that have not enforced strict certificate management practices are particularly vulnerable. Shared hosting environments where multiple users share the same Terminal Server Agent infrastructure could also be affected.
• paloalto / windows: Use Windows Event Viewer to monitor for successful connections from Terminal Server Agents with certificates nearing or past their expiration date. Filter for events related to certificate validation failures followed by successful connections.
Get-WinEvent -LogName Security -FilterXPath '//Event[System[EventID=5141]]'
• paloalto / linux: Examine Palo Alto Networks firewall logs for connections from Terminal Server Agents using certificates with expiration dates outside of the acceptable range. Use journalctl to filter for relevant log entries.
journalctl -u panfsd | grep "certificate expired"
• paloalto / generic web: Check the Palo Alto Networks firewall configuration for certificate validation policies. Ensure that policies reject expired certificates and that alerts are generated for any attempt to bypass them.
Disclosure
Exploit status
EPSS: 0.01% (1st percentile)
CISA SSVC
The primary mitigation for CVE-2026-0228 is to upgrade serialize-javascript to version 7.0.3 or later, which properly sanitizes the RegExp.flags property. If upgrading is not immediately feasible, validate input so that attacker-influenced RegExp objects never reach serialize(). A Web Application Firewall (WAF) tuned to block suspicious JavaScript in request data adds a partial, secondary layer of defense but is not a fix. Monitor Node.js application logs for unusual activity or errors around serialization. After upgrading, confirm the fix by serializing a RegExp object whose flags property contains a breakout payload and verifying that the payload is escaped or rejected in the generated output.
Upgrade PAN-OS to version 11.2.8 or later, or to 10.2.17, 10.2.10-h28 or 11.1.11, to correct the faulty certificate validation. This prevents Terminal Server Agents from connecting with expired certificates. Consult the Palo Alto Networks advisory for details on the upgrade.
CVE-2026-0228 is a vulnerability in Palo Alto Networks PAN-OS that allows connections from Windows Terminal Server Agents using expired certificates, bypassing normal security controls.
If you run Terminal Server Agents against a PAN-OS release that predates the fix in its release train (11.2.8, 11.1.11, 10.2.17 or 10.2.10-h28), you are potentially affected by this vulnerability.
Upgrade PAN-OS to 11.2.8 or later, or to the fixed release in your train (11.1.11, 10.2.17 or 10.2.10-h28), to resolve this vulnerability. Review the release notes before upgrading.
As of the public disclosure date, there are no confirmed reports of active exploitation, but the potential for exploitation exists.
Refer to the Palo Alto Networks Security Advisories page for the official advisory regarding CVE-2026-0228.