Palo Alto Networks and SonicWall Release Patches for High-Severity Firewall and VPN Vulnerabilities

Introduction

Palo Alto Networks and SonicWall have both published advisories this week for multiple vulnerabilities affecting their firewall, endpoint, and VPN products. The most critical flaws include a cryptographic signature bypass in Palo Alto's Cortex platform and a SQL injection bug in SonicWall's SMA1000 series that can escalate a read-only admin to full administrative control.

What Happened

Palo Alto Networks patched three vulnerabilities across its product line. The most severe is CVE-2026-0234, an improper verification of cryptographic signatures in the Microsoft Teams integration for Cortex XSOAR and Cortex XSIAM. Exploitation allows an attacker to access and tamper with protected resources within the SOAR/SIAM platforms. Two additional medium-severity flaws were fixed in the Autonomous Digital Experience Manager (ADEM) for Windows and the Cortex XDR agent for Windows — one enabling arbitrary code execution, the other allowing an attacker to disable the XDR agent entirely. Palo Alto also rolled in nearly three dozen Chromium security fixes affecting products with embedded browsers.

Separately, SonicWall patched four vulnerabilities in its SMA1000 series appliances. The headline issue is CVE-2026-4112, a high-severity SQL injection flaw that lets an attacker with read-only admin access escalate to primary administrator privileges. The remaining three bugs enable remote enumeration of SSL VPN user credentials and bypass of TOTP-based two-factor authentication.

Neither vendor has observed exploitation in the wild so far, but both are urging immediate updates.

Why It Matters

Firewalls, VPN concentrators, and SOAR platforms sit at the very edge of enterprise networks. A compromised firewall or VPN appliance gives attackers a foothold that is extremely difficult to detect — traffic through these devices is inherently trusted. The SonicWall SQL injection flaw is especially concerning: organizations that follow the principle of least privilege by giving junior admins read-only access now face the risk that those accounts can be escalated to full control. The Palo Alto XDR agent disable bug is similarly dangerous — if an attacker can kill the endpoint agent, the machine goes dark to the SOC.

Who Is Affected

  • Organizations running Palo Alto Cortex XSOAR or XSIAM with the Microsoft Teams integration
  • Endpoints with the Cortex XDR agent or ADEM installed on Windows
  • Any Palo Alto product using an embedded Chromium browser
  • Organizations using SonicWall SMA1000 series appliances for remote access or SSL VPN
  • Security teams relying on TOTP as their sole second factor for VPN authentication

How to Protect Yourself

1. Patch Palo Alto products

Check your current Cortex XSOAR/XSIAM versions and apply the latest updates from the Palo Alto security advisories:

https://security.paloaltonetworks.com/

For the Cortex XDR agent on Windows, update through your Cortex XDR management console or deploy the latest agent package.

2. Patch SonicWall SMA1000 appliances immediately

Log into your SonicWall management interface and apply the firmware update referenced in advisory SNWLID-2026-0003:

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0003

3. Audit admin accounts on SonicWall appliances

Review all accounts with any level of admin access. Remove stale or unnecessary accounts:

# List active sessions and admin accounts from the SMA management CLI
show status
show users

4. Don't rely on TOTP alone for VPN access

Given the TOTP bypass flaw, consider layering additional controls:

  • Require certificate-based authentication alongside TOTP
  • Restrict VPN access to managed devices via device posture checks
  • Monitor for authentication anomalies (multiple failed TOTP attempts, logins from unusual geolocations)
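As an added illustration of the monitoring bullet above (example code, not from the article or either vendor), here is a small Python detector run over constructed sample VPN authentication lines. The key=value log format, field names and per-user country baseline are assumptions; the real SMA1000 log format will differ and the regex must be adapted to it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical key=value syslog style (not the real SMA1000 format).
SAMPLE_LOG = """\
2026-03-02T08:00:01Z vpn-auth user=alice result=success factor=totp src=203.0.113.5 geo=US
2026-03-02T08:01:10Z vpn-auth user=bob result=fail factor=totp src=198.51.100.7 geo=DE
2026-03-02T08:01:15Z vpn-auth user=bob result=fail factor=totp src=198.51.100.7 geo=DE
2026-03-02T08:01:20Z vpn-auth user=bob result=fail factor=totp src=198.51.100.7 geo=DE
2026-03-02T08:02:00Z vpn-auth user=bob result=success factor=totp src=198.51.100.7 geo=DE
2026-03-02T09:15:00Z vpn-auth user=alice result=success factor=totp src=192.0.2.44 geo=BR
"""

# Baseline of countries each user normally connects from (constructed).
KNOWN_GEOS = {"alice": {"US"}, "bob": {"DE"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-auth user=(?P<user>\S+) result=(?P<result>\S+) "
    r"factor=(?P<factor>\S+) src=(?P<src>\S+) geo=(?P<geo>\S+)$"
)

def parse(log_text):
    """Parse matching lines into dicts with a datetime timestamp; unmatched lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events

def find_anomalies(events, known_geos, fail_threshold=3, window=timedelta(minutes=5)):
    """Return (kind, user, detail) alerts: 'totp_burst' when a user reaches
    fail_threshold TOTP failures inside `window`, and 'new_geo' when a
    successful login comes from a country outside the user's baseline."""
    alerts = []
    fails = defaultdict(list)  # user -> timestamps of recent TOTP failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["result"] == "fail" and ev["factor"] == "totp":
            fails[user] = [t for t in fails[user] if ev["ts"] - t <= window]  # drop old failures
            fails[user].append(ev["ts"])
            if len(fails[user]) == fail_threshold:  # fire once per burst, not on every further failure
                alerts.append(("totp_burst", user, f"{fail_threshold} TOTP failures within {window}"))
        elif ev["result"] == "success" and ev["geo"] not in known_geos.get(user, set()):
            alerts.append(("new_geo", user, f"login from {ev['geo']} via {ev['src']}"))
    return alerts
```

Both alert types are worth routing to the SOC while the TOTP bypass remains unpatched; a burst of failures followed by a success from an unfamiliar country is the pattern to prioritise.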

5. Verify the Cortex XDR agent is running and healthy

After patching, confirm the agent hasn't been tampered with:

# PowerShell: check Cortex XDR service status
Get-Service -Name "CortexXDR" | Select-Object Status, StartType

# Ensure the service is Running and set to Automatic

6. Subscribe to vendor security advisories

Bookmark both advisory pages and enable email notifications so you hear about future patches the day they drop, not weeks later.

Source

Palo Alto Networks, SonicWall Patch High-Severity Vulnerabilities — SecurityWeek