## https://sploitus.com/exploit?id=8681B30D-BF40-5DC7-9F64-48FDC9988ADB
CVE-2026-0265 Risk Checker for Palo Alto PAN-OS
A Python script that connects to a list of Palo Alto Networks firewalls and Panorama appliances over SSH and reports each device's exposure to CVE-2026-0265 β an authentication bypass vulnerability in PAN-OS affecting devices with the Cloud Authentication Service (CAS) enabled.
Rather than relying solely on a version match (which over-reports), the script also checks whether CAS is actually configured on each device and distinguishes between vulnerable, affected-but-not-exploitable, and safe.
---
Why this script exists
The official advisory lists every PAN-OS version below a fixed hotfix as "affected." In practice, the bug only matters if you've configured a CAS-based authentication profile. A naΓ―ve version scan flags every device on an older hotfix as vulnerable, leaving you no way to prioritize patching across a large fleet.
This script gives you the full picture in one pass:
AFFECTED BY CVE β purely a version-range check against the advisory.
CAS β does the device actually have a CAS authentication profile defined?
STATUS β combined verdict:
`VULNERABLE` β affected version and CAS configured (true exposure)
`NOT_EXPLOITABLE` β affected version, but no CAS profile is defined; the vulnerable code path is not reachable
`SAFE` β running a fixed or unaffected version
---
Features
Connects to every device in parallel (configurable worker count; default 8).
Single SSH session per device, runs only two read-only `show` commands β no configuration changes.
Handles HA-state prompts (e.g. `user@host(active)>`) and disables the PAN-OS pager so output isn't truncated.
Color-coded summary table (red / yellow / green) with separate `AFFECTED BY CVE`, `CAS`, and `STATUS` columns.
Works against both firewalls and Panorama (same CLI on both).
Cross-platform: Windows / macOS / Linux. ANSI colors auto-enabled on Windows 10+.
Graceful SSH exit β sends `exit` before closing so PAN-OS audit logs see a clean logout rather than a transport drop.
---
Requirements
Python 3.8 or newer
`paramiko` (`pip install paramiko`)
A read-only admin account that exists on every device in your list (TACACS+, RADIUS, SAML, or local β anything works as long as the same credentials authenticate everywhere).
SSH (TCP/22) reachability from wherever you run the script to each device's management interface.
---
Installation
```bash
git clone https://github.com/YOUR_USERNAME/palo-alto-cve-2026-0265-checker.git
cd palo-alto-cve-2026-0265-checker
pip install paramiko
```
---
Usage
Open `check_cve_2026_0265.py` and edit the `DEVICES` list near the top with your own hostnames and management IPs:
```python
DEVICES = [
("fw1-prod-region1", "192.0.2.10"),
("fw2-prod-region1", "192.0.2.11"),
("panorama1", "198.51.100.10"),
# ...
]
```
Optionally change `DEFAULT_USER` to your standard read-only admin account name.
Run the script:
```bash
python check_cve_2026_0265.py
```
Enter your SSH username and password when prompted. The same credentials are reused for every device.
---
Sample output
```
================================================================================
CVE-2026-0265 Risk Checker - Multi-device PAN-OS sweep
================================================================================
Devices in list: 6
Parallel workers: 8
SSH username for all devices [admin]:
Password for admin:
Checking devices (results appear as each finishes) ...
------------------------------------------------------------------------------
[ 1/ 6] fw1-prod-region1 192.0.2.10 NOT_EXPLOITABLE 11.1.4-h7 CAS:no
[ 2/ 6] fw2-prod-region1 192.0.2.11 NOT_EXPLOITABLE 11.1.4-h7 CAS:no
[ 3/ 6] fw1-prod-region2 192.0.2.20 SAFE 11.0.3-h10 CAS:no
[ 4/ 6] fw2-prod-region2 192.0.2.21 SAFE 11.0.3-h10 CAS:no
[ 5/ 6] panorama1-region1 198.51.100.10 NOT_EXPLOITABLE 11.2.7-h4 CAS:no
[ 6/ 6] panorama2-region2 198.51.100.20 NOT_EXPLOITABLE 11.2.7-h4 CAS:no
------------------------------------------------------------------------------
Completed in 18.4 seconds
================================================================================
CVE-2026-0265 Assessment Summary
================================================================================
-----------------------------------------------------------------------------------------------------
HOSTNAME MGMT IP VERSION AFFECTED BY CVE CAS STATUS FIX VERSION
-----------------------------------------------------------------------------------------------------
fw1-prod-region1 192.0.2.10 11.1.4-h7 yes no NOT_EXPLOITABLE 11.1.4-h33
fw2-prod-region1 192.0.2.11 11.1.4-h7 yes no NOT_EXPLOITABLE 11.1.4-h33
panorama1-region1 198.51.100.10 11.2.7-h4 yes no NOT_EXPLOITABLE 11.2.7-h13
panorama2-region2 198.51.100.20 11.2.7-h4 yes no NOT_EXPLOITABLE 11.2.7-h13
fw1-prod-region2 192.0.2.20 11.0.3-h10 no no SAFE -
fw2-prod-region2 192.0.2.21 11.0.3-h10 no no SAFE -
-----------------------------------------------------------------------------------------------------
Total: 6 | Vulnerable: 0 | Not exploitable: 4 | Safe: 2 | Errors: 0
-----------------------------------------------------------------------------------------------------
```
In a real terminal the `STATUS` column is color-coded:
Status Color Meaning
`VULNERABLE` bold red Affected version and CAS is configured β patch immediately
`NOT_EXPLOITABLE` yellow Affected version, but CAS is not configured β patch on next maintenance window
`SAFE` green Version is at or beyond the fixed hotfix for this CVE
Error states (`AUTH_FAIL`, `UNREACHABLE`, `PARSE_ERR`) are listed in the error-detail block below the table.
---
How it works
For each device, the script runs an interactive SSH session and issues two commands:
```text
show system info | match sw-
show config running | match cloud-authentication-service
```
The first returns a line like `sw-version: 11.1.4-h7`. The second is empty if no CAS-based authentication profile is configured on the device. The script combines these two answers against the affected-version table from the published advisory.
> **A note on CAS detection:** when a `match` filter has no hits, the device returns nothing other than the echoed command and the next prompt. The script accounts for the echoed command itself containing the keyword and only flags CAS as "configured" when the keyword appears more than once in the output.
---
Caveats
This script only validates the CVE-2026-0265 attack path (CAS-based authentication). A device returning `NOT_EXPLOITABLE` is not exploitable through this CVE in its current configuration, but it's still running affected code and should be patched on a normal maintenance cadence.
The CAS check looks for any `cloud-authentication-service` reference in the running config. It does not verify whether that profile is bound to a login interface (mgmt UI, Authentication Portal, GlobalProtect portal/gateway). A configured-but-unbound CAS profile is technically not exploitable either, but the script conservatively reports it as `VULNERABLE`.
HA pairs share configuration when sync is healthy, but the script checks each peer independently so you can confirm both sides actually agree.
This script does not log into the device using SSH keys or certificate-based auth β only password authentication is implemented. PRs welcome.
---
References
Palo Alto Networks Security Advisory: CVE-2026-0265
Palo Alto Networks: Best practices for securing administrative access
Cloud Identity Engine / Cloud Authentication Service overview
---
License
MIT β see LICENSE.
---
Disclaimer
This script is provided as-is for defensive security and operational use. It is not affiliated with or endorsed by Palo Alto Networks. Always confirm CVE applicability against the official vendor advisory before making patching decisions.