Skip to content

Feature/panos CVE 2026 0265 scanner#21610

Open
percx wants to merge 2 commits into
rapid7:masterfrom
percx:feature/panos-cve-2026-0265-scanner
Open

Feature/panos CVE 2026 0265 scanner#21610
percx wants to merge 2 commits into
rapid7:masterfrom
percx:feature/panos-cve-2026-0265-scanner

Conversation

@percx

@percx percx commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Description

This PR adds a new Metasploit auxiliary scanner module for safely detecting
CVE-2026-0265 affecting PAN-OS GlobalProtect portals when Clientless
Application Services (CAS) authentication is enabled.

The module performs a single anonymous request to the GlobalProtect
prelogin endpoint and determines whether a target is affected without
attempting exploitation, authentication bypass, session creation, or
modification of the target.

Detection is based on the public Palo Alto Networks security advisory and
the Bishop Fox CVE-2026-0265 detection utility. The module:

  • Detects whether the target is a GlobalProtect portal
  • Determines whether CAS authentication is enabled
  • Extracts the embedded PAN-OS version from the prelogin response
  • Compares the version against the advisory-defined patch and hotfix matrix
  • Reports vulnerable systems to the Metasploit database using report_vuln

This module is intended as a safe vulnerability detection utility and does
not exploit the vulnerability.

Related Issue:

None

Breaking Changes

None

Reviewer Notes

The module was tested against real PAN-OS systems representing vulnerable,
patched, and non-applicable configurations.

The implementation follows the public vendor advisory decision logic and
the Bishop Fox reference implementation while adapting it to Metasploit's
Auxiliary::Scanner framework.

Verification Steps

  1. Load the module:

    use auxiliary/scanner/http/panos_cve_2026_0265
    
  2. Configure the target:

    set RHOSTS <target>
    
  3. Execute:

    run
    
  4. Verify expected results:

    • Vulnerable systems report:

      Status: VULNERABLE
      
    • Patched systems report:

      Status: NOT VULNERABLE (PATCHED)
      
    • Systems with CAS disabled report:

      Status: NOT VULNERABLE (NOT-AFFECTED-NO-CAS)
      
    • Vulnerable targets are recorded in the Metasploit database.

Test Evidence

Successfully tested against:

  • PAN-OS GlobalProtect with CAS enabled and vulnerable version
  • PAN-OS GlobalProtect with CAS enabled and patched version
  • PAN-OS GlobalProtect with CAS disabled
  • Non-GlobalProtect / non-PAN-OS HTTPS target

Validation completed:

  • Module loads successfully in msfconsole
  • Ruby syntax (ruby -c)
  • msftidy
  • RuboCop
  • Vulnerability reporting (report_vuln)
  • Manual verification of expected output

Environment

Field Details
Operating System Ubuntu 25.10 (ARM64)
Target Software/Hardware PAN-OS GlobalProtect Portal (multiple versions including vulnerable, patched, and CAS-disabled systems)

AI Usage Disclosure

OpenAI ChatGPT was used as a development assistant to discuss implementation approaches, review Ruby code, improve documentation, and refine module formatting. The module logic, testing, validation, and final code review were performed by the submitter.

Pre-Submission Checklist

  • [x Included a corresponding documentation markdown file in documentation/modules (new modules only)
  • No sensitive information (IP addresses, credentials, API keys, hashes) in code or documentation
  • Tested on the target environment specified in the Environment section above
  • Included RSpec tests for library changes (not applicable)
  • Read the CONTRIBUTING.md and module acceptance guidelines

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Todo

Development

Successfully merging this pull request may close these issues.

2 participants