CVE-2026-0259

Summary

An arbitrary File Read and Delete Vulnerability in Palo Alto Networks WildFire® WF-500 and WF-500-B appliances enables users to read sensitive information and delete arbitrary files. This vulnerability affects WF-500 and WF-500-B appliances running in the default non-FIPS configuration mode.

The WildFire Appliance (WF-500, WF-500-B) software update is now available to customers that use the WildFire Appliance (WF-500, WF-500-B) for on-premise sandboxing.

Please note that customers using the WildFire Public cloud service are NOT impacted by this vulnerability.

Affected Software

VendorProductVersion RangeStatus
Palo Alto NetworksWildFire WF-500 and WF-500-B12.1.0 < 12.1.7, 12.1.4-h5affected
Palo Alto NetworksWildFire WF-500 and WF-500-B11.2.0 < 11.2.11,11.2.7-h7affected
Palo Alto NetworksWildFire WF-500 and WF-500-B11.1.0 < 11.1.13,11.1.10-h8affected
Palo Alto NetworksWildFire WF-500 and WF-500-B10.2.0 < 10.2.18-h6, 10.2.16-h7, 10.2.13-h21, 10.2.10-h36, 10.2.7-h34affected

Weaknesses

  • CWE-73: CWE-73 External Control of File Name or Path

Workarounds

For airgapped deployments, we strongly recommend that you secure WildFire 500 appliances by restricting access to only trusted internal IP addresses.

Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 510010 (Applications and Threats content version 9100-10044 and later).

Please note that this Threat ID requires SSL Decryption.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References