vulnerability
Palo Alto Networks PAN-OS: CVE-2023-38802: PAN-OS: Denial-of-Service (DoS) Vulnerability in BGP Software
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:L/Au:N/C:N/I:N/A:C) | Sep 13, 2023 | Jan 7, 2025 | Mar 25, 2026 |
Severity
8
CVSS
(AV:N/AC:L/Au:N/C:N/I:N/A:C)
Published
Sep 13, 2023
Added
Jan 7, 2025
Modified
Mar 25, 2026
Description
BGP software such as FRRouting FRR included as part of the PAN-OS, Prisma SD-WAN ION, and Prisma Access routing features enable a remote attacker to incorrectly reset network sessions though an invalid BGP update. This issue is applicable only to devices and appliances with BGP routing features enabled.
This issue requires the remote attacker to control at least one established BGP session that is propagated to the router to exploit it. The denial-of-service (DoS) impact on the network is dependent on the network's architecture and fault tolerant design.
Prisma Access ‘Security Processing Node Endpoint Remote Network (SP-RN/Branches)' and 'Service Connections (SCs/CANs)' nodes do not peer with the Internet and do not receive Internet routes directly unless explicitly configured by the customer. Prisma Access Nodes are commonly protected by unaffected customer-premise equipment (CPE router devices). Hence the impact of this issue on Prisma Access is limited.
Further details about this issue can be found at: https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling
This issue requires the remote attacker to control at least one established BGP session that is propagated to the router to exploit it. The denial-of-service (DoS) impact on the network is dependent on the network's architecture and fault tolerant design.
Prisma Access ‘Security Processing Node Endpoint Remote Network (SP-RN/Branches)' and 'Service Connections (SCs/CANs)' nodes do not peer with the Internet and do not receive Internet routes directly unless explicitly configured by the customer. Prisma Access Nodes are commonly protected by unaffected customer-premise equipment (CPE router devices). Hence the impact of this issue on Prisma Access is limited.
Further details about this issue can be found at: https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling
Solution
palo-alto-networks-pan-os-upgrade-latest
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.