
Outage in Palo Alto Networks

Content 9104 Pulled Out

Resolved Minor
May 20, 2026 - Started 23 days ago - Lasted 3 days


Latest Updates ( sorted recent to last )
RESOLVED 20 days ago - at 05/23/2026 01:05AM

Issue Description

On May 21, 2026, customers reported their traffic being blocked due to TID 97011: “D-Link Router DHCP Hostname Command Injection Vulnerability”. The TID was designed to block OS command injection attempts within the hostname fields of DHCP requests. However, the signature included a broad command-matching filter that led to false positives across customer environments, as it incorrectly triggered on legitimate hostnames containing overlapping character strings.

Findings and Technical Analysis

The D-Link Router DHCP Hostname Command Injection Vulnerability (TID 97011) is an OS command injection flaw that allows command execution attempts through the DHCP Hostname fields. This TID has coverage related to CVE-2025-69542 and CVE-2025-14659, which target D-Link devices such as the DIR-895LA1 and DIR-860LB1, respectively.

Previous Detection Logic

The initial detection logic for TID 97011 included a command-filtering string within DHCP hostname fields that lacked strict boundary delimiters.

Root Cause

The false positive (FP) occurred because the signature's command-validation logic triggered against legitimate hostnames containing the targeted command string as a substring. This broad matching behavior resulted in unintended traffic disruptions for multiple customers.

Proposed Solutions & Mitigation

We improved the signature logic to make it more resilient against false positives. The updated signature has been released with content 9105-10068.
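
The root cause described above (a command string matched as a substring, without boundary delimiters) can be reproduced with a small detection test. This is an added example, not Palo Alto Networks' signature logic or code from the incident report; the command tokens, the bounded pattern and the sample hostnames are constructed assumptions.

```python
import re

# Hypothetical command tokens; the real signature's string is not given in the report.
COMMAND_TOKENS = ("sh", "nc", "wget")
_ALT = "|".join(map(re.escape, COMMAND_TOKENS))

# Broad form: fires on a token anywhere in the hostname (substring match).
BROAD = re.compile(_ALT, re.IGNORECASE)
# Bounded form (assumed): the token must directly follow a shell metacharacter
# and end at a non-alphanumeric character or at the end of the field.
BOUNDED = re.compile(r"(?:[;|&`\n]|\$\()\s*(?:%s)(?![A-Za-z0-9])" % _ALT, re.IGNORECASE)


def dhcp_hostname(options):
    """Walk DHCP options (code, length, value); return option 12 (Host Name) or None."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == 255:              # End option
            break
        if code == 0:                # Pad option carries no length byte
            i += 1
            continue
        if i + 1 >= len(options):    # truncated: length byte missing
            break
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) < length:      # truncated value
            break
        if code == 12:
            return value.decode("latin-1")
        i += 2 + length
    return None


def opt12(name):
    """Build a constructed options blob: message type (53), host name (12), end (255)."""
    raw = name.encode("latin-1")
    return bytes([53, 1, 3, 12, len(raw)]) + raw + b"\xff"


def evaluate(names):
    """Return {hostname: (broad_hit, bounded_hit)} for each constructed sample."""
    out = {}
    for n in names:
        host = dhcp_hostname(opt12(n))
        out[n] = (bool(BROAD.search(host)), bool(BOUNDED.search(host)))
    return out


# Constructed samples: three ordinary hostnames, two with a delimiter-prefixed token.
SAMPLES = ["sharepoint-gw", "DESKTOP-NC4411", "finance-pc", "cam01;wget", "tv$(sh)"]
```

Running `evaluate(SAMPLES)` shows the broad pattern flagging all five hostnames, while the bounded pattern flags only the two that place a token after a shell metacharacter.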
