^{CVE-2024-9474:}Privilege escalation vulnerability in Palo Alto Networks PAN-OS web management interface that could allow a PAN-OS administrator with access to the management UI to perform actions on the firewall with root privileges; Cloud NGFW and Prisma Access are not affected; affects multiple PAN-OS releases prior to the fixes.

PAN-OS contains a privilege escalation flaw that can let a PAN-OS administrator who has access to the management web interface perform actions on the firewall with root privileges. This issue, classified as OS Command Injection (CWE-78), affects multiple PAN-OS branches and is exploitable over the network when the management interface is reachable from an attacker. Cloud NGFW and Prisma Access are not impacted. The risk is highest when the management interface is exposed to the Internet or available to untrusted networks. Palo Alto Networks has observed threat activity exploiting this vulnerability against some internet-facing management interfaces. Fixed versions include PAN-OS 10.1.14-h6, 10.2.12-h2, 11.0.6-h1, 11.1.5-h1, 11.2.4-h1, and later. The advisory also notes a broad upgrade path across maintenance releases to facilitate patching. Mitigations emphasize securing management access, specifically restricting management interface access to trusted internal IPs and following best-practice deployment guidelines for administrative access. The vulnerability is tracked under CVSS v4.0 with a medium base severity, highlighting the importance of timely patching and proper access controls.

Overview

This CVE details a privilege escalation vector in PAN-OS via the web management interface that enables a management UI administrator to execute actions with root privileges on the firewall. The issue is characterized as OS Command Injection and is triggered over the network, with the highest risk when the management interface is exposed to the Internet or to untrusted networks. Affected PAN-OS versions span multiple branches (10.1.x, 10.2.x, 11.0.x, 11.1.x, 11.2.x) prior to fixed releases. Cloud NGFW and Prisma Access are not affected. Exploitation has been observed against internet-facing management interfaces, reinforcing the need for immediate remediation. Palo Alto Networks provides fixed versions and a broad upgrade path, and recommends limiting management access to trusted internal IPs as a primary mitigation. The CVSS metrics reflect a network-based, high-privilege requirement with root-level impact under exploitation, and the vulnerability is associated with a high level of vigilance in monitoring exposed management interfaces.

Remediation

• Upgrade to a fixed PAN-OS version as soon as feasible. The affected lines have fixes in PAN-OS 10.1.14-h6, 10.2.12-h2, 11.0.6-h1, 11.1.5-h1, 11.2.4-h1, and all later PAN-OS versions. Coordinate with your change management process to plan a safe upgrade path across the supported branches (including intermediate maintenance releases if needed).
• If immediate upgrade is not possible, implement strong network-based mitigations:
  • Restrict management interface access to trusted internal IP addresses only; block or segregate internet exposure to mgmt interfaces.
  • Place management interfaces behind VPNs or jump hosts and disable direct internet access to the management plane.
  • Enforce best-practice administrative access controls (least privilege, break-glass procedures, MFA for admin accounts, and regular account auditing) per the vendor’s deployment guidelines.
• Proactively identify and remediate assets with internet-facing management interfaces:
  • Use the Asset Remediation workflow in the Customer Support Portal to locate devices flagged for remediation.
  • Apply compensating controls where patches are delayed, and implement monitoring for management-access activity.
• Validate fixes post-deployment:
  • Verify that PAN-OS has been updated to a fixed version on all affected devices.
  • Review management-interface access logs for unusual activity and ensure firewall policies prevent unauthorized exposure.
• Stay informed with the vendor’s advisories and follow up with additional maintenance releases as they become available to ensure continued protection.

References

• Palo Alto Networks advisory for CVE-2024-9474: https://security.paloaltonetworks.com/CVE-2024-9474
• CISA Known Exploited Vulnerabilities Catalog entry for CVE-2024-9474: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2024-9474
• WatchTower Labs: Pots and Pans aka an SSLVPN Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474: https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/
• GitHub exploit repository for CVE-2024-9474: https://github.com/k4nfr3/CVE-2024-9474
• Unit42 overview related to the CVE: https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/
• Palo Alto Networks LIVEcommunity guidance on securing management access: https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431
• PAN-OS best practices for administrative access: https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices