CVE-2024-9474:

Privilege escalation vulnerability in Palo Alto Networks PAN-OS web management interface that could allow a PAN-OS administrator with access to the management UI to perform actions on the firewall with root privileges; Cloud NGFW and Prisma Access are not affected; affects multiple PAN-OS releases prior to the fixes.

Score
A numerical rating that indicates how dangerous this vulnerability is.

7.2High

Published Date:Nov 18, 2024
CISA KEV Date:Nov 18, 2024
Industries Affected:20

Threat Predictions

EPSS Score:94.2
EPSS Percentile:100%

Exploitability

Score:1.2
Attack Vector:NETWORK
Attack Complexity:LOW
Privileges Required:HIGH
User Interaction:NONE
Scope:UNCHANGED

Impact

Score:5.9
Confidentiality Impact:HIGH
Integrity Impact:HIGH
Availability Impact:HIGH

Description Preview

Overview

This CVE details a privilege escalation vector in PAN-OS via the web management interface that enables a management UI administrator to execute actions with root privileges on the firewall. The issue is characterized as OS Command Injection and is triggered over the network, with the highest risk when the management interface is exposed to the Internet or to untrusted networks. Affected PAN-OS versions span multiple branches (10.1.x, 10.2.x, 11.0.x, 11.1.x, 11.2.x) prior to fixed releases. Cloud NGFW and Prisma Access are not affected. Exploitation has been observed against internet-facing management interfaces, reinforcing the need for immediate remediation. Palo Alto Networks provides fixed versions and a broad upgrade path, and recommends limiting management access to trusted internal IPs as a primary mitigation. The CVSS metrics reflect a network-based, high-privilege requirement with root-level impact under exploitation, and the vulnerability is associated with a high level of vigilance in monitoring exposed management interfaces.

Remediation

Upgrade to a fixed PAN-OS version as soon as feasible. The affected lines have fixes in PAN-OS 10.1.14-h6, 10.2.12-h2, 11.0.6-h1, 11.1.5-h1, 11.2.4-h1, and all later PAN-OS versions. Coordinate with your change management process to plan a safe upgrade path across the supported branches (including intermediate maintenance releases if needed).
If immediate upgrade is not possible, implement strong network-based mitigations:
Restrict management interface access to trusted internal IP addresses only; block or segregate internet exposure to mgmt interfaces.
Place management interfaces behind VPNs or jump hosts and disable direct internet access to the management plane.
Enforce best-practice administrative access controls (least privilege, break-glass procedures, MFA for admin accounts, and regular account auditing) per the vendor’s deployment guidelines.
Proactively identify and remediate assets with internet-facing management interfaces:
Use the Asset Remediation workflow in the Customer Support Portal to locate devices flagged for remediation.
Apply compensating controls where patches are delayed, and implement monitoring for management-access activity.
Validate fixes post-deployment:
Verify that PAN-OS has been updated to a fixed version on all affected devices.
Review management-interface access logs for unusual activity and ensure firewall policies prevent unauthorized exposure.
Stay informed with the vendor’s advisories and follow up with additional maintenance releases as they become available to ensure continued protection.