Latest Palo Alto Vulnerabilities #

On February 12, 2025, Palo Alto Networks (PAN) issued multiple security advisories for vulnerabilities in PAN-OS.

  • CVE-2025-0108 is rated high with a CVSS score of 7.8. Successful exploitation would allow a remote unauthenticated attacker with network access to the management web interface to bypass authentication and invoke certain PHP scripts.
  • CVE-2025-0109 is rated medium with a CVSS score of 5.5. Successful exploitation would allow a remote unauthenticated attacker with network access to the management web interface to delete certain files as the "nobody" user. This includes limited logs and configuration files but not system files.

What is the impact? #

An attacker that can access the web administration interface of a device running PAN-OS can execute certain scripts or delete certain files.

Are updates or workarounds available? #

Palo Alto has released updates to address these vulnerabilities, and strongly recommends that users update as quickly as possible. They also recommend that users restrict access to the management web interface to trusted internal IP addresses as quickly as possible, and prior to applying any updates.

How to find PAN-OS systems on your network #

From the Asset Inventory you can use the following query to locate potentially vulnerable systems:

os:"PAN-OS"



November 2024 (Multiple CVEs) #

On November 18, 2024, Palo Alto Networks (PAN) issued a security advisory for a vulnerability that allows an unauthenticated attacker with network access to the PAN-OS management web interface to gain administrator privileges on the device. CVE-2024-0012 is rated critical with a CVSS score of 9.3, and there is limited evidence that it is being exploited in the wild.

What is the impact? #

An attacker that can access the web administration interface of a device running PAN-OS can gain administrative privileges on the system. This gives the attacker control over the device and may also open paths to further exploitation: for example, CVE-2024-9474 is a privilege escalation that allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall as root, and the two have been chained together in observed attacks.

Palo Alto has indicated that there is limited evidence of exploitation of this vulnerability in the wild. Palo Alto's Unit 42 research organization has authored a writeup on the vulnerability that includes some Indicators of Compromise (IoCs).

Note that CISA (the Cybersecurity and Infrastructure Security Agency) has added CVE-2024-0012 and CVE-2024-9474 to their Known Exploited Vulnerabilities catalog.

Are updates or workarounds available? #

Palo Alto has released updates to address this vulnerability, and strongly recommends that users update as quickly as possible. They also recommend that users restrict access to vulnerable systems' web interfaces as quickly as possible, and prior to applying any updates.

How to find PAN-OS systems on your network #

From the Asset Inventory you can use the following query to locate potentially vulnerable systems:

os:"PAN-OS"



CVE-2024-5910, CVE-2024-9463, and CVE-2024-9465 #

Palo Alto Networks (PAN) updated a security advisory advising customers to restrict access to the management interface of Next-Generation Firewalls (NGFW) due to an actively exploited zero-day vulnerability.

CISA announced that CVE-2024-5910, which was patched in July, is actively being exploited and was added to the Known Exploited Vulnerabilities (KEV) Catalog. Although not directly affecting PAN-OS, this vulnerability affects the Expedition migration tool, which could contain API keys, administrator credentials, and/or PAN-OS device configuration information.

Additionally, CISA announced that both CVE-2024-9463 (CVSS 9.9) and CVE-2024-9465 (CVSS 9.2) are actively being exploited and were also added to the Known Exploited Vulnerabilities (KEV) Catalog. Both vulnerabilities also affect the Expedition migration tool.

What is the impact? #

Although no specific details of the remote code execution vulnerability were disclosed in the advisory, Palo Alto was investigating reports of a zero-day being exploited against the management interfaces of NGFWs exposed to the public Internet. That issue was later assigned CVE-2024-0012 and CVE-2024-9474, covered above.

CVE-2024-5910 allows a remote attacker to reset the application admin credentials on Expedition servers. CVE-2024-9463 allows a remote attacker to execute arbitrary OS commands as root on the Expedition host, and CVE-2024-9465 allows a remote attacker to read the contents of the Expedition database, which can include firewall credentials and API keys.

Are updates or workarounds available? #

Within the advisory, Palo Alto recommends restricting access to the management interface. Additionally, they advise following a set of best practices to secure the management interface.

Palo Alto Networks released a patch for CVE-2024-5910 in July.

How to find PAN-OS systems on your network #

From the Asset Inventory you can use the following query to locate potentially vulnerable systems:

os:"PAN-OS" type:"Firewall"

How to find Expedition servers on your network #

From the Service Inventory you can use the following query to locate potentially vulnerable systems:

html.title:="Expedition Project"

October 10, 2024 vulnerabilities #

Palo Alto Networks (PAN) released a security advisory covering multiple vulnerabilities in the Expedition migration tool that, chained together, could lead to takeover of PAN-OS firewall admin accounts.

  • CVE-2024-9463 is rated critical with a CVSS score of 9.9. It is an OS command injection vulnerability that potentially allows an unauthenticated attacker to execute arbitrary OS commands as root.
  • CVE-2024-9464 is rated critical with a CVSS score of 9.3. It is an OS command injection vulnerability that potentially allows an authenticated attacker to execute arbitrary OS commands as root.
  • CVE-2024-9465 is rated critical with a CVSS score of 9.2. It is a SQL injection vulnerability that potentially allows a remote unauthenticated attacker to read the contents of the Expedition database.
  • CVE-2024-9466 is rated high with a CVSS score of 8.2, and potentially allows an authenticated user to read sensitive information, including passwords and API keys, that Expedition stores in cleartext.
  • CVE-2024-9467 is rated high with a CVSS score of 7.0. It is a cross-site scripting (XSS) vulnerability that potentially allows execution of malicious JavaScript in a user's browser, which could result in session hijacking.

If chained together, these issues could let an unauthenticated remote attacker completely take over an Expedition server and, through the firewall credentials and API keys it stores, the PAN-OS firewalls it manages. The team that disclosed the vulnerabilities to Palo Alto Networks published a detailed analysis. According to the vendor, there was no known malicious exploitation of vulnerable systems at the time.

According to Palo Alto Networks, "The fixes for all listed issues are available in Expedition 1.2.96, and all later Expedition versions." They also recommended rotating all passwords and API keys after applying the patch to prevent future unauthorized access; any firewall credentials or API keys that were loaded into a vulnerable Expedition instance should be treated as exposed. Refer to the Workarounds and Mitigations section of the security advisory for potential workarounds and additional advice.


CVE-2024-3400 #

Palo Alto Networks (PAN) disclosed that certain versions of their PAN-OS software had a command injection vulnerability in the GlobalProtect feature.

CVE-2024-3400 was rated critical with a CVSS score of 10.0: an unauthenticated attacker could execute arbitrary code with root privileges on the firewall. The vendor indicated that there was evidence of limited exploitation in the wild.

watchTowr posted a detailed analysis including the details needed for exploitation. It covered two separate flaws that combine into the exploit: an arbitrary file creation vulnerability in the session handler (an attacker-controlled session identifier is used as a file name), and a shell metacharacter injection issue in the device telemetry script that turns the attacker-chosen file name into remote command execution. PAN updated its guidance to state that "Disabling device telemetry is no longer an effective mitigation".
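The two bug classes described above, modelled side by side with their hardened forms, as an added example. This is constructed illustration code, not PAN-OS code and not watchTowr's analysis: the session directory, the shape of the telemetry command and the identifier format are assumptions chosen only to make the pattern visible. The point it demonstrates is how the two defects compose: the file name produced by the first bug is exactly the string the second bug hands to a shell.

```python
import os
import re

# Constructed model (assumption): where a web application stores session files.
SESSION_DIR = "/var/app/sessions"

# Strict allow-list for a session identifier. Nothing that could traverse a
# directory or be interpreted by a shell survives this pattern.
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9]{16,64}$")

# Characters a POSIX shell treats as more than literal text.
SHELL_METACHARS = set("`$;|&<>()\n")


def session_path_vulnerable(session_id: str) -> str:
    """Bug 1: an attacker-controlled identifier is used as a file name without
    validation. A value containing '../' escapes SESSION_DIR, so the attacker
    chooses where the session file is created."""
    return os.path.normpath(os.path.join(SESSION_DIR, session_id))


def session_path_safe(session_id: str) -> str:
    """Fix: allow-list the identifier, then confirm the normalised path still
    sits directly inside SESSION_DIR. Both checks matter; the second catches
    any future loosening of the regex."""
    if not SESSION_ID_RE.fullmatch(session_id):
        raise ValueError("invalid session identifier")
    path = os.path.normpath(os.path.join(SESSION_DIR, session_id))
    if os.path.dirname(path) != SESSION_DIR:
        raise ValueError("session path escaped the session directory")
    return path


def telemetry_command_vulnerable(path: str) -> str:
    """Bug 2: the file name is interpolated into a single string handed to a
    shell. Backticks, $(), ';' and similar inside the name are executed."""
    return f"curl --data-binary @{path} https://telemetry.example.invalid/upload"


def telemetry_command_safe(path: str) -> list:
    """Fix: build an argv list for subprocess.run(argv, shell=False). Each
    element reaches curl verbatim, so metacharacters in the path are inert."""
    return ["curl", "--data-binary", f"@{path}",
            "https://telemetry.example.invalid/upload"]


def escapes_session_dir(path: str) -> bool:
    """True if a normalised path lies outside SESSION_DIR."""
    return os.path.dirname(path) != SESSION_DIR


def contains_shell_metachars(command: str) -> bool:
    """True if a shell would interpret part of this command string."""
    return any(ch in SHELL_METACHARS for ch in command)


def safe_rejects(session_id: str) -> bool:
    """True if the hardened session handler refuses this identifier."""
    try:
        session_path_safe(session_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: one honest identifier, one traversal, one shell payload.
    for sid in ("a1b2c3d4e5f6g7h8", "../../tmp/payload", "a1b2c3d4e5f6g7h8`id`"):
        vuln_path = session_path_vulnerable(sid)
        print(f"{sid!r}: vulnerable path {vuln_path} (escapes={escapes_session_dir(vuln_path)}),"
              f" hardened rejects={safe_rejects(sid)},"
              f" shell-interpreted={contains_shell_metachars(telemetry_command_vulnerable(vuln_path))}")
```

The lesson that matters for the mitigation history on this page: fixing only the second bug (disabling telemetry) leaves the arbitrary file write in place, which is why the vendor withdrew that guidance; the durable fix validates the identifier at the point of entry and never passes file names through a shell.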

The following PAN-OS versions were affected by this vulnerability.

Version        Affected        Unaffected
PAN-OS 11.1    < 11.1.2-h3     >= 11.1.2-h3 (hotfix ETA: by 4/14)
PAN-OS 11.0    < 11.0.4-h1     >= 11.0.4-h1 (hotfix ETA: by 4/14)
PAN-OS 10.2    < 10.2.9-h1     >= 10.2.9-h1 (hotfix ETA: by 4/14)
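Applying the table above to an exported inventory is where mistakes usually happen, because PAN-OS hotfix suffixes ("-h1", "-h3") must take part in the comparison: "10.2.9" is affected while "10.2.9-h1" is not, and stripping the suffix makes them look identical. The following is an added example, not runZero's or Palo Alto's code, that parses PAN-OS version strings with the hotfix number as a fourth component and triages a constructed sample inventory against the three fixed releases listed in the table.

```python
import re

# First fixed release per branch, exactly as the table above lists them.
# Anything below the fixed release on that branch is affected.
FIRST_FIXED = {
    (11, 1): "11.1.2-h3",
    (11, 0): "11.0.4-h1",
    (10, 2): "10.2.9-h1",
}

# PAN-OS versions look like MAJOR.MINOR.MAINT with an optional -hN hotfix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str):
    """Turn '11.1.2-h3' into (11, 1, 2, 3). A release without a hotfix gets
    hotfix 0, so '10.2.9' sorts below '10.2.9-h1' under plain tuple comparison.
    Anything else (e.g. candidate builds) is rejected rather than guessed at."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def cve_2024_3400_status(version: str) -> str:
    """'affected', 'fixed', or 'unlisted' (a branch the table does not name;
    the page lists only 11.1, 11.0 and 10.2 as affected)."""
    parsed = parse_panos_version(version)
    fixed = FIRST_FIXED.get(parsed[:2])
    if fixed is None:
        return "unlisted"
    return "affected" if parsed < parse_panos_version(fixed) else "fixed"


def triage_inventory(rows):
    """rows: (asset, version) pairs such as an asset-inventory export.
    Returns the affected assets, oldest build first, so the longest-exposed
    devices are at the top of the patch list."""
    hits = [(asset, version) for asset, version in rows
            if cve_2024_3400_status(version) == "affected"]
    return sorted(hits, key=lambda row: parse_panos_version(row[1]))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("fw-edge-01", "11.1.2-h3"),
    ("fw-edge-02", "11.1.2"),
    ("fw-dc-01", "10.2.9-h1"),
    ("fw-dc-02", "10.2.8"),
    ("fw-lab-01", "11.0.4"),
    ("fw-old-01", "10.1.11"),
]

if __name__ == "__main__":
    for asset, version in triage_inventory(SAMPLE_INVENTORY):
        print(f"{asset}: PAN-OS {version} is affected by CVE-2024-3400")
```

The table reflects the advisory as it stood at the time; Palo Alto Networks subsequently published hotfixes for additional maintenance releases on these branches, so treat "fixed" and "unlisted" as answers against this snapshot and re-check the current vendor advisory before closing a finding.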

Palo Alto Networks initially indicated that only PAN-OS 11.1, 11.0, and 10.2 firewalls configured with a GlobalProtect gateway and with device telemetry enabled were affected. The telemetry condition was later dropped, as noted above, and the advisory was broadened to cover firewalls configured with a GlobalProtect gateway or a GlobalProtect portal.

Customers could verify this by checking for entries in the firewall web interface (Network > GlobalProtect > Gateways and Network > GlobalProtect > Portals) and could check whether device telemetry was enabled in the firewall web interface (Device > Setup > Telemetry).

Palo Alto Networks recommended that customers with a Threat Prevention subscription block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682) and applying a vulnerability protection profile to GlobalProtect interfaces.

Initially it was also recommended that telemetry be disabled until devices could be upgraded to an unaffected version of PAN-OS; PAN later withdrew that advice, so upgrading is the only complete fix.

Written by Blain Smith

Blain Smith is a Security Research Engineer at runZero. He spent most of his career in cloud and distributed systems for AAA gaming, entertainment, and networking, working on some of the most popular games and systems millions of people play and watch daily. He has given numerous talks at conferences such as TEDx, GopherCon, and P99CONF. His shift into infosec has afforded him the ability to apply his distributed systems and networking knowledge to other industries such as IoT and OT.

Written by runZero Team

Due to the nature of their research and out of respect for their privacy, runZero team members prefer to remain anonymous. Their work is published under the runZero name.

Written by Tom Sellers

Tom Sellers is a Principal Research Engineer at runZero. In his 25 years in IT and Security he has built, broken, and defended networks for companies in the finance, service provider, and security software industries. He has built and operated Internet-scale scanning and honeypot projects. He is credited on many patents for network deception technology. A strong believer in Open Source, he has contributed to projects such as Nmap, Metasploit, and Recog.
© Copyright 2025 runZero, Inc. All Rights Reserved