CVE-2024-0012
CVE-2024-0012 is a critical-severity vulnerability in Paloaltonetworks Pan-os with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-11-18). The underlying weakness is classified as CWE-306.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v4: 9.3
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2024-11-18)
- EU (EUVD) id: EUVD-2024-15815
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2024-11-18)
- Weakness: CWE-306
- Affected product: Paloaltonetworks Pan-os
- Published:
- Last modified:
Description
An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474 https://security.paloaltonetworks.com/CVE-2024-9474 . The risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 . This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software. Cloud NGFW and Prisma Access are not impacted by this vulnerability.
CVE-2024-0012: Palo Alto PAN-OS Management Interface Authentication Bypass
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2024-0012 |
| Vendor | Palo Alto Networks |
| Product | PAN-OS |
| CVSS v3 | 9.8 (CRITICAL) |
| CVSS v4 | 9.3 (CRITICAL) |
| CWE | CWE-306: Missing Authentication for Critical Function |
| EPSS | 0.99698 (99.95th percentile) |
| KEV | Yes — CISA KEV (2024-11-18) |
| EU Exploited | Yes (since 2024-11-18) |
Summary
CVE-2024-0012 is a critical authentication bypass vulnerability in the management web interface of Palo Alto Networks PAN-OS firewall software. An unauthenticated attacker with network reachability to the management interface can bypass authentication entirely and gain PAN-OS administrator privileges. This enables arbitrary administrative actions, configuration tampering, and chaining with other authenticated privilege escalation vulnerabilities such as CVE-2024-9474.
Background
PAN-OS is the operating system powering Palo Alto Networks' next-generation firewalls and Prisma Access edge devices. The management web interface provides administrators with a centralised control plane for policy configuration, monitoring, and device maintenance. Because this interface is intended to be reachable only from trusted internal networks under recommended deployment practices, its exposure to untrusted networks significantly increases organisational risk.
This vulnerability was disclosed by Palo Alto Networks PSIRT on 18 November 2024 alongside CVE-2024-9474, an authenticated command injection issue. The two vulnerabilities have been actively exploited in the wild as a combined attack chain.
Root Cause
CWE-306: Missing Authentication for Critical Function
The root cause lies in a flaw within the management web interface's authentication enforcement logic. Under specific request conditions, the interface fails to validate that an incoming session is authenticated before granting access to privileged administrative endpoints. This effectively treats an unauthenticated request as an authenticated, highly privileged session. The defect is present in the web-application layer of PAN-OS and does not require valid credentials, session tokens, or prior access to exploit.
Impact
The CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H yields a base score of 9.8 (Critical):
- Attack Vector (AV): Network — exploitable remotely without physical or adjacent network access.
- Attack Complexity (AC): Low — no special conditions, race conditions, or advanced techniques required.
- Privileges Required (PR): None — no valid credentials needed.
- User Interaction (UI): None — fully automated exploitation possible.
- Scope (S): Unchanged — impact remains within the vulnerable component.
- Confidentiality, Integrity, Availability (C/I/A): All High — full administrative control permits data exfiltration, configuration modification, and service disruption.
The CVSS v4.0 score of 9.3 (Critical) reaffirms the severity, with high impacts on vendor-controlled confidentiality, integrity, and availability (VC:H/VI:H/VA:H).
Successful exploitation grants an attacker the equivalent of a PAN-OS superuser, allowing:
- Modification of security policies and NAT rules
- Creation of backdoor administrator accounts
- Exfiltration of configuration backups and logs
- Pivot to CVE-2024-9474 for OS-level command execution
Exploitation Walkthrough (Defensive Perspective)
Ethics caveat: The following description is provided for defensive awareness, detection engineering, and patch prioritisation only. No weaponised exploit code is included.
- Reconnaissance: The attacker identifies a publicly reachable or internally accessible PAN-OS management web interface (typically TCP/443 on the management IP).
- Triggering the bypass: The attacker sends a crafted HTTP request to an administrative endpoint. Due to the authentication logic flaw, the request is processed as an authenticated administrative session without presenting valid credentials.
- Session establishment: The attacker obtains a valid administrative session or token, enabling full GUI or API access.
- Post-exploitation: With administrative access, the attacker may export configurations, modify policies, create persistence mechanisms, or chain to CVE-2024-9474 for root-level shell access.
Detection opportunities exist at each stage: unexpected source IPs hitting /php/login.php or /api/ paths, rapid sequential requests without prior successful login events, and anomalous administrative API calls from new sessions.
Affected and Patched Versions
Affected:
- PAN-OS 10.2 (all maintenance and hotfix versions through 10.2.12-h1)
- PAN-OS 11.0 (all maintenance and hotfix versions through 11.0.6)
- PAN-OS 11.1 (all maintenance and hotfix versions through 11.1.5)
- PAN-OS 11.2 (all maintenance and hotfix versions through 11.2.4)
Not Affected:
- PAN-OS 9.1 and earlier
- PAN-OS 10.0, 10.1
- Cloud NGFW
- Prisma Access
Patched:
- Upgrade to a fixed release as advised by Palo Alto Networks PSIRT (refer to vendor security advisory for specific hotfix availability).
Remediation
- Upgrade immediately to a patched PAN-OS version per Palo Alto Networks guidance. Prioritise firewalls with management interfaces exposed to broader network segments.
- Restrict management access to strictly trusted internal IP addresses or dedicated out-of-band management networks. This is the vendor's recommended best-practice deployment guideline and materially reduces exploitability.
- Disable management interface exposure to untrusted or public-facing networks entirely where possible.
- Review administrator accounts for unauthorised additions or privilege changes.
- Audit security policies and NAT rules for unexpected modifications.
- Rotate credentials for all PAN-OS administrative accounts, API keys, and associated service accounts as a precautionary control.
Detection
- Network: Monitor for inbound HTTP/HTTPS connections to PAN-OS management IPs from unexpected source ranges.
- Logs: Correlate successful administrative API or GUI actions with absent or failed preceding authentication events.
- SIEM rules: Alert on rapid sequences of requests to
/php/login.phpfollowed by administrative API calls (/api/?type=op,/api/?type=config) from the same source without an intervening login success. - Endpoint/Host: Compare running configuration against known-good backups to detect tampered policies or added accounts.
Assessment
With an EPSS score of 0.99698 (99.95th percentile) and confirmed inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog within hours of disclosure, CVE-2024-0012 represents an exceptionally high-probability, high-impact threat. The EU's concurrent exploitation flag (EUVD-2024-15815, active since 2024-11-18) further confirms that threat actors are weaponising this flaw at scale.
Key lessons:
- Management plane exposure remains one of the highest-risk configurations in network security appliances. Even "temporary" or "convenience" exposure to broader networks creates critical attack surface.
- Authentication bypasses in privileged interfaces are among the most severe vulnerability classes because they collapse the entire trust boundary of the device. Network segmentation and strict access controls are essential compensating controls, but they do not replace timely patching.
References
- https://security.paloaltonetworks.com/CVE-2024-0012
- https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/
- https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-0012
Frequently asked questions
- What is CVE-2024-0012?
- An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474 https://security.paloaltonetworks.com/CVE-2024-9474 . The risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 . This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software. Cloud NGFW and Prisma Access are not impacted by this vulnerability.
- How severe is CVE-2024-0012?
- CVE-2024-0012 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2024-0012 being actively exploited?
- Yes. CVE-2024-0012 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-11-18, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2024-0012?
- CVE-2024-0012 primarily affects Paloaltonetworks Pan-os. In total, 117 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2024-0012?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2024-0012 have an EU (EUVD) identifier?
- Yes. CVE-2024-0012 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-15815. It is also flagged as exploited in the EUVD (since 2024-11-18).
- When was CVE-2024-0012 published?
- CVE-2024-0012 was published on 2024-11-18 and last updated on 2026-06-17.
References
- https://security.paloaltonetworks.com/CVE-2024-0012
- https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/
- https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-0012
Affected products (117)
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:-:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h1:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h2:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h3:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:-:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:h1:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:h2:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:-:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h1:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h2:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h4:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h5:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:-:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h11:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h12:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h13:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h2:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h4:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h9:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:-:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h10:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h16:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h2:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h3:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h4:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:-:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h1:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h4:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h6:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:-:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:h1:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:h3:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:-:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h1:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h12:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h16:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h3:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h6:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h8:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:-:*:*:*:*:*:*
More vulnerabilities in Paloaltonetworks Pan-os
- CVE-2024-3400 — Critical (CVSS 10.0): A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto…
- CVE-2020-2021 — Critical (CVSS 10.0): When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider…
- CVE-2019-17440 — Critical (CVSS 10.0): Improper restriction of communications to Log Forwarding Card (LFC) on PA-7000 Series devices with second-generation…
- CVE-2012-6603 — Critical (CVSS 10.0): The web management UI in Palo Alto Networks PAN-OS before 3.1.12, 4.0.x before 4.0.10, and 4.1.x before 4.1.4 allows…
- CVE-2012-6601 — Critical (CVSS 10.0): The device-management command-line interface in Palo Alto Networks PAN-OS before 3.1.12, 4.0.x before 4.0.10, and 4.1.x…
- CVE-2012-6593 — Critical (CVSS 10.0): Palo Alto Networks PAN-OS before 3.1.10 and 4.0.x before 4.0.4 allows remote attackers to execute arbitrary commands…
All CVEs affecting Paloaltonetworks Pan-os →
Other CWE-306 (Missing Authentication for Critical Function) vulnerabilities
- CVE-2026-54309 — Critical (CVSS 10.0): n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, when @n8n/mcp-browser is run in HTTP…
- CVE-2026-50242 — Critical (CVSS 10.0): In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429…
- CVE-2026-49257 — Critical (CVSS 10.0): mcp-pinot is a Python-based Model Context Protocol (MCP) server for interacting with Apache Pinot. In versions 3.0.1…
- CVE-2026-46846 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework).…
- CVE-2026-46803 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework).…
- CVE-2026-46800 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites).…
Browse all CWE-306 (Missing Authentication for Critical Function) vulnerabilities →