CVE-2024-0012

CVE-2024-0012 is a critical-severity vulnerability in Paloaltonetworks Pan-os with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-11-18). The underlying weakness is classified as CWE-306.

Key facts

Description

An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474 https://security.paloaltonetworks.com/CVE-2024-9474 . The risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended  best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 . This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software. Cloud NGFW and Prisma Access are not impacted by this vulnerability.

CVE-2024-0012: Palo Alto PAN-OS Management Interface Authentication Bypass

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2024-0012
Vendor Palo Alto Networks
Product PAN-OS
CVSS v3 9.8 (CRITICAL)
CVSS v4 9.3 (CRITICAL)
CWE CWE-306: Missing Authentication for Critical Function
EPSS 0.99698 (99.95th percentile)
KEV Yes — CISA KEV (2024-11-18)
EU Exploited Yes (since 2024-11-18)

Summary

CVE-2024-0012 is a critical authentication bypass vulnerability in the management web interface of Palo Alto Networks PAN-OS firewall software. An unauthenticated attacker with network reachability to the management interface can bypass authentication entirely and gain PAN-OS administrator privileges. This enables arbitrary administrative actions, configuration tampering, and chaining with other authenticated privilege escalation vulnerabilities such as CVE-2024-9474.

Background

PAN-OS is the operating system powering Palo Alto Networks' next-generation firewalls and Prisma Access edge devices. The management web interface provides administrators with a centralised control plane for policy configuration, monitoring, and device maintenance. Because this interface is intended to be reachable only from trusted internal networks under recommended deployment practices, its exposure to untrusted networks significantly increases organisational risk.

This vulnerability was disclosed by Palo Alto Networks PSIRT on 18 November 2024 alongside CVE-2024-9474, an authenticated command injection issue. The two vulnerabilities have been actively exploited in the wild as a combined attack chain.

Root Cause

CWE-306: Missing Authentication for Critical Function

The root cause lies in a flaw within the management web interface's authentication enforcement logic. Under specific request conditions, the interface fails to validate that an incoming session is authenticated before granting access to privileged administrative endpoints. This effectively treats an unauthenticated request as an authenticated, highly privileged session. The defect is present in the web-application layer of PAN-OS and does not require valid credentials, session tokens, or prior access to exploit.

Impact

The CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H yields a base score of 9.8 (Critical):

  • Attack Vector (AV): Network — exploitable remotely without physical or adjacent network access.
  • Attack Complexity (AC): Low — no special conditions, race conditions, or advanced techniques required.
  • Privileges Required (PR): None — no valid credentials needed.
  • User Interaction (UI): None — fully automated exploitation possible.
  • Scope (S): Unchanged — impact remains within the vulnerable component.
  • Confidentiality, Integrity, Availability (C/I/A): All High — full administrative control permits data exfiltration, configuration modification, and service disruption.

The CVSS v4.0 score of 9.3 (Critical) reaffirms the severity, with high impacts on vendor-controlled confidentiality, integrity, and availability (VC:H/VI:H/VA:H).

Successful exploitation grants an attacker the equivalent of a PAN-OS superuser, allowing:

  • Modification of security policies and NAT rules
  • Creation of backdoor administrator accounts
  • Exfiltration of configuration backups and logs
  • Pivot to CVE-2024-9474 for OS-level command execution

Exploitation Walkthrough (Defensive Perspective)

Ethics caveat: The following description is provided for defensive awareness, detection engineering, and patch prioritisation only. No weaponised exploit code is included.

  1. Reconnaissance: The attacker identifies a publicly reachable or internally accessible PAN-OS management web interface (typically TCP/443 on the management IP).
  2. Triggering the bypass: The attacker sends a crafted HTTP request to an administrative endpoint. Due to the authentication logic flaw, the request is processed as an authenticated administrative session without presenting valid credentials.
  3. Session establishment: The attacker obtains a valid administrative session or token, enabling full GUI or API access.
  4. Post-exploitation: With administrative access, the attacker may export configurations, modify policies, create persistence mechanisms, or chain to CVE-2024-9474 for root-level shell access.

Detection opportunities exist at each stage: unexpected source IPs hitting /php/login.php or /api/ paths, rapid sequential requests without prior successful login events, and anomalous administrative API calls from new sessions.

Affected and Patched Versions

Affected:

  • PAN-OS 10.2 (all maintenance and hotfix versions through 10.2.12-h1)
  • PAN-OS 11.0 (all maintenance and hotfix versions through 11.0.6)
  • PAN-OS 11.1 (all maintenance and hotfix versions through 11.1.5)
  • PAN-OS 11.2 (all maintenance and hotfix versions through 11.2.4)

Not Affected:

  • PAN-OS 9.1 and earlier
  • PAN-OS 10.0, 10.1
  • Cloud NGFW
  • Prisma Access

Patched:

  • Upgrade to a fixed release as advised by Palo Alto Networks PSIRT (refer to vendor security advisory for specific hotfix availability).

Remediation

  1. Upgrade immediately to a patched PAN-OS version per Palo Alto Networks guidance. Prioritise firewalls with management interfaces exposed to broader network segments.
  2. Restrict management access to strictly trusted internal IP addresses or dedicated out-of-band management networks. This is the vendor's recommended best-practice deployment guideline and materially reduces exploitability.
  3. Disable management interface exposure to untrusted or public-facing networks entirely where possible.
  4. Review administrator accounts for unauthorised additions or privilege changes.
  5. Audit security policies and NAT rules for unexpected modifications.
  6. Rotate credentials for all PAN-OS administrative accounts, API keys, and associated service accounts as a precautionary control.

Detection

  • Network: Monitor for inbound HTTP/HTTPS connections to PAN-OS management IPs from unexpected source ranges.
  • Logs: Correlate successful administrative API or GUI actions with absent or failed preceding authentication events.
  • SIEM rules: Alert on rapid sequences of requests to /php/login.php followed by administrative API calls (/api/?type=op, /api/?type=config) from the same source without an intervening login success.
  • Endpoint/Host: Compare running configuration against known-good backups to detect tampered policies or added accounts.

Assessment

With an EPSS score of 0.99698 (99.95th percentile) and confirmed inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog within hours of disclosure, CVE-2024-0012 represents an exceptionally high-probability, high-impact threat. The EU's concurrent exploitation flag (EUVD-2024-15815, active since 2024-11-18) further confirms that threat actors are weaponising this flaw at scale.

Key lessons:

  • Management plane exposure remains one of the highest-risk configurations in network security appliances. Even "temporary" or "convenience" exposure to broader networks creates critical attack surface.
  • Authentication bypasses in privileged interfaces are among the most severe vulnerability classes because they collapse the entire trust boundary of the device. Network segmentation and strict access controls are essential compensating controls, but they do not replace timely patching.

References

Frequently asked questions

What is CVE-2024-0012?
An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474 https://security.paloaltonetworks.com/CVE-2024-9474 . The risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended  best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 . This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software. Cloud NGFW and Prisma Access are not impacted by this vulnerability.
How severe is CVE-2024-0012?
CVE-2024-0012 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2024-0012 being actively exploited?
Yes. CVE-2024-0012 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-11-18, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2024-0012?
CVE-2024-0012 primarily affects Paloaltonetworks Pan-os. In total, 117 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2024-0012?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2024-0012 have an EU (EUVD) identifier?
Yes. CVE-2024-0012 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-15815. It is also flagged as exploited in the EUVD (since 2024-11-18).
When was CVE-2024-0012 published?
CVE-2024-0012 was published on 2024-11-18 and last updated on 2026-06-17.

References

Affected products (117)

More vulnerabilities in Paloaltonetworks Pan-os

All CVEs affecting Paloaltonetworks Pan-os →

Other CWE-306 (Missing Authentication for Critical Function) vulnerabilities

Browse all CWE-306 (Missing Authentication for Critical Function) vulnerabilities →