CVE-2024-9474
CVE-2024-9474 is a high-severity vulnerability in Paloaltonetworks Pan-os with a CVSS 3.x base score of 7.2. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-11-18). The underlying weakness is classified as CWE-78.
Key facts
- Severity: High (CVSS 3.x base score 7.2)
- CVSS v4: 6.9
- EPSS exploit prediction: 95% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2024-11-18)
- EU (EUVD) id: EUVD-2024-50354
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2024-11-18)
- Weakness: CWE-78
- Affected product: Paloaltonetworks Pan-os
- Published:
- Last modified:
Description
A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges. Cloud NGFW and Prisma Access are not impacted by this vulnerability.
CVE-2024-9474: PAN-OS Management Interface Privilege Escalation (CWE-78)
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2024-9474 |
| Vendor | Palo Alto Networks |
| Product | PAN-OS |
| CWE | CWE-78 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| CVSS 3.1 | 7.2 (HIGH) — AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| CVSS 4.0 | 6.9 (MEDIUM) |
| EPSS | 0.94766 (99.85th percentile) |
| CISA KEV | Listed (2024-11-18) |
| EU Exploited | Yes (since 2024-11-18) |
| Published | 2024-11-18 |
Summary
A privilege escalation vulnerability exists in Palo Alto Networks PAN-OS software that allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges. Cloud NGFW and Prisma Access are not impacted by this vulnerability.
Background
PAN-OS is the operating system that powers Palo Alto Networks' next-generation firewalls. The management web interface provides administrators with a browser-based console for device configuration, policy management, and monitoring. Because this interface operates at a high trust boundary within the network architecture, any vulnerability that bypasses role-based access controls carries disproportionate risk. This flaw was disclosed alongside related issues and has drawn significant attention from both researchers and threat actors.
Root Cause
CWE-78: OS Command Injection
The underlying issue stems from improper neutralization of user-supplied input before it is passed to underlying operating system shell commands within the management web interface. An authenticated administrator can inject shell metacharacters or command separators into a parameter that the backend executes with elevated privileges. Because the management service runs with root-level permissions on the appliance, successful injection results in arbitrary command execution as root rather than as a restricted administrative user.
Impact
The CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) scores this vulnerability at 7.2 (HIGH). The network attack vector means the management interface must be reachable, but once an attacker obtains valid administrative credentials or compromises an admin account, exploitation is straightforward (low attack complexity). The impact triad is HIGH across confidentiality, integrity, and availability — an attacker with root access can exfiltrate configuration files, modify security policies, install persistence mechanisms, or render the device inoperable.
With an EPSS score of 0.94766, this vulnerability sits in the top 0.15% of CVEs by predicted exploitation probability, strongly indicating active or imminent weaponization.
Exploitation Walkthrough
Ethics caveat: The following description is provided for defensive awareness only. It explains the attack surface and prerequisites conceptually; no weaponized exploit code is included.
Prerequisites:
- Network reachability to the PAN-OS management web interface (typically TCP/443 on the management plane)
- Valid PAN-OS administrative credentials (or a compromised admin session)
Attack flow (conceptual):
- The attacker authenticates to the management web interface using legitimate or stolen admin credentials.
- The attacker navigates to a functionality that accepts user input and passes it to a backend shell command without adequate sanitization.
- By supplying input containing shell metacharacters (for example, command chaining operators), the attacker interrupts the intended command and injects arbitrary operating system commands.
- Because the backend process runs as root, the injected commands execute with full system privileges, granting the attacker complete control over the firewall appliance.
Defensive value: This is not a remote, unauthenticated exploit — it requires admin access. However, it collapses the security boundary between "administrator" and "root operator," meaning a compromised admin account or insider threat becomes a full device compromise. Organizations should treat admin credentials for PAN-OS management interfaces as Tier 0 assets.
Affected and Patched Versions
According to NVD CPE data, the following PAN-OS versions are listed as affected:
- PAN-OS 10.1.14 (and hotfix revisions h2, h4)
- PAN-OS 10.2.12 (and hotfix revision h1)
- PAN-OS 11.0.6
- PAN-OS 11.1.5
- PAN-OS 11.2.4
Note: The full range of affected versions and corresponding patched releases is documented in the official Palo Alto Networks security advisory. Administrators should consult the vendor bulletin (see References) to confirm whether their specific maintenance release is vulnerable and to obtain the correct patched version.
Remediation
- Upgrade PAN-OS to a patched version as specified in the Palo Alto Networks security advisory.
- Restrict management interface access: Apply strict IP allowlisting so the management web interface is reachable only from dedicated, bastion-hosted administrative workstations.
- Segment the management plane: Ensure the management interface is not exposed to untrusted networks, including the internet or user segments.
- Enforce MFA: Require multi-factor authentication for all PAN-OS administrative accounts to reduce the likelihood of credential compromise.
- Principle of least privilege: Audit admin role assignments and remove unnecessary superuser privileges.
Detection
- Authentication logs: Monitor the PAN-OS management interface authentication logs for unusual login sources, off-hours access, or repeated failed authentication attempts followed by success.
- Command audit trails: If available, review executed CLI or XML-API commands for anomalous patterns such as unexpected file system access, reverse shells, or credential exfiltration.
- Network traffic: Watch for outbound connections initiated from the management plane to unexpected external destinations, which may indicate post-exploitation command-and-control activity.
- File integrity: Baseline critical system files and monitor for unauthorized modifications.
Assessment
This vulnerability is a high-impact, actively exploited privilege escalation flaw. Its presence on the CISA Known Exploited Vulnerabilities catalog and the EU exploited list, both dated 2024-11-18, confirms in-the-wild exploitation. The extremely high EPSS score (0.94766) further validates that threat actors are likely scanning for or actively targeting exposed PAN-OS management interfaces.
Key lessons:
- Management plane exposure is critical attack surface. Even "authenticated only" vulnerabilities on network appliances become severe when the management interface is internet-facing or broadly reachable.
- Admin != root should be enforced in architecture. When an application backend runs with full system privileges, any injection or authentication bypass immediately becomes total compromise. Vendors and operators should continue to push for privilege separation within appliance operating systems.
References
- https://security.paloaltonetworks.com/CVE-2024-9474
- https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/
- https://github.com/k4nfr3/CVE-2024-9474
- https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-9474
Frequently asked questions
- What is CVE-2024-9474?
- A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges. Cloud NGFW and Prisma Access are not impacted by this vulnerability.
- How severe is CVE-2024-9474?
- CVE-2024-9474 has a CVSS 3.x base score of 7.2, rated high severity. It is exploitable over network with low attack complexity, requires high privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2024-9474 being actively exploited?
- Yes. CVE-2024-9474 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-11-18, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2024-9474?
- CVE-2024-9474 primarily affects Paloaltonetworks Pan-os. In total, 9 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2024-9474?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2024-9474 have an EU (EUVD) identifier?
- Yes. CVE-2024-9474 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-50354. It is also flagged as exploited in the EUVD (since 2024-11-18).
- When was CVE-2024-9474 published?
- CVE-2024-9474 was published on 2024-11-18 and last updated on 2026-06-17.
References
- https://security.paloaltonetworks.com/CVE-2024-9474
- https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/
- https://github.com/k4nfr3/CVE-2024-9474
- https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-9474
Affected products (9)
- cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:-:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h2:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h4:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.12:-:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.12:h1:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:11.0.6:-:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:11.1.5:-:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:11.2.4:-:*:*:*:*:*:*
More vulnerabilities in Paloaltonetworks Pan-os
- CVE-2024-3400 — Critical (CVSS 10.0): A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto…
- CVE-2020-2021 — Critical (CVSS 10.0): When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider…
- CVE-2019-17440 — Critical (CVSS 10.0): Improper restriction of communications to Log Forwarding Card (LFC) on PA-7000 Series devices with second-generation…
- CVE-2012-6603 — Critical (CVSS 10.0): The web management UI in Palo Alto Networks PAN-OS before 3.1.12, 4.0.x before 4.0.10, and 4.1.x before 4.1.4 allows…
- CVE-2012-6601 — Critical (CVSS 10.0): The device-management command-line interface in Palo Alto Networks PAN-OS before 3.1.12, 4.0.x before 4.0.10, and 4.1.x…
- CVE-2012-6593 — Critical (CVSS 10.0): Palo Alto Networks PAN-OS before 3.1.10 and 4.0.x before 4.0.4 allows remote attackers to execute arbitrary commands…
All CVEs affecting Paloaltonetworks Pan-os →
Other CWE-78 (OS Command Injection) vulnerabilities
- CVE-2026-56004 — Critical (CVSS 10.0): A shellcode injection in the mercurial handler of the obs tar_scm source service before version 0.12.4 could be used by…
- CVE-2026-56415 — Critical (CVSS 10.0): Storage Concentrator (SC & SCVM) contains a command injection vulnerability within the debug.pl script that is…
- CVE-2026-56413 — Critical (CVSS 10.0): Storage Concentrator (SC & SCVM) contains a command injection vulnerability in the ms_service.pl service, which listens…
- CVE-2026-49869 — Critical (CVSS 10.0): Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in…
- CVE-2026-49261 — Critical (CVSS 10.0): MariaDB server is a community developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through…
- CVE-2026-10520 — Critical (CVSS 10.0): An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a…