CVE-2024-9474

CVE-2024-9474 is a high-severity vulnerability in Paloaltonetworks Pan-os with a CVSS 3.x base score of 7.2. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-11-18). The underlying weakness is classified as CWE-78.

Key facts

Description

A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges. Cloud NGFW and Prisma Access are not impacted by this vulnerability.

CVE-2024-9474: PAN-OS Management Interface Privilege Escalation (CWE-78)

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2024-9474
Vendor Palo Alto Networks
Product PAN-OS
CWE CWE-78 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS 3.1 7.2 (HIGH) — AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 6.9 (MEDIUM)
EPSS 0.94766 (99.85th percentile)
CISA KEV Listed (2024-11-18)
EU Exploited Yes (since 2024-11-18)
Published 2024-11-18

Summary

A privilege escalation vulnerability exists in Palo Alto Networks PAN-OS software that allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges. Cloud NGFW and Prisma Access are not impacted by this vulnerability.

Background

PAN-OS is the operating system that powers Palo Alto Networks' next-generation firewalls. The management web interface provides administrators with a browser-based console for device configuration, policy management, and monitoring. Because this interface operates at a high trust boundary within the network architecture, any vulnerability that bypasses role-based access controls carries disproportionate risk. This flaw was disclosed alongside related issues and has drawn significant attention from both researchers and threat actors.

Root Cause

CWE-78: OS Command Injection

The underlying issue stems from improper neutralization of user-supplied input before it is passed to underlying operating system shell commands within the management web interface. An authenticated administrator can inject shell metacharacters or command separators into a parameter that the backend executes with elevated privileges. Because the management service runs with root-level permissions on the appliance, successful injection results in arbitrary command execution as root rather than as a restricted administrative user.

Impact

The CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) scores this vulnerability at 7.2 (HIGH). The network attack vector means the management interface must be reachable, but once an attacker obtains valid administrative credentials or compromises an admin account, exploitation is straightforward (low attack complexity). The impact triad is HIGH across confidentiality, integrity, and availability — an attacker with root access can exfiltrate configuration files, modify security policies, install persistence mechanisms, or render the device inoperable.

With an EPSS score of 0.94766, this vulnerability sits in the top 0.15% of CVEs by predicted exploitation probability, strongly indicating active or imminent weaponization.

Exploitation Walkthrough

Ethics caveat: The following description is provided for defensive awareness only. It explains the attack surface and prerequisites conceptually; no weaponized exploit code is included.

Prerequisites:

  • Network reachability to the PAN-OS management web interface (typically TCP/443 on the management plane)
  • Valid PAN-OS administrative credentials (or a compromised admin session)

Attack flow (conceptual):

  1. The attacker authenticates to the management web interface using legitimate or stolen admin credentials.
  2. The attacker navigates to a functionality that accepts user input and passes it to a backend shell command without adequate sanitization.
  3. By supplying input containing shell metacharacters (for example, command chaining operators), the attacker interrupts the intended command and injects arbitrary operating system commands.
  4. Because the backend process runs as root, the injected commands execute with full system privileges, granting the attacker complete control over the firewall appliance.

Defensive value: This is not a remote, unauthenticated exploit — it requires admin access. However, it collapses the security boundary between "administrator" and "root operator," meaning a compromised admin account or insider threat becomes a full device compromise. Organizations should treat admin credentials for PAN-OS management interfaces as Tier 0 assets.

Affected and Patched Versions

According to NVD CPE data, the following PAN-OS versions are listed as affected:

  • PAN-OS 10.1.14 (and hotfix revisions h2, h4)
  • PAN-OS 10.2.12 (and hotfix revision h1)
  • PAN-OS 11.0.6
  • PAN-OS 11.1.5
  • PAN-OS 11.2.4

Note: The full range of affected versions and corresponding patched releases is documented in the official Palo Alto Networks security advisory. Administrators should consult the vendor bulletin (see References) to confirm whether their specific maintenance release is vulnerable and to obtain the correct patched version.

Remediation

  1. Upgrade PAN-OS to a patched version as specified in the Palo Alto Networks security advisory.
  2. Restrict management interface access: Apply strict IP allowlisting so the management web interface is reachable only from dedicated, bastion-hosted administrative workstations.
  3. Segment the management plane: Ensure the management interface is not exposed to untrusted networks, including the internet or user segments.
  4. Enforce MFA: Require multi-factor authentication for all PAN-OS administrative accounts to reduce the likelihood of credential compromise.
  5. Principle of least privilege: Audit admin role assignments and remove unnecessary superuser privileges.

Detection

  • Authentication logs: Monitor the PAN-OS management interface authentication logs for unusual login sources, off-hours access, or repeated failed authentication attempts followed by success.
  • Command audit trails: If available, review executed CLI or XML-API commands for anomalous patterns such as unexpected file system access, reverse shells, or credential exfiltration.
  • Network traffic: Watch for outbound connections initiated from the management plane to unexpected external destinations, which may indicate post-exploitation command-and-control activity.
  • File integrity: Baseline critical system files and monitor for unauthorized modifications.

Assessment

This vulnerability is a high-impact, actively exploited privilege escalation flaw. Its presence on the CISA Known Exploited Vulnerabilities catalog and the EU exploited list, both dated 2024-11-18, confirms in-the-wild exploitation. The extremely high EPSS score (0.94766) further validates that threat actors are likely scanning for or actively targeting exposed PAN-OS management interfaces.

Key lessons:

  1. Management plane exposure is critical attack surface. Even "authenticated only" vulnerabilities on network appliances become severe when the management interface is internet-facing or broadly reachable.
  2. Admin != root should be enforced in architecture. When an application backend runs with full system privileges, any injection or authentication bypass immediately becomes total compromise. Vendors and operators should continue to push for privilege separation within appliance operating systems.

References

Frequently asked questions

What is CVE-2024-9474?
A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges. Cloud NGFW and Prisma Access are not impacted by this vulnerability.
How severe is CVE-2024-9474?
CVE-2024-9474 has a CVSS 3.x base score of 7.2, rated high severity. It is exploitable over network with low attack complexity, requires high privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2024-9474 being actively exploited?
Yes. CVE-2024-9474 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-11-18, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2024-9474?
CVE-2024-9474 primarily affects Paloaltonetworks Pan-os. In total, 9 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2024-9474?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2024-9474 have an EU (EUVD) identifier?
Yes. CVE-2024-9474 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-50354. It is also flagged as exploited in the EUVD (since 2024-11-18).
When was CVE-2024-9474 published?
CVE-2024-9474 was published on 2024-11-18 and last updated on 2026-06-17.

References

Affected products (9)

More vulnerabilities in Paloaltonetworks Pan-os

All CVEs affecting Paloaltonetworks Pan-os →

Other CWE-78 (OS Command Injection) vulnerabilities

Browse all CWE-78 (OS Command Injection) vulnerabilities →