CVE-2024-0012 in PAN-OSinfo

Summary

by MITRE • 11/18/2024

An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474 https://security.paloaltonetworks.com/CVE-2024-9474 .

The risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended  best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .

This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software.

Cloud NGFW and Prisma Access are not impacted by this vulnerability.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 05/13/2025

This vulnerability represents a critical authentication bypass flaw in Palo Alto Networks PAN-OS software that fundamentally undermines the security posture of affected firewalls. The issue allows unauthenticated attackers with network access to the management web interface to escalate privileges to administrator level, effectively granting them complete control over the device. This represents a significant deviation from standard security principles where authentication mechanisms should serve as the primary gatekeepers for administrative access. The vulnerability specifically affects PAN-OS versions 10.2, 11.0, 11.1, and 11.2, indicating a widespread impact across multiple major release branches that organizations have deployed in production environments. The flaw operates at the application layer authentication mechanism, potentially exploiting weaknesses in session management or credential validation processes that should normally prevent unauthorized access to administrative functions.

The technical exploitation of this vulnerability enables attackers to perform a wide range of malicious activities including but not limited to modifying firewall rules, accessing sensitive configuration data, installing malicious software, and potentially using the compromised device as a pivot point for further attacks within the network. This authentication bypass creates a pathway for attackers to bypass the standard administrative access controls that should normally require valid credentials before granting access to system configuration and management functions. The vulnerability's impact is particularly severe because it allows for immediate privilege escalation without requiring any prior access credentials, making it an attractive target for automated exploitation tools. The flaw essentially removes the authentication barrier that should exist between network users and administrative functions, creating a direct path to complete system compromise. This vulnerability aligns with CWE-287 which addresses improper authentication issues and can be categorized under ATT&CK technique T1078 for valid accounts and T1566 for social engineering, though the latter is less applicable since no social engineering is required for exploitation.

Organizations affected by this vulnerability face significant operational risks including potential data breaches, unauthorized network modifications, and complete loss of firewall control. The attack surface is particularly concerning because it affects the management interface, which typically serves as the primary point of administrative access for network security policies and configurations. The vulnerability's exploitation can lead to unauthorized access to sensitive network data, modification of security policies, and potential use of the compromised firewall as a staging point for attacks against other network segments. When combined with other vulnerabilities like CVE-2024-9474, the risk profile escalates significantly as attackers can potentially chain these vulnerabilities to achieve more extensive compromise. The impact extends beyond immediate configuration changes to include potential long-term network security degradation and regulatory compliance violations. Security teams must immediately assess their exposure and implement mitigation strategies to prevent unauthorized access to management interfaces.

The recommended mitigation approach focuses on network segmentation and access control restrictions, emphasizing the importance of limiting management interface access to trusted internal IP addresses. This aligns with industry best practices for securing administrative access points and represents a defense-in-depth strategy that reduces the attack surface for this specific vulnerability. Organizations should implement strict access control lists, utilize network access control systems, and ensure that management interfaces are not directly exposed to untrusted networks. The restriction of management access to specific IP ranges serves as a crucial compensating control that can significantly reduce the risk even if the underlying authentication bypass vulnerability remains unpatched. This mitigation approach reflects standard network security practices and aligns with NIST cybersecurity framework recommendations for protecting critical infrastructure components. Additionally, organizations should implement network monitoring to detect unauthorized access attempts to management interfaces and maintain comprehensive audit logs to track any suspicious activities that might indicate exploitation attempts. The vulnerability's limited scope to specific PAN-OS versions also means that organizations running different software versions are not affected, though they should still maintain vigilance regarding other potential security issues in their network infrastructure.

Responsible

Palo Alto

Reservation

11/09/2023

Disclosure

11/18/2024

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.99698

KEV

yes

Activities

very low

Campaigns

2 (confirmed)

Sources

Want to know what is going to be exploited?

We predict KEV entries!