NAVANEM
CVE-2024-9474 (exploited in the wild)

Palo Alto PAN-OS, privilege escalation in management web interface

A privilege escalation (PE) vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges.

Overview

CVE-2024-9474 is a high-severity privilege escalation vulnerability in Palo Alto Networks PAN-OS software. The flaw allows an authenticated PAN-OS administrator with access to the management web interface to execute arbitrary commands with root privileges on the firewall. While the vulnerability requires authentication on its own, it becomes critically dangerous when chained with CVE-2024-0012, an authentication bypass vulnerability affecting the same management interface. This combination enables unauthenticated, network-reachable remote code execution (RCE) as root.

Palo Alto Networks and Unit 42 confirmed active exploitation of this vulnerability chain in the wild in November 2024.

Technical Details

The vulnerability exists in the management web interface of PAN-OS. An authenticated administrator can leverage this flaw to escalate privileges from a standard administrative context to root-level access on the underlying operating system. The technical mechanism allows arbitrary command execution as root through the web UI.

When combined with CVE-2024-0012 (authentication bypass), attackers can exploit this vulnerability without any prior authentication, as long as the management interface is network-reachable. Threat actors observed in the wild used this exploit chain to deploy webshells and credential-stealing payloads on management planes exposed to the Internet.

Impact

The impact of this vulnerability is severe. Palo Alto firewalls typically serve as the primary security perimeter for organizations. Successful exploitation grants attackers:

  • Full root access to the firewall
  • Access to VPN keys and certificates
  • Active Directory bind credentials
  • Direct route into the internal LAN
  • Ability to intercept, redirect, or manipulate network traffic
  • Capability to add deny-all rules, locking out legitimate defenders

For Managed Service Providers (MSPs), this vulnerability poses an existential threat to customer security postures.

Mitigation

  1. Patch immediately to the fixed PAN-OS versions specified in Palo Alto advisory PAN-SA-2024-0015
  2. Remove Internet exposure of the management interface and restrict access to dedicated admin jump hosts only
  3. Treat any firewall whose management interface was Internet-exposed as potentially compromised
  4. Rotate all credentials and review configurations for unauthorized changes
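
The following triage script is an added example and is not part of the advisory or Palo Alto's tooling. It takes a constructed firewall inventory (the field names `name` and `permitted` are hypothetical, not a PAN-OS export format) in which each device lists the source networks allowed to reach its management interface, and applies steps 2 and 3 above: a device with no source restriction is reported as exposed and therefore to be treated as potentially compromised, a device reachable only from the admin jump-host networks is reported as restricted, and anything in between is queued for review. The jump-host network is an assumed value.

```python
"""Triage a firewall inventory for management interfaces that are not
restricted to admin jump hosts.

Added example, not from the advisory. Inventory field names and the
jump-host network are assumptions for illustration.
"""
import ipaddress

# Assumed: networks from which admin jump hosts reach the management plane.
JUMP_HOST_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed inventory. 'permitted' lists the source networks allowed to reach
# the management interface; an empty list means no restriction is configured.
INVENTORY = [
    {"name": "fw-edge-01", "permitted": ["0.0.0.0/0"]},
    {"name": "fw-edge-02", "permitted": []},
    {"name": "fw-dc-01", "permitted": ["10.20.0.0/24"]},
    {"name": "fw-dc-02", "permitted": ["10.20.0.0/24", "192.0.2.0/24"]},
]


def permitted_networks(entries):
    """Parse the permitted-source list; an empty list is treated as 0.0.0.0/0."""
    if not entries:
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_unrestricted(entries):
    """True if any permitted entry is a catch-all prefix (prefix length 0)."""
    return any(net.prefixlen == 0 for net in permitted_networks(entries))


def is_restricted_to_jump_hosts(entries):
    """True only if every permitted source network lies inside a jump-host network."""
    return all(
        any(net.version == jh.version and net.subnet_of(jh) for jh in JUMP_HOST_NETS)
        for net in permitted_networks(entries)
    )


def classify(device):
    """Return (status, reason) for one inventory record."""
    if is_unrestricted(device["permitted"]):
        return ("exposed", "no source restriction on management access; "
                           "treat as potentially compromised, rotate credentials, run IOC sweep")
    if is_restricted_to_jump_hosts(device["permitted"]):
        return ("restricted", "management reachable only from admin jump-host networks")
    return ("review", "permitted sources extend beyond the jump-host networks")


def triage(inventory):
    """Classify every device; returns {name: status}."""
    return {d["name"]: classify(d)[0] for d in inventory}


if __name__ == "__main__":
    for d in INVENTORY:
        status, reason = classify(d)
        print(f"{d['name']:<12} {status:<10} {reason}")
```

The classification deliberately keys on the allowlist rather than on the management address: a device whose management interface sits on a routable address with no source restriction is the case the advisory tells you to treat as compromised, and that condition is visible in configuration without any probing.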

Detection

  1. Run Palo Alto's official CVE-2024-9474 Indicator of Compromise (IOC) sweep on all firewalls
  2. Review management interface access logs for suspicious authentication attempts or command execution
  3. Search for unauthorized webshells or unexpected files on the management plane
  4. Monitor for credential exfiltration or unauthorized configuration changes