CVE-2019-1579
published 2019-07-19
CVE-2019-1579: Remote Code Execution in PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11-h1 and earlier, and PAN-OS 8.1.2 and earlier with GlobalProtect Portal or GlobalProtect…
Priority P190 · high · 8.1 (CVSS 3.1)
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability · due 2022-07-10
Exploited in the wild
EPSS: 39.32% (98.4th percentile)
Remote Code Execution in PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11-h1 and earlier, and PAN-OS 8.1.2 and earlier with GlobalProtect Portal or GlobalProtect Gateway Interface enabled may allow an unauthenticated remote attacker to execute arbitrary code.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| palo_alto_networks_globalprotect_portal | gateway_interface | — | — |
| paloalto | pan-os | — | — |
| paloaltonetworks | pan-os | < 7.1.19 | 7.1.19 |
| paloaltonetworks | pan-os | >= 8.0.0 < 8.0.12 | 8.0.12 |
| paloaltonetworks | pan-os | >= 8.1.0 < 8.1.3 | 8.1.3 |
Detection & IOCs (extracted from sources)
- CVE-2019-1579 affects PAN-OS GlobalProtect Portal and GlobalProtect Gateway interface; monitor for unauthenticated RCE attempts against these interfaces on PAN-OS 7.1.18 and earlier, 8.0.11-h1 and earlier, and 8.1.2 and earlier
- CVE-2019-1579 has been exploited in the wild by nation-state APT actors (Iranian Fox Kitten campaign, Chinese APT5) and ransomware groups; prioritize detection on internet-facing GlobalProtect Portal/Gateway endpoints
- NSA warned on October 7, 2019 that CVE-2019-1579 is frequently exploited by APT actors; treat any unpatched GlobalProtect Portal/Gateway as actively targeted
- PAN-OS 9.0 is not affected by CVE-2019-1579; only versions 7.1.18 and earlier, 8.0.11-h1 and earlier, and 8.1.2 and earlier are vulnerable
- Exploitation requires GlobalProtect Portal or GlobalProtect Gateway Interface to be enabled; if neither is enabled, the attack surface does not exist
- Workaround (if patching is not immediately possible): update to content release 8173 or later AND confirm threat prevention is enabled and enforced on traffic passing through the GlobalProtect portal and GlobalProtect Gateway interface
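An added example (not part of the original page or of any vendor tooling): a triage check that applies the affected ranges, the GlobalProtect precondition and the workaround condition listed above to a device inventory. The inventory fields, function names and status strings are assumptions made for illustration, and the sample devices are constructed.

```python
import re
from typing import NamedTuple

class PanosVersion(NamedTuple):
    major: int
    minor: int
    maint: int
    hotfix: int  # 0 when the release has no -hN suffix

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text: str) -> PanosVersion:
    """Parse 'X.Y.Z' or 'X.Y.Z-hN'; anything else is rejected, not guessed."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return PanosVersion(int(major), int(minor), int(maint), int(hotfix or 0))

# (inclusive lower bound or None, first fixed release), from the Affected table.
AFFECTED_RANGES = [
    (None, PanosVersion(7, 1, 19, 0)),
    (PanosVersion(8, 0, 0, 0), PanosVersion(8, 0, 12, 0)),
    (PanosVersion(8, 1, 0, 0), PanosVersion(8, 1, 3, 0)),
]
MIN_CONTENT_RELEASE = 8173  # workaround threshold quoted on this page

def version_is_affected(text: str) -> bool:
    v = parse_version(text)
    return any((low is None or v >= low) and v < fixed
               for low, fixed in AFFECTED_RANGES)

def assess(version, gp_enabled, content_release=0, threat_prevention=False):
    """Return a triage status string (labels are this example's own)."""
    if not version_is_affected(version):
        return "not affected"
    if not gp_enabled:
        return "affected release, GlobalProtect not enabled"
    if content_release >= MIN_CONTENT_RELEASE and threat_prevention:
        return "workaround in place, upgrade pending"
    return "vulnerable"

# Constructed sample inventory (hypothetical hostnames and field layout).
INVENTORY = [
    ("fw-edge-1", "8.0.11-h1", True, 8100, True),
    ("fw-edge-2", "8.1.2", True, 8173, True),
    ("fw-core-1", "7.1.18", False, 8000, False),
    ("fw-edge-3", "8.1.3", True, 8173, True),
]

def triage(inventory):
    return {host: assess(ver, gp, content, tp)
            for host, ver, gp, content, tp in inventory}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

Both workaround conditions must hold for the "workaround in place" status; an old content release with threat prevention enabled still reports as vulnerable.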
CVSS provenance
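| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| vulncheck | — | 8.1 | HIGH | — |
| cisa | — | 8.1 | HIGH | — |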
GHSA
GHSA-3w36-wf5x-rjfv: Remote Code Execution in PAN-OS 7
ghsa_unreviewed·2022-05-24
CVE-2019-1579 [HIGH] CWE-134 GHSA-3w36-wf5x-rjfv: Remote Code Execution in PAN-OS 7
Remote Code Execution in PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11 and earlier, and PAN-OS 8.1.2 and earlier with GlobalProtect Portal or GlobalProtect Gateway Interface enabled may allow an unauthenticated remote attacker to execute arbitrary code.
VulnCheck
Palo Alto Networks PAN-OS Remote Code Execution Vulnerability
vulncheck·2019·CVSS 8.1
CVE-2019-1579 [HIGH] CWE-134 Palo Alto Networks PAN-OS Remote Code Execution Vulnerability
Remote Code Execution in PAN-OS with GlobalProtect Portal or GlobalProtect Gateway Interface enabled.
Affected: Palo Alto Networks PAN-OS
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities; https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign.pdf; https://www.dragos.com/wp-content/uploads/The-ICS-Threat-Landscape.pdf; https://www.zdnet.com/article/iranian-hackers-are-selling-access-to-compromised-companies-on-an-underground-forum/; https://www.esentire.com/security-advisories/ransomware-groups-exploit-remote-access-services; https://www.clearskysec.com/wp-content/uploads/20
CISA
Palo Alto Networks PAN-OS Remote Code Execution Vulnerability
cisa·2022-01-10·CVSS 8.1
CVE-2019-1579 [HIGH] CWE-134 Palo Alto Networks PAN-OS Remote Code Execution Vulnerability
Vulnerability: Palo Alto Networks PAN-OS Remote Code Execution Vulnerability
Affected: Palo Alto Networks PAN-OS
Remote Code Execution in PAN-OS with GlobalProtect Portal or GlobalProtect Gateway Interface enabled.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-1579
Remediation Due Date: 2022-07-10
Palo Alto
Remote Code Execution in GlobalProtect Portal/Gateway Interface
vendor_paloalto·2019-07-18·CVSS 8.1
CVE-2019-1579 [HIGH] CWE-20 Remote Code Execution in GlobalProtect Portal/Gateway Interface
Palo Alto Networks is aware of the reported remote code execution (RCE) vulnerability in its GlobalProtect portal and GlobalProtect Gateway interface products. The issue is already addressed in prior maintenance releases. (Ref: CVE-2019-1579)
Successful exploitation of this issue allows an unauthenticated attacker to execute arbitrary code.
This issue affects PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11-h1 and earlier, and PAN-OS 8.1.2 and earlier releases. PAN-OS 9.0 is not affected.
Affected products: PAN-OS
Solution: PAN-OS 7.1.19 and later, PAN-OS 8.0.12 and later, and PAN-OS 8.1.3 and later releases.
Workaround: If you have not already upgraded to the available updates listed above and cannot do so now, we recommend that
Suricata
ET EXPLOIT Possible Palo Alto SSL VPN sslmgr Format String Vulnerability (Inbound) (CVE-2019-1579)
suricata·2019-07-18·CVSS 8.1
CVE-2019-1579 [HIGH] ET EXPLOIT Possible Palo Alto SSL VPN sslmgr Format String Vulnerability (Inbound) (CVE-2019-1579)
Rule: alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible Palo Alto SSL VPN sslmgr Format String Vulnerability (Inbound) (CVE-2019-1579)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/sslmgr"; endswith; nocase; http.request_body; content:"scep-profile-name=%"; startswith; fast_pattern; pcre:"/^[0-9]+/R"; reference:url,blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html; classtype:attempted-admin; sid:2027723; rev:6; metadata:attack_target Server, created_at 2019_07_18, cve CVE_2019_1579, deployment Perimeter, confidence Medium, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated
No public exploits indexed.
Tenable
CVE-2024-3400: Zero-Day Vulnerability in Palo Alto Networks PAN-OS GlobalProtect Gateway Exploited in the Wild
blogs_tenable·2024-04-12·CVSS 10.0
[CRITICAL] CVE-2024-3400: Zero-Day Vulnerability in Palo Alto Networks PAN-OS GlobalProtect Gateway Exploited in the Wild
Tenable
CVE-2020-5135: Critical SonicWall VPN Portal Stack-based Buffer Overflow Vulnerability
blogs_tenable·2020-10-15·CVSS 9.8
[CRITICAL] CVE-2020-5135: Critical SonicWall VPN Portal Stack-based Buffer Overflow Vulnerability
Tenable
CVE-2020-2021: Palo Alto Networks PAN-OS Vulnerable to Critical Authentication Bypass Vulnerability
blogs_tenable·2020-06-29·CVSS 10.0
[CRITICAL] CVE-2020-2021: Palo Alto Networks PAN-OS Vulnerable to Critical Authentication Bypass Vulnerability
Tenable
Critical Vulnerabilities You Need to Find and Fix to Protect the Remote Workforce
blogs_tenable·2020-04-13
Critical Vulnerabilities You Need to Find and Fix to Protect the Remote Workforce
Tenable
CVE-2018-13379, CVE-2019-11510: FortiGate and Pulse Connect Secure Vulnerabilities Exploited In the Wild
blogs_tenable·2019-08-27·CVSS 9.1
[CRITICAL] CVE-2018-13379, CVE-2019-11510: FortiGate and Pulse Connect Secure Vulnerabilities Exploited In the Wild
Checkpoint
29th July – Threat Intelligence Bulletin
blogs_checkpoint·2019-07-29·CVSS 8.1
CVE-2019-1579 [HIGH] 29th July – Threat Intelligence Bulletin
## 29th July – Threat Intelligence Bulletin
For the latest discoveries in cyber research for the week of 29th July 2019, please download our Threat Intelligence Bulletin
TOP ATTACKS AND BREACHES
City Power, the electricity provider in the city of Johannesburg, South Africa, has suffered serious disruptions after a Ransomware attack. The attack prevented prepaid customers from buying electricity units and accessing City Power’s official website, eventually leaving them without electricity power.
New Android Spyware
Tenable
CVE-2019-1579: Critical Pre-Authentication Vulnerability in Palo Alto Networks GlobalProtect SSL VPN Disclosed
blogs_tenable·2019-07-19·CVSS 8.1
[HIGH] CVE-2019-1579: Critical Pre-Authentication Vulnerability in Palo Alto Networks GlobalProtect SSL VPN Disclosed
Recorded Future
Remote Threats to Remote Employees: How Working From Home Increases the Attack Surface
blogs_recorded_future
Remote Threats to Remote Employees: How Working From Home Increases the Attack Surface
# Remote Threats to Remote Employees: How Working From Home Increases the Attack Surface
In response to the COVID-19 pandemic, many organizations have shifted to working from home for the foreseeable future — this means that organizations will have a largely (or entirely) remote workforce for the first time.
This creates a situation that is ripe for cybercriminals and nation-state actors to exploit. As we have observed with the rapid adoption of COVID-19-themed scams and attacks against the Olympics, threat actors — both nation-state and cybercriminal — are quick to exploit new and evolving situations.
For security teams, the sudden change in an organization’s network topology means a vastly expanded attack surface with little time to adapt to the new reality. For employees, generally,
Greynoiseio
NoiseLetter January 2026
blogs_greynoiseio
NoiseLetter January 2026
Bugzilla
CVE-2019-10431 jenkins-script-security: Sandbox bypass vulnerability in Script Security Plugin
bugzilla·2019-10-22·CVSS 9.9
CVE-2019-10431 [CRITICAL] CVE-2019-10431 jenkins-script-security: Sandbox bypass vulnerability in Script Security Plugin
CVE-2019-10431 jenkins-script-security: Sandbox bypass vulnerability in Script Security Plugin
Sandbox protection in Script Security Plugin could be circumvented through default parameter expressions in constructors. This allowed attackers able to specify and run sandboxed scripts to execute arbitrary code in the context of the Jenkins master JVM.
References:
https://jenkins.io/security/advisory/2019-10-01/#SECURITY-1579
Discussion:
Created jenkins-script-security-plugin tracking bugs for this issue:
Affects: fedora-all [bug 1764391]
---
This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.2
Via RHSA-2019:4097 https://access.redhat.com/errata/RHSA-2019:4097
---
This bug is now closed. Further updates for individual products will be ref
- http://www.securityfocus.com/bid/109310
- https://devco.re/blog/2019/07/17/attacking-ssl-vpn-part-1-PreAuth-RCE-on-Palo-Alto-GlobalProtect-with-Uber-as-case-study/
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010
- https://security.paloaltonetworks.com/CVE-2019-1579
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-1579
2019-07-19: Published
2022-01-10: Added to CISA KEV
Exploited in the wild