CVE-2019-1579
published 2019-07-19

CVE-2019-1579: Remote Code Execution in PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11-h1 and earlier, and PAN-OS 8.1.2 and earlier with GlobalProtect Portal or GlobalProtect…

Priority: P1 · 90 · high
CVSS 3.1 base score: 8.1 (AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:H)
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability: due 2022-07-10
Exploited in the wild
EPSS: 39.32% (98.4th percentile)
Remote Code Execution in PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11-h1 and earlier, and PAN-OS 8.1.2 and earlier with GlobalProtect Portal or GlobalProtect Gateway Interface enabled may allow an unauthenticated remote attacker to execute arbitrary code.

Affected (5 ranges)

Vendor              Product                                Version range        Fixed in
palo_alto_networks  globalprotect_portalgateway_interface  -                    -
paloalto            pan-os                                 -                    -
paloaltonetworks    pan-os                                 < 7.1.19             7.1.19
paloaltonetworks    pan-os                                 >= 8.0.0, < 8.0.12   8.0.12
paloaltonetworks    pan-os                                 >= 8.1.0, < 8.1.3    8.1.3

Detection & IOCs (extracted from sources)

  • CVE-2019-1579 affects the PAN-OS GlobalProtect Portal and GlobalProtect Gateway interface; monitor for unauthenticated RCE attempts against these interfaces on PAN-OS 7.1.18 and earlier, 8.0.11-h1 and earlier, and 8.1.2 and earlier
  • CVE-2019-1579 has been exploited in the wild by nation-state APT actors (Iranian Fox Kitten campaign, Chinese APT5) and ransomware groups; prioritize detection on internet-facing GlobalProtect Portal/Gateway endpoints
  • NSA warned on October 7, 2019 that CVE-2019-1579 is frequently exploited by APT actors; treat any unpatched GlobalProtect Portal/Gateway as actively targeted
  • PAN-OS 9.0 is not affected by CVE-2019-1579; only versions 7.1.18 and earlier, 8.0.11-h1 and earlier, and 8.1.2 and earlier are vulnerable
  • Exploitation requires the GlobalProtect Portal or GlobalProtect Gateway Interface to be enabled; if neither is enabled, the attack surface does not exist
  • Workaround (if patching is not immediately possible): update to content release 8173 or later AND confirm that threat prevention is enabled and enforced on traffic passing through the GlobalProtect Portal and GlobalProtect Gateway interface

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      8.1     HIGH       CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      6.8     MEDIUM     AV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck   -         8.1     HIGH       -
cisa        -         8.1     HIGH       -