CVE-2020-2038
published 2020-09-09

Priority: P2
CVSS 3.1 base score: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit known
EPSS: 86.09% (99.7th percentile)
An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated administrators to execute arbitrary OS commands with root privileges. This issue impacts: PAN-OS 9.0 versions earlier than 9.0.10; PAN-OS 9.1 versions earlier than 9.1.4; PAN-OS 10.0 versions earlier than 10.0.1.

Affected (7 ranges)

Vendor              Product  Version range        Fixed in
palo_alto_networks  pan-os   >= 10.0 < 10.0.1     10.0.1
palo_alto_networks  pan-os   >= 9.0 < 9.0.10      9.0.10
palo_alto_networks  pan-os   >= 9.1 < 9.1.4       9.1.4
paloalto            pan-os   (no range given)     -
paloaltonetworks    pan-os   >= 10.0.0 < 10.0.1   10.0.1
paloaltonetworks    pan-os   >= 9.0.0 < 9.0.10    9.0.10
paloaltonetworks    pan-os   >= 9.1.0 < 9.1.4     9.1.4

Detection & IOCs (extracted from sources)

url:    /api?cmd=&type=op&key=
other:  Unique Threat ID 59954
snort:  alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT PAN-OS OS Command Injecton Attempt Inbound (CVE-2020-2038)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?cmd="; content:"|3c 21 5b|CDATA|5b 7c 7c|"; fast_pattern; reference:cve,2020-2038; classtype:attempted-admin; sid:2038688; rev:2; metadata:attack_target Server, created_at 2022_08_31, cve CVE_2020_2038, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2024_03_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
bytes:  |3c 21 5b|CDATA|5b 7c 7c|
  • The exploit targets the PAN-OS management web interface API endpoint via an HTTP GET request carrying the 'cmd' and 'type=op' parameters; look for GET requests to /api with the query parameters cmd=, type=op and key= in management-interface traffic.
  • The exploit injects OS commands through the 'cmd' URI parameter using CDATA and pipe (||) sequences; the byte pattern |3c 21 5b|CDATA|5b 7c 7c| in the URI is a high-confidence indicator of an exploitation attempt.
  • Palo Alto's own IPS Unique Threat ID 59954 can be enabled on GlobalProtect portal/gateway/VPN traffic as a compensating control to block exploitation attempts.
  • A Metasploit module exists for this vulnerability (linux/http/panos_op_cmd_exec); monitor for Metasploit-characteristic HTTP patterns against PAN-OS management interfaces.
  • Exploitation requires valid administrator credentials; this is an authenticated vulnerability, so stolen or weak admin credentials are a prerequisite of the attack.
  • The attack surface is the PAN-OS management web interface; restricting network access to this interface per Palo Alto best practices significantly reduces exposure.
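One way to hunt for the indicators above in web-server access logs captured from the management interface. This is an added example, not part of this record and not Palo Alto's or Emerging Threats' own tooling; it assumes the Apache/nginx "combined" log format, and the log lines, IP addresses and key value are constructed samples. It grades a request "high" when the URI carries the Snort rule's byte pattern (percent-decoded first, since the marker may arrive as %3C%21%5B...) and "medium" when it merely matches the url IOC shape, which legitimate operational API calls also produce.

```python
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, unquote_to_bytes, urlsplit

# Byte pattern quoted in the Snort rule on this page: |3c 21 5b|CDATA|5b 7c 7c|,
# i.e. the ASCII sequence "<![CDATA[||" inside the request URI.
CDATA_PIPE_MARKER = bytes.fromhex("3c215b") + b"CDATA" + bytes.fromhex("5b7c7c")

# Apache/nginx "combined" access-log format (assumed; not stated on the page).
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3}) '
)


def classify_request(method: str, uri: str) -> Optional[str]:
    """Grade one request against the indicators listed for CVE-2020-2038.

    'high'   - URI contains the CDATA/pipe byte pattern from the Snort rule
    'medium' - GET /api with cmd=, type=op and key= (matches the url IOC, but
               normal operational API use looks identical: a hunt lead only)
    None     - nothing of interest
    """
    parts = urlsplit(uri)
    if parts.path not in ("/api", "/api/"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    # The page's rule is GET-specific and keyed on a cmd= parameter.
    if method != "GET" or "cmd" not in params:
        return None
    # Percent-decode to raw bytes so the comparison is exactly the Snort content match.
    if CDATA_PIPE_MARKER in unquote_to_bytes(parts.query):
        return "high"
    if params.get("type") == ["op"] and "key" in params:
        return "medium"
    return None


def scan_access_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per log line that matches an indicator, in log order."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        grade = classify_request(m["method"], m["uri"])
        if grade:
            findings.append(
                {"src": m["src"], "ts": m["ts"], "confidence": grade, "uri": m["uri"]}
            )
    return findings


# Constructed sample lines (not real traffic). PLACEHOLDER_KEY stands in for an API key.
SAMPLE_LOG_LINES = [
    # Ordinary operational API call: matches the url IOC shape only -> medium
    '10.0.0.5 - - [09/Sep/2020:10:00:00 +0000] "GET /api/?type=op&cmd=%3Cshow%3E%3Csystem%3E%3Cinfo%3E%3C/system%3E%3C/show%3E&key=PLACEHOLDER_KEY HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    # Percent-encoded CDATA/pipe marker in cmd= -> high
    '203.0.113.7 - - [09/Sep/2020:10:05:12 +0000] "GET /api/?type=op&cmd=%3C%21%5BCDATA%5B%7C%7CSAMPLE%5D%5D%3E&key=PLACEHOLDER_KEY HTTP/1.1" 200 88 "-" "python-requests/2.24"',
    # Same marker sent unencoded -> high
    '203.0.113.7 - - [09/Sep/2020:10:05:13 +0000] "GET /api?cmd=<![CDATA[||SAMPLE]]>&type=op&key=PLACEHOLDER_KEY HTTP/1.1" 200 88 "-" "python-requests/2.24"',
    # Unrelated request -> ignored
    '10.0.0.5 - - [09/Sep/2020:10:06:00 +0000] "GET /php/login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    # /api call without cmd= -> ignored
    '10.0.0.9 - - [09/Sep/2020:10:07:41 +0000] "GET /api/?type=config&action=show&key=PLACEHOLDER_KEY HTTP/1.1" 200 2048 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG_LINES):
        print(f"{f['confidence']:6} {f['src']} [{f['ts']}] {f['uri']}")
```

Run against the constructed lines it reports one "medium" and two "high" findings, both from 203.0.113.7. Treat "medium" hits as a list of administrator API sessions to reconcile against known automation and admin logins, since this is an authenticated vulnerability; the "high" grade is the only one that stands on its own.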

CVSS provenance

Source  Version  Score  Severity  Vector
NVD     v3.1     7.2    HIGH      CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
NVD     v2.0     9.0    CRITICAL  AV:N/AC:L/Au:S/C:C/I:C/A:C