CVE-2020-2040
published 2020-09-09

Priority: P268, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.94% (89.1th percentile)
A buffer overflow vulnerability in PAN-OS allows an unauthenticated attacker to disrupt system processes and potentially execute arbitrary code with root privileges by sending a malicious request to the Captive Portal or Multi-Factor Authentication interface. This issue impacts: All versions of PAN-OS 8.0; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 9.1 versions earlier than PAN-OS 9.1.3.

Affected

9 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| palo_alto_networks | pan-os | | |
| palo_alto_networks | pan-os | >= 8.1 < 8.1.15 | 8.1.15 |
| palo_alto_networks | pan-os | >= 9.0 < 9.0.9 | 9.0.9 |
| palo_alto_networks | pan-os | >= 9.1 < 9.1.3 | 9.1.3 |
| paloalto | pan-os | | |
| paloaltonetworks | pan-os | 8.0.0 – 8.0.20 | |
| paloaltonetworks | pan-os | >= 8.1.0 < 8.1.15 | 8.1.15 |
| paloaltonetworks | pan-os | >= 9.0.0 < 9.0.9 | 9.0.9 |
| paloaltonetworks | pan-os | >= 9.1.0 < 9.1.3 | 9.1.3 |

Detection & IOCs

  • The vulnerability is exploitable only when Captive Portal or Multi-Factor Authentication (MFA) interface is enabled on PAN-OS; detection/hunting should focus on anomalous or malformed requests to those interfaces from unauthenticated sources.
  • Palo Alto Networks Threat Prevention content update version 8317 contains signatures that block exploitation of CVE-2020-2040; verify content version is 8317 or later and signatures are enabled.
  • Qualys QID 13975 (signature version VULNSIGS-2.4.986-2 and above, authenticated scan) detects CVE-2020-2040 on PAN-OS hosts.
  • The vulnerability does NOT affect the GlobalProtect VPN or the PAN-OS management web interfaces; scope detection efforts to Captive Portal / MFA interfaces only.
  • PAN-OS 8.0 (all versions) is end-of-life and fully affected; no patched release exists for that branch, only mitigation via content update 8317 or upgrade to a supported branch.
  • The attack surface is conditional: the vulnerability is only present when Captive Portal or MFA interface is explicitly enabled in the PAN-OS configuration.

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C