CVE-2024-9474
published 2024-11-18


Priority: P1 93 high · CVSS 3.1: 7.2
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, due 2024-12-09
Exploited in the wild
EPSS: 94.77% (99.8th percentile)
A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges. Cloud NGFW and Prisma Access are not impacted by this vulnerability.

Affected

49 ranges · showing 25

Vendor              | Product        | Version range           | Fixed in
palo_alto_networks  | pan-os         | >= 10.1.0 < 10.1.14-h6  | 10.1.14-h6
palo_alto_networks  | pan-os         | >= 10.2.0 < 10.2.12-h2  | 10.2.12-h2
palo_alto_networks  | pan-os         | >= 11.0.0 < 11.0.6-h1   | 11.0.6-h1
palo_alto_networks  | pan-os         | >= 11.1.0 < 11.1.5-h1   | 11.1.5-h1
palo_alto_networks  | pan-os         | >= 11.2.0 < 11.2.4-h1   | 11.2.4-h1
paloalto            | cloud_ngfw     |                         |
paloalto            | cortex_xpanse  |                         |
paloalto            | cortex_xsiam   |                         |
paloalto            | globalprotect  |                         |
paloalto            | pan-os         |                         |
paloalto            | panorama       |                         |
paloalto            | prisma_access  |                         |
paloaltonetworks    | pan-os         | (13 entries, version range not shown) |

Detection & IOCs (extracted from sources)

Hash: 3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668
  • Monitor for PHP web shell activity on PAN-OS firewalls; the observed web shell accepts POST parameters 'b' (password check: 'iUqPd') and 'x' (command to execute via system()). Web shell payloads recovered from compromised firewalls were obfuscated.
  • Alert on the specific User-Agent string 'Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv 11.0) like Gecko' in PAN-OS management web interface logs, as it was observed during multiple actor exploit attempts for CVE-2024-0012/CVE-2024-9474.
  • CVE-2024-9474 is chained with CVE-2024-0012 (auth bypass) and CVE-2025-0111 (file read) in active exploit chains targeting PAN-OS management web interfaces. Detect sequential exploitation of these three CVEs together.
  • Post-exploitation activity includes interactive command execution, dropping web shells, open-source C2 tools (e.g., Sliver implants), and crypto miners on compromised PAN-OS firewalls.
  • Wiz observed attackers deploying web shells and Sliver implants on vulnerable PAN-OS appliances just days after PoCs went public following CVE-2024-0012 and CVE-2024-9474 disclosure.
  • A complete and continuously updated list of attacker IP addresses observed scanning/exploiting CVE-2024-0012 and CVE-2024-9474 is maintained at the Unit42-Timely-Threat-Intel GitHub repository.
  • Cloud NGFW and Prisma Access are not affected by CVE-2024-9474; only on-premises PAN-OS deployments are impacted.
  • Risk of exploitation is greatly reduced if the PAN-OS management web interface is restricted to trusted internal IP addresses only and not exposed to the internet.
  • CVE-2024-9474 requires an authenticated PAN-OS administrator session (obtained e.g. via CVE-2024-0012 auth bypass) to exploit; it is a privilege escalation, not a standalone unauthenticated RCE.
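The two detection bullets above (the fixed User-Agent string and the web shell's 'b'/'x' POST parameters) can be turned into a small log-scanning check. The following is an added example, not code from this page's sources or from Palo Alto Networks; the log line format and the sample lines are constructed for the example (real PAN-OS management-interface logs are laid out differently, so the regex is the part to adapt), and the IP addresses are documentation-range placeholders.

```python
import re
from urllib.parse import parse_qs

# Indicators quoted on this page for CVE-2024-0012 / CVE-2024-9474 exploitation reports.
SUSPECT_UA = "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv 11.0) like Gecko"
WEBSHELL_PARAMS = {"b", "x"}   # 'b' = password check, 'x' = command passed to system()
WEBSHELL_PASSWORD = "iUqPd"

# Assumed log format (constructed for this example; adapt to the real log source):
#   <ts> <src_ip> "<METHOD> <path>" <status> ua="<user-agent>" [body="<urlencoded form body>"]
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) '
    r'ua="(?P<ua>[^"]*)"(?: body="(?P<body>[^"]*)")?$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return the names of the indicators that fire for one parsed entry."""
    hits = []
    if entry["ua"] == SUSPECT_UA:
        hits.append("suspect-user-agent")
    if entry["method"] == "POST" and entry.get("body"):
        params = parse_qs(entry["body"], keep_blank_values=True)
        # The observed shell takes both 'b' and 'x'; either alone is too common to alert on.
        if WEBSHELL_PARAMS <= set(params):
            hits.append("webshell-params-b-x")
            if params["b"] == [WEBSHELL_PASSWORD]:
                hits.append("webshell-known-password")
    return hits


def scan(lines):
    """Return (src_ip, path, indicators) for every line that fires; unparseable lines are skipped."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        hits = classify(entry)
        if hits:
            findings.append((entry["src"], entry["path"], hits))
    return findings


# Constructed sample log: one benign request, one suspect-UA probe, one shell command
# with the known password, one shell-shaped POST with a wrong password, and one junk line.
SAMPLE_LOG = [
    '2024-11-18T10:00:01Z 192.0.2.10 "GET /" 200 ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"',
    '2024-11-18T10:00:07Z 203.0.113.5 "GET /" 302 ua="Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv 11.0) like Gecko"',
    '2024-11-18T10:00:09Z 203.0.113.5 "POST /example.php" 200 '
    'ua="Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv 11.0) like Gecko" body="b=iUqPd&x=id"',
    '2024-11-18T10:00:15Z 198.51.100.7 "POST /example.php" 200 ua="curl/8.4.0" body="b=guess&x=id"',
    "not a log line",
]

if __name__ == "__main__":
    for src, path, hits in scan(SAMPLE_LOG):
        print(f"{src} {path}: {', '.join(hits)}")
```

The User-Agent match is exact rather than a substring match because the value quoted in the reports is a complete string; loosening it to a regex on "Trident/7.0" alone would match legitimate old Internet Explorer traffic. Sources reaching a firewall's management interface with either indicator should be compared against the allowed-administrator address list referenced in the mitigation bullets above.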

CVSS provenance

Source     | Version | Score | Severity | Vector
nvd        | v3.1    | 7.2   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd        | v4.0    | 6.9   | MEDIUM   | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:H/U:Red
vulncheck  |         | 9.3   | CRITICAL |
cisa       |         | 6.9   | MEDIUM   |