IRONSMITHINTEL
HIGHCVSS7.2
|
Actively Exploited
|CISA KEV|CVE-2024-9474|Auth: high — administrative privileges|Reboot: required|Manual only

Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability (CVE-2024-9474)

Palo Alto Networks PAN-OS contains an OS command injection vulnerability that allows for privilege escalation through the web-based management interface for several PAN products, including firewalls and VPN concentrators.

Published Nov 18, 2024 · Updated May 17, 2026
Why patchRisk explained in plain English
Worst-case scenarioIf unpatched

A remote attacker, with administrative privileges, can achieve full data confidentiality loss, arbitrary modification of data, complete denial of service or system unavailability. CISA has confirmed use of this vulnerability in known ransomware campaigns — treat as high priority for remediation. Federal agencies are required to remediate by 2024-12-09 under CISA BOD 22-01.

How the attack worksNo clicks needed

This is a OS Command Injection (CWE-78) vulnerability in Palo Alto Networks PAN-OS. A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges. Cloud NGFW and Prisma Access are not impacted by this vulnerability. Exploitation requires remote network access, low attack complexity, an administrative account, and no user interaction required.

Am I affected?Quick check

Probably yes if any of these apply:

Network Security Team
Firewall Administrators
IT Security
Running pan-os: 10.1.0 ≤ v < 10.1.14, 10.2.0 ≤ v < 10.2.12, 11.0.0 ≤ v < 11.0.6, 11.1.0 ≤ v < 11.1.5, 11.2.0 ≤ v < 11.2.4, 10.1.14, 10.2.12, 11.0.6, 11.1.5, 11.2.4
Real-world incidentsWhat we've seen

Used in known ransomware campaigns. Threat-research write-up: https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/

How to patch

Manual remediation steps

1
Identify affected hosts: query inventory for network-security installs in scope.
2
Apply the vendor security update referenced in CVE-2024-9474's advisory. No specific KB/version is encoded yet — consult the linked MSRC/vendor URL.
3
Verify the fix per the vendor's published verification steps.
4
Document the remediation in your change ticket and re-scan with your vulnerability scanner to confirm closure.
PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

CVE-2024-9474MSRC AdvisoryNVDVendor Advisory