CVE-2017-15944 — Palo Alto Networks PAN-OS Remote Code Execution Vulnerability

CVE-2017-15944

Palo Alto Networks PAN-OS — Three-Vulnerability Chain (Directory Traversal + OS Command Injection) Enables Unauthenticated RCE on Management Interface; CRITICAL 9.8; Patched December 2017

What Is Palo Alto Networks PAN-OS?

Palo Alto Networks PAN-OS is the operating system that runs Palo Alto Networks next-generation firewalls (NGFW) and Panorama management appliances, which are widely deployed as perimeter security infrastructure in enterprise, government and critical-infrastructure environments. A PAN-OS firewall inspects the traffic entering and leaving an organization, so compromising one gives an attacker visibility into that traffic (including anything the firewall decrypts for inspection), the ability to rewrite policy so that attacker traffic is permitted, and a privileged pivot point inside the network. The attack surface for CVE-2017-15944 is the PAN-OS management web interface, served over HTTPS on the dedicated MGT interface and on any data-plane interface whose interface management profile permits HTTPS management.

Overview

Actively exploited. CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on August 18, 2022; federal agencies are required to remediate it under BOD 22-01.

CVE-2017-15944 is a critical remote code execution vulnerability in Palo Alto Networks PAN-OS. It is not a single bug but a chain of three flaws in the management web interface and the management plane behind it: a partial authentication bypass, a directory traversal, and an OS command injection in a script that runs as root. Together they let a remote, unauthenticated attacker who can reach the management interface execute arbitrary commands as root on the firewall's underlying operating system. Palo Alto Networks fixed the chain in PAN-OS 6.1.19, 7.0.19, 7.1.14 and 8.0.6 in December 2017. CISA added CVE-2017-15944 to the KEV catalog in August 2022, almost five years after the patch, reflecting continued targeting of unpatched Palo Alto Networks devices whose management interfaces remain exposed.

Affected Versions

PAN-OS Version                                     Status
PAN-OS 6.1 before 6.1.19                           Vulnerable
PAN-OS 7.0 before 7.0.19                           Vulnerable
PAN-OS 7.1 before 7.1.14                           Vulnerable
PAN-OS 8.0 before 8.0.6                            Vulnerable
PAN-OS 6.1.19, 7.0.19, 7.1.14, 8.0.6 and later     Fixed

Technical Details

Root Cause: Three Chained Flaws Leading to Unauthenticated RCE

CVE-2017-15944 is the identifier for a chain of three flaws in the PAN-OS management plane that, as described in the discoverer's public analysis, together allow unauthenticated root command execution:

Chain components:

  1. Partial authentication bypass: the management web server's check for whether a request needs a valid session can be sidestepped, so an unauthenticated request reaches a handler that should only be reachable after login
  2. Directory traversal: that handler builds a filesystem path from attacker-controlled input without neutralizing traversal sequences, which lets the attacker create a directory with a name of their choosing outside the intended location
  3. OS command injection (CWE-78): a maintenance script that runs as root on a schedule lists the directory names in the affected location and interpolates them into a shell command without quoting, so a directory name containing shell metacharacters is executed as root the next time the script runs
  4. Root execution: the injected command runs as root on the firewall's underlying Linux system; no credentials, session tokens or user interaction are involved at any stage

Two practical consequences follow from the shape of the chain. Execution is delayed rather than instantaneous, because the payload waits for the scheduled job to run, so an exploitation attempt looks like a single anomalous management-interface request followed some time later by root-level activity. And the attacker never obtains or needs an administrator session, so reviewing administrator login history alone will not reveal exploitation.
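The last link of the chain, reduced to something you can run: a privileged script that pastes directory names into a command string, beside a form that treats the names as data. This is an added example written for this page, not PAN-OS code or the discoverer's exploit; the `logdb/` tree, the `traffic` and `x;id>pwned` directory names and the `pwned` marker file are all constructed for the demo, and the only attacker capability modelled is creating a directory with a chosen name, which is what the first two links of the chain provide on the firewall.

```shell
#!/bin/sh
# Added example for this page, not PAN-OS code or the published exploit.
# Models the last link of the chain: a privileged maintenance script that
# interpolates directory names into a shell command string. Everything below
# (the logdb/ layout, the directory names, the "pwned" marker) is constructed.

# Vulnerable pattern: $(ls) word-splits the listing and each name is pasted
# into shell source, so the name `x;id>pwned` is parsed as two commands.
vulnerable_index() {
  for entry in $(ls "$1"); do
    sh -c "echo indexing $entry"
  done
}

# Hardened pattern: iterate with a glob (no word splitting), hand the name to
# the child shell as a positional parameter, and quote it there. The child
# parses 'echo indexing "$1"' before the name is substituted, so metacharacters
# in the name remain data. (Better still: exec the indexer directly with the
# name as an argument and never build a command string at all.)
hardened_index() {
  for path in "$1"/*/; do
    entry=$(basename "$path")
    sh -c 'echo indexing "$1"' _ "$entry"
  done
}

# Runs the named indexer over a constructed tree holding one benign
# subdirectory and one attacker-named subdirectory. Returns 0 if the injected
# command ran (the marker file "pwned" appeared), 1 if the name stayed data.
run_scenario() {
  work=$(mktemp -d) || return 2
  injected=1
  (
    cd "$work" || exit 2
    mkdir logdb logdb/traffic "logdb/x;id>pwned"   # constructed attacker name
    "$1" logdb >/dev/null 2>&1
    [ -f pwned ]
  ) && injected=0
  rm -rf "$work"
  return "$injected"
}

if run_scenario vulnerable_index; then
  echo "vulnerable_index: directory name was executed as a command"
else
  echo "vulnerable_index: no injection (unexpected)"
fi
if run_scenario hardened_index; then
  echo "hardened_index: directory name was executed as a command (unexpected)"
else
  echo "hardened_index: directory name handled as data"
fi
```

Run it with any POSIX shell. The difference is where parsing happens: the vulnerable loop lets the child shell parse attacker data as source, while the hardened loop parses a fixed string and substitutes the data afterwards. The better fix, which the comments point at, is not to build a command string at all; and none of it matters much if the process doing the listing runs as root when it does not need to.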

Complete firewall compromise: root code execution on a PAN-OS firewall provides:

  • Full visibility into all traffic the firewall inspects, including traffic it decrypts for inspection
  • The ability to modify firewall rules, routing and security policies, and to disable or blind logging
  • Access to every credential and configuration stored on the device (administrator password hashes, API keys, VPN and directory-integration secrets, certificates and private keys)
  • Persistence, either through the firewall configuration (new administrator accounts, permissive rules) or through the underlying OS, which a configuration review does not show

Attack Characteristics

Attribute         Detail
Attack Vector     Network; management web interface (HTTPS)
Authentication    None required for the chain
Impact            Root RCE on the firewall's underlying OS
Access Gained     Root shell and complete control of firewall configuration and policy

Discovery

Discovered by security researcher Philip Pettersson, who reported it to Palo Alto Networks and published a technical write-up of the three-bug chain after the fixed releases shipped in December 2017. The chain was subsequently weaponized and used by threat actors against management interfaces that remained reachable from the internet.

Exploitation Context

  • Perimeter firewalls as targets: Palo Alto Networks firewalls sit at the edge of government, defense and critical-infrastructure networks; a compromised perimeter firewall gives an adversary traffic interception and policy manipulation that a compromised host behind it cannot, and it is rarely covered by endpoint detection
  • State-sponsored edge-device campaigns: Chinese state-sponsored actors, notably Volt Typhoon (also tracked as BRONZE SILHOUETTE), are known to favor network edge devices, including Palo Alto Networks firewalls, for long-term access to US critical infrastructure; the years-long exploitation tail of CVE-2017-15944 fits the broader pattern of old edge-device bugs staying useful against unpatched, internet-exposed devices
  • Management interface exposure: the chain requires nothing but network reachability of the management interface, so organizations that exposed it to the internet, against Palo Alto Networks' long-standing guidance, were directly exploitable; exposed PAN-OS management ports are trivially found by internet-wide scanning
  • CISA KEV (2022): added August 18, 2022, confirming in-the-wild exploitation almost five years after the patch

Remediation

CISA BOD 22-01 Deadline: September 8, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Upgrade PAN-OS: update to PAN-OS 6.1.19, 7.0.19, 7.1.14 or 8.0.6 or later to close the chain. All of those release trains are long past end of life; the only defensible state today is a currently supported PAN-OS release, which also carries the fixes for the management-interface vulnerabilities found since 2017.

  2. Remove internet exposure of the management interface: the chain needs nothing but network reachability, so no PAN-OS management interface (the MGT port, or a data-plane interface with HTTPS management enabled) should be reachable from the internet; management should go through an out-of-band management network or a VPN:

    • Go to Device → Setup → Management → Management Interface Settings (Device → Setup → Interfaces → Management on PAN-OS 8.0)
    • Restrict "Permitted IP Addresses" to the management network and jump hosts only
    • Review every Interface Management profile (Network → Network Profiles → Interface Mgmt) and remove HTTPS and SSH from profiles bound to untrusted interfaces

  3. Restrict management access internally too: even on internal networks, limit management access to a defined set of administrator workstations and management servers, and treat the management network with the same care as domain controllers and other tier-0 assets.

  4. Monitor the management plane: alert on logins, configuration changes and commits from unexpected sources, on requests to management-interface endpoints that carry no valid administrator session, and on unexpected root-level process activity on the management plane; any of these may be post-exploitation activity.

  5. Hunt for compromise and rotate secrets: review PAN-OS system and configuration logs for unexpected administrative actions, configuration exports or management-interface access, and inspect the running configuration for administrator accounts, rules or scheduled jobs nobody recognizes. If the device was reachable from the internet while vulnerable, assume compromise: rotate all administrator credentials, API keys and certificates stored on it, contact Palo Alto Networks support, and rebuild the device from a known-good image rather than trusting a configuration-level cleanup, since a root-level implant survives configuration changes.

Key Details

Property              Value
CVE ID                CVE-2017-15944
Vendor / Product      Palo Alto Networks — PAN-OS
NVD Published         2017-12-11
NVD Last Modified     2025-10-22
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-78 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CISA KEV Added        2022-08-18
CISA KEV Deadline     2022-09-08
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     None
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2022-09-08. Apply updates per vendor instructions.

Timeline

Date        Event
2017-12-05  Palo Alto Networks releases PAN-OS 8.0.6, 7.1.14, 7.0.19 and 6.1.19 patching CVE-2017-15944
2017-12-11  CVE-2017-15944 published by NVD
2022-08-18  Added to CISA Known Exploited Vulnerabilities catalog
2022-09-08  CISA BOD 22-01 remediation deadline