What is Palo Alto Networks PAN-OS?
Palo Alto Networks PAN-OS is the operating system powering Palo Alto's next-generation firewalls (NGFW) and Panorama network management appliances. PAN-OS is one of the most widely deployed enterprise firewall platforms globally, handling network traffic inspection, URL filtering, threat prevention, and VPN services for thousands of enterprises and government agencies. Palo Alto firewalls are high-value targets both for direct exploitation and for being abused as amplification vectors in distributed denial-of-service attacks.
Overview
CVE-2022-0028 is a reflected amplification denial-of-service vulnerability (CWE-406, CVSS 3.1 8.6) in Palo Alto Networks PAN-OS. A URL filtering policy misconfiguration in the affected PAN-OS releases allows an unauthenticated network attacker to conduct reflected and amplified TCP denial-of-service (RDoS) attacks against targets of the attacker's choosing. The attacker does not compromise the firewall. Instead, it sends TCP packets to the firewall with the source address spoofed to the victim's IP, and the firewall's responses, larger than the requests that triggered them, are delivered to the victim. The resulting flood appears to originate from the firewall, which can obscure the attacker's identity and implicate the firewall's owner. The issue affects PA-Series hardware, VM-Series virtual, and CN-Series container firewalls; it does not affect Panorama M-Series or virtual appliances, and Palo Alto Networks fixed Cloud NGFW and Prisma Access without customer action. The score carries Scope: Changed because the availability impact lands on third parties rather than on the firewall owner.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| PAN-OS | 10.2 before 10.2.2-h2 | 10.2.2-h2 and later |
| PAN-OS | 10.1 before 10.1.6-h6 | 10.1.6-h6 and later |
| PAN-OS | 10.0 before 10.0.11-h1 | 10.0.11-h1 and later |
| PAN-OS | 9.1 before 9.1.14-h4 | 9.1.14-h4 and later |
| PAN-OS | 9.0 before 9.0.16-h3 | 9.0.16-h3 and later |
| PAN-OS | 8.1 before 8.1.23-h1 | 8.1.23-h1 and later |
The issue is exploitable only under a specific configuration: a URL filtering profile with one or more blocked categories assigned to a security rule whose source zone contains an external-facing interface. Palo Alto Networks describes this configuration as not typical for URL filtering and, where present, likely unintended by the administrator.
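To turn the table above into a check, here is an added example (not code from Palo Alto Networks or the advisory) that parses a PAN-OS version string, including the -hN hotfix suffix, and compares it against the first fixed release of its branch. The fixed releases are the advisory's; the parsing and ordering rules, and the choice to report branches the advisory does not list as unknown rather than safe, are this example's own assumptions.

```python
"""Compare a PAN-OS version against the CVE-2022-0028 fixed releases.

Added example, not from Palo Alto Networks. FIXED holds the advisory's first
fixed release per branch; the "-hN" hotfix ordering and the decision to report
branches outside the advisory as unknown (None) are this example's assumptions.
"""
import re

FIXED = {
    (10, 2): "10.2.2-h2",
    (10, 1): "10.1.6-h6",
    (10, 0): "10.0.11-h1",
    (9, 1): "9.1.14-h4",
    (9, 0): "9.0.16-h3",
    (8, 1): "8.1.23-h1",
}

# major.minor.maintenance with an optional -hN hotfix suffix, e.g. 10.1.6-h6
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(ver):
    """Return (major, minor, maint, hotfix); a base release has hotfix 0, so
    10.2.2 sorts below 10.2.2-h2 and 10.2.3 sorts above both."""
    m = _VERSION_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {ver!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_vulnerable(ver):
    """True if `ver` is below its branch's fix, False if at or above it, None if
    the branch is not in the advisory table (end-of-life branches need a
    separate look rather than being assumed safe)."""
    v = parse_version(ver)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return None
    return v < parse_version(fixed)


def triage(versions):
    """Map each version string to 'vulnerable', 'fixed' or 'unknown'."""
    labels = {True: "vulnerable", False: "fixed", None: "unknown"}
    return {ver: labels[is_vulnerable(ver)] for ver in versions}


if __name__ == "__main__":
    # Constructed inventory of sw-version values as reported by `show system info`.
    for ver, status in triage(["10.2.2", "10.2.2-h2", "9.1.14-h3", "11.0.0"]).items():
        print(f"{ver:12} {status}")
```

The version string to feed in is the `sw-version` line of `show system info` on the firewall CLI. Note that a base maintenance release (10.2.2) is below its own hotfix (10.2.2-h2), which is exactly the case this table turns on.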
Technical Details
The vulnerability (CWE-406: Insufficient Control of Network Message Volume, also called Network Amplification) is in the PAN-OS URL filtering component. When a URL filtering profile with blocked categories is applied to traffic arriving from an external-facing zone, the firewall answers connection attempts from the internet with a response larger than the request, and it does so for source addresses it has never validated.
An attacker sends TCP packets to the firewall with the source address set to the victim's IP. The response to each spoofed request goes to the victim rather than the attacker, and because the response is larger than the request, the attacker's bandwidth is amplified. The vendor's workarounds, which drop SYN packets that carry data, strip the TCP Fast Open option, and enable SYN cookies, point to the trigger being a request whose payload rides in the initial SYN, so URL filtering acts on it before any handshake could have shown the source address to be genuine. SYN cookies remove the amplification: until a client completes the three-way handshake, which a spoofed source cannot do, the firewall sends nothing larger than a SYN-ACK.
The attacker can spread spoofed requests over a single source or many compromised systems and across many reflectors, so the victim receives the aggregate amplified response traffic from every PAN-OS device involved. The firewall operator is not directly impacted (the device is not compromised, and the vendor states the issue does not affect the confidentiality, integrity, or availability of the product itself), but the device becomes an unwitting participant in an attack that appears to originate from it.
Discovery
Palo Alto Networks learned of the issue after a service provider identified an attempted reflected denial-of-service attack that took advantage of susceptible firewalls from multiple vendors, Palo Alto Networks among them. The finding was notable because it showed widely deployed enterprise security infrastructure being turned into a DDoS amplifier.
Exploitation Context
The abuse of network security devices as DDoS amplifiers represents a distinct threat model from traditional exploitation:
- The firewall owner may be unaware their device is being used in attacks against others
- Attackers can leverage the large installed base of PAN-OS firewalls to generate substantial aggregate attack traffic
- Organizations using affected PAN-OS versions may face legal or reputational risk if their infrastructure is used in attacks
- CISA added the CVE to its Known Exploited Vulnerabilities catalog on 2022-08-22, twelve days after the advisory, which records confirmed in-the-wild abuse of PAN-OS devices as reflectors
The Scope: Changed metric, read together with C:N/I:N/A:H, records that the only impact is to availability and that it falls on the attack's victims rather than on the PAN-OS operator.
Remediation
- Apply PAN-OS patches: Upgrade to the fixed release for your branch (10.2.2-h2, 10.1.6-h6, 10.0.11-h1, 9.1.14-h4, 9.0.16-h3, or 8.1.23-h1, or later) per Palo Alto's advisory.
- Remove the misconfiguration: Identify security rules that carry a URL filtering profile with blocked categories and whose source zone includes an external-facing interface. Blocking URL categories on traffic arriving from the internet is rarely intended; URL filtering belongs on the rules that govern outbound browsing from internal zones.
- Apply the vendor workaround until patched: On every security zone whose rules include a URL filtering profile, attach a Zone Protection profile with either (a) Packet Based Attack Protection > TCP Drop > TCP SYN with Data together with Strip TCP Options > TCP Fast Open, or (b) Flood Protection > SYN > Action > SYN Cookie with an activation threshold of 0 connections. Either option prevents a URL filtering response from being generated before the three-way handshake completes, which a spoofed source cannot do.
- Source address validation (BCP38): Ingress filtering stops reflection attacks at the networks where the spoofed packets originate. Deploying it on your own edge keeps your hosts from being the attacker's launch point, but it does not stop your firewall from reflecting spoofed packets that arrive from elsewhere; only the patch or the zone-protection workaround does that.
- Monitor for abuse: Review URL Filtering and Threat logs for bursts of block actions on rules whose source zone is external-facing, especially many hits attributed to a single source address (the spoofed victim), and compare outbound response volume against inbound request volume on the external interface.
- Stay on a supported release: Keep PAN-OS on a current supported release to continue receiving security fixes.
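The precondition spelled out under Technical Details and the first two remediation steps reduce to one question about the configuration: which security rules take traffic from an external-facing zone and apply a URL filtering profile that blocks categories? The following is an added example, not Palo Alto Networks code, that answers it from an exported PAN-OS XML configuration. It follows the running-config layout (zone, profiles/url-filtering, profile-group and rulebase/security/rules under each vsys entry), resolves profiles attached directly or through a profile group, skips disabled rules, and treats a source zone of "any" as exposed. The sample configuration and the assumption that the operator names the external-facing zones are constructed for the example.

```python
"""Find CVE-2022-0028's vulnerable configuration in a PAN-OS XML config export.

Added example, not Palo Alto Networks code. Element paths follow the PAN-OS
running-config layout under each vsys entry; SAMPLE_CONFIG and the list of
external-facing zones are constructed for this example.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one vsys, two zones, two URL filtering profiles, a
# profile group, and four security rules of which exactly one is exposed.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <zone>
    <entry name="untrust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
    <entry name="trust"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
  </zone>
  <profiles><url-filtering>
    <entry name="block-malware"><block><member>malware</member><member>phishing</member></block></entry>
    <entry name="alert-only"><alert><member>malware</member></alert></entry>
  </url-filtering></profiles>
  <profile-group>
    <entry name="strict"><url-filtering><member>block-malware</member></url-filtering></entry>
  </profile-group>
  <rulebase><security><rules>
    <entry name="inbound-web"><from><member>untrust</member></from><to><member>dmz</member></to>
      <profile-setting><group><member>strict</member></group></profile-setting></entry>
    <entry name="inbound-alert"><from><member>untrust</member></from><to><member>dmz</member></to>
      <profile-setting><profiles><url-filtering><member>alert-only</member></url-filtering></profiles></profile-setting></entry>
    <entry name="inbound-old"><disabled>yes</disabled><from><member>untrust</member></from><to><member>dmz</member></to>
      <profile-setting><profiles><url-filtering><member>block-malware</member></url-filtering></profiles></profile-setting></entry>
    <entry name="outbound-browsing"><from><member>trust</member></from><to><member>untrust</member></to>
      <profile-setting><profiles><url-filtering><member>block-malware</member></url-filtering></profiles></profile-setting></entry>
  </rules></security></rulebase>
</entry></vsys></entry></devices></config>
"""

VSYS_PATH = "./devices/entry/vsys/entry"


def members(node, path):
    """Text of every <member> under `path` relative to `node` ([] if node is None)."""
    if node is None:
        return []
    return [m.text.strip() for m in node.findall(f"{path}/member") if m.text]


def url_profiles_with_blocks(vsys):
    """Names of URL filtering profiles in this vsys that block at least one category."""
    return {p.get("name") for p in vsys.findall("./profiles/url-filtering/entry")
            if members(p, "./block")}


def rule_url_profiles(vsys, rule):
    """URL filtering profiles a rule applies, directly or via a profile group."""
    names = set(members(rule, "./profile-setting/profiles/url-filtering"))
    for grp in members(rule, "./profile-setting/group"):
        g = vsys.find(f"./profile-group/entry[@name='{grp}']")
        names.update(members(g, "./url-filtering"))
    return names


def find_exposed_rules(config_xml, external_zones):
    """Return [(rule_name, profile_name)] for enabled rules whose source zone is
    external-facing (or 'any') and whose URL filtering profile blocks categories,
    i.e. the configuration the advisory describes as exploitable."""
    root = ET.fromstring(config_xml.strip())
    external = set(external_zones)
    findings = []
    for vsys in root.findall(VSYS_PATH):
        blocking = url_profiles_with_blocks(vsys)
        for rule in vsys.findall("./rulebase/security/rules/entry"):
            if rule.findtext("disabled") == "yes":
                continue
            src = set(members(rule, "./from"))
            if "any" not in src and not (src & external):
                continue
            for prof in sorted(rule_url_profiles(vsys, rule) & blocking):
                findings.append((rule.get("name"), prof))
    return findings


if __name__ == "__main__":
    for rule, prof in find_exposed_rules(SAMPLE_CONFIG, ["untrust"]):
        print(f"rule {rule!r} applies blocking URL profile {prof!r} to external traffic")
```

On a real device the input is the output of `show config running` with `set cli config-output-format xml` in effect. The "any" check matters: a rule with source zone "any" exposes URL filtering to the internet just as surely as one that names the untrust zone, and the profile-group resolution catches the common case where URL filtering is attached indirectly through a group rather than as a direct profile.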
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2022-0028 |
| Vendor / Product | Palo Alto Networks — PAN-OS |
| NVD Published | 2022-08-10 |
| NVD Last Modified | 2025-11-04 |
| CVSS 3.1 Score | 8.6 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H |
| Severity | HIGH |
| CWE | CWE-406 (Insufficient Control of Network Message Volume) |
| CISA KEV Added | 2022-08-22 |
| CISA KEV Deadline | 2022-09-12 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | None |
| User Interaction (UI) | None |
| Scope (S) | Changed |
| Confidentiality (C) | None |
| Integrity (I) | None |
| Availability (A) | High |
Required Action
Apply updates per vendor instructions (CISA KEV, due 2022-09-12 under BOD 22-01).
Timeline
| Date | Event |
|---|---|
| 2022-08-10 | Palo Alto Networks published advisory; CVE published; fixed releases rolled out per branch, all scheduled no later than the week of 2022-08-15 |
| 2022-08-22 | CISA added to KEV |
| 2022-09-12 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2022-0028 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Palo Alto Networks Security Advisory CVE-2022-0028 | Vendor Advisory |