What is PAN-OS?
Palo Alto Networks PAN-OS is the operating system running on Palo Alto Networks next-generation firewalls (NGFWs) and Panorama centralized management servers, deployed at the network perimeter of enterprises, government agencies, and critical infrastructure worldwide. The PAN-OS management web interface provides full administrative control over firewall configuration, security policy, VPN services, and device management. Per Palo Alto's own hardening guidance, the management interface should never be internet-facing; however, thousands of devices expose it publicly, making it a perennial high-value target for initial access.
Overview
CVE-2024-0012 is an authentication bypass vulnerability in the PAN-OS management web interface that allows an unauthenticated remote attacker to perform any administrative action — including deploying web shells, modifying security policy, creating accounts, and exfiltrating firewall credentials. It was disclosed as an actively exploited zero-day on November 18, 2024, with CISA adding it to the KEV catalog the same day.
The vulnerability was almost always exploited in combination with CVE-2024-9474 (a privilege escalation from nobody to root, also a zero-day), creating an unauthenticated root-level code execution chain. Palo Alto Networks Unit 42 named the campaign Operation Lunar Peek, documenting post-exploitation web shell deployment on compromised internet-exposed management interfaces. The Known Ransomware Use flag in the key details below indicates subsequent ransomware deployment in at least some cases.
Affected Versions
| PAN-OS Version | Vulnerable | Fixed |
|---|---|---|
| 10.2.x | < 10.2.12-h2 | 10.2.12-h2 |
| 11.0.x | < 11.0.6-h1 | 11.0.6-h1 |
| 11.1.x | < 11.1.5-h1 | 11.1.5-h1 |
| 11.2.x | < 11.2.4-h1 | 11.2.4-h1 |
| Cloud NGFW | Not affected | — |
| Prisma Access | Not affected | — |
PAN-OS 10.1.x and earlier are also affected; users should upgrade to a supported branch.
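As an added example (not part of the advisory or any Palo Alto Networks tooling), the following Python helper encodes the Affected Versions table above and classifies inventory version strings, treating a missing hotfix suffix as older than any hotfix on the same maintenance release; the hostnames and inventory lines are constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed releases per branch, taken from the Affected Versions table.
FIXED = {(10, 2): "10.2.12-h2", (11, 0): "11.0.6-h1",
         (11, 1): "11.1.5-h1", (11, 2): "11.2.4-h1"}

# PAN-OS versions look like major.minor.maint with an optional -hN hotfix.
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(ver: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.maint[-hN]' into a comparable tuple; a missing
    hotfix suffix counts as 0, so 10.2.12 sorts below 10.2.12-h2."""
    m = _VER_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {ver!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)

def check(ver: str) -> Tuple[str, Optional[str]]:
    """Classify one version as (status, fixed release to upgrade to).
    10.1.x and earlier get no fix on their branch; branches the table
    does not list are reported as 'unknown' rather than assumed safe."""
    v = parse_version(ver)
    branch = v[:2]
    if branch in FIXED:
        fixed = FIXED[branch]
        status = "vulnerable" if v < parse_version(fixed) else "fixed"
        return status, fixed
    if branch < (10, 2):
        return "vulnerable-unsupported", None
    return "unknown", None

# Constructed sample inventory (hostname,version); not real devices.
SAMPLE_INVENTORY = """\
fw-edge-01,10.2.11-h3
fw-edge-02,10.2.12-h2
fw-dc-01,11.1.4
fw-legacy,10.1.14-h8
"""

def triage(inventory_csv: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """Run check() over every non-empty 'host,version' line."""
    results = {}
    for line in inventory_csv.splitlines():
        if line.strip():
            host, ver = line.split(",", 1)
            results[host] = check(ver)
    return results
```

Devices reported as "vulnerable-unsupported" have no patch on their branch and need a branch upgrade, not a hotfix.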
Technical Details
CWE-306 (Missing Authentication for Critical Function). The PAN-OS management web interface failed to enforce authentication for specific URI paths that invoke administrative functions. An attacker with network access to the management interface, regardless of credentials, can invoke these paths and execute arbitrary administrative operations with superuser-equivalent privileges.
The two-CVE chain (Operation Lunar Peek):
- CVE-2024-0012 — authentication bypass gives the attacker access to management functions running under the nobody OS user.
- CVE-2024-9474 (CWE-269, privilege escalation) — escalates from nobody to root via improper privilege management in a separate PAN-OS component.
With root access, attackers deployed persistent web shells to the device filesystem, exfiltrated firewall configurations and credential stores, and pivoted to internal networks protected by the compromised firewalls.
Discovery
The vulnerability was discovered and reported to Palo Alto Networks prior to the November 18, 2024 advisory. Unit 42 threat intelligence subsequently documented active exploitation and on November 22 published the Operation Lunar Peek campaign analysis detailing post-exploitation tradecraft.
Exploitation Context
Active zero-day exploitation was confirmed before advisory publication. Palo Alto Networks estimated that fewer than 0.5% of PAN-OS devices globally had internet-exposed management interfaces — still thousands of devices. Exploitation targeted this exposed population with web shell deployment for persistent access, credential exfiltration, and network reconnaissance. Post-compromise ransomware deployment was observed in some cases. Shodan and internet scanning services confirmed wide geographic distribution of vulnerable exposed interfaces across North America, Europe, and Asia-Pacific.
Remediation
- Apply fixed PAN-OS versions: 10.2.12-h2, 11.0.6-h1, 11.1.5-h1, or 11.2.4-h1 as appropriate.
- Immediately restrict management interface access to trusted internal IP addresses — the interface must never be internet-accessible.
- Conduct a compromise assessment: check for unexpected files in the management web root (web shells), unknown administrator accounts, modified cron jobs, and unusual outbound connections.
- Rotate all PAN-OS administrator credentials and API keys after patching.
- Review firewall configurations and API keys for any PAN-OS devices managed by the compromised firewall.
- Enable Threat Prevention signatures for CVE-2024-0012 and CVE-2024-9474 on any management traffic segments that cannot be immediately isolated.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2024-0012 |
| Vendor / Product | Palo Alto Networks — PAN-OS |
| NVD Published | 2024-11-18 |
| NVD Last Modified | 2025-11-04 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-306 |
| CISA KEV Added | 2024-11-18 |
| CISA KEV Deadline | 2024-12-09 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2024-11-18 | CVE published as actively exploited zero-day; Palo Alto Networks releases advisory and patches; CISA adds to KEV |
| 2024-11-22 | Palo Alto Networks Unit 42 names campaign 'Operation Lunar Peek'; confirms web shell deployment on compromised devices |
| 2024-12-09 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Palo Alto Networks Security Advisory — CVE-2024-0012 | Vendor Advisory |
| NVD — CVE-2024-0012 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |