CVE-2024-9474 — Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability

CVE-2024-9474

Palo Alto Networks PAN-OS — Admin-to-Root OS Command Injection; Second Half of Operation Lunar Peek Chain with CVE-2024-0012

What is PAN-OS?

PAN-OS is the operating system powering Palo Alto Networks next-generation firewalls and Panorama management appliances. Its web-based management interface is used by administrators to configure security policy, view traffic logs, and manage the device. When the management interface is exposed to untrusted networks, vulnerabilities in it represent direct attacks against the network's primary security control. PAN-OS firewalls are deployed by enterprises, government agencies, and critical infrastructure operators — compromising a PAN-OS device gives an attacker privileged access to the network's traffic inspection and policy enforcement plane.

Overview

CVE-2024-9474 is an OS command injection vulnerability in the PAN-OS web management interface that allows an authenticated PAN-OS administrator to execute arbitrary OS commands as root on the underlying system. On its own it requires administrator credentials, which is why it carries a CVSS 3.1 score of 7.2 (High) rather than a critical rating. In practice, though, it is the second stage of the "Operation Lunar Peek" exploit chain: CVE-2024-0012, an authentication bypass, grants an unauthenticated attacker administrator access to the management interface, and CVE-2024-9474 then turns that access into root-level OS command execution. Together the chain yields unauthenticated root remote code execution against any unpatched PAN-OS management interface the attacker can reach. Palo Alto Networks published advisories and fixes for both CVEs on November 18, 2024, and CISA added both to its Known Exploited Vulnerabilities (KEV) catalog the same day, reflecting active exploitation of the combined chain.

Affected Versions

PAN-OS Version   Vulnerable       Fixed
PAN-OS 10.2      < 10.2.12-h2     10.2.12-h2
PAN-OS 11.0      < 11.0.6-h1      11.0.6-h1
PAN-OS 11.1      < 11.1.5-h1      11.1.5-h1
PAN-OS 11.2      < 11.2.4-h1      11.2.4-h1

Cloud NGFW and Prisma Access are not affected.

Technical Details

CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The PAN-OS web management interface contains a PHP component that passes admin-supplied input into a shell command line without adequate sanitization, so shell metacharacters in that input are interpreted as command syntax by a process running as root. When chained with CVE-2024-0012 (an authentication bypass that grants unauthenticated access to the admin interface), the combined exploit proceeds in two stages:

  1. CVE-2024-0012 — An unauthenticated request to the management interface impersonates a privileged user, bypassing authentication entirely and gaining admin-level access.
  2. CVE-2024-9474 — The admin-level session injects OS commands into a PHP-executed shell command, elevating from admin-panel access to root-level OS command execution on the underlying PAN-OS Linux system.

Root OS access on a firewall enables: disabling security policies, exfiltrating firewall configuration (including VPN credentials and keys), installing persistent backdoors, and using the firewall as a pivot point into the protected network. Palo Alto Networks confirmed webshell installation and interactive backdoors were observed on compromised firewalls during Operation Lunar Peek.
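The pattern in stage 2 is the classic CWE-78 shape: a value only an administrator can supply is interpolated into a command line that a shell parses, so the trust placed in "admin" input becomes root command execution. The following is an added illustration of that pattern and of its fix, written for this page in Python; it is not PAN-OS code and does not reproduce the real PAN-OS endpoint. The handler name, the allowlist pattern and the wrapped command (a harmless echo, so the effect is visible in the output) are assumptions made for the demonstration.

```python
"""Admin-to-root OS command injection (CWE-78): the pattern and its fix.

Added example for this page; it is not PAN-OS code and does not reproduce the
real PAN-OS endpoint. The handler name, the allowlist and the wrapped command
(a harmless echo) are assumptions made for the demonstration.
"""
import re
import subprocess

# Account names are the only legitimate input to this hypothetical handler.
_SAFE_USERNAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def start_session_vulnerable(username: str) -> str:
    """Vulnerable: an administrator-controlled value is spliced into a string
    that /bin/sh parses, so ';', '|', '&&', '$(...)' and backticks become
    command syntax. On an appliance where this process runs as root, whatever
    follows the ';' runs as root too."""
    cmd = f"echo starting session for {username}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def start_session_fixed(username: str) -> str:
    """Fixed: validate against an allowlist first, then execute with an argv
    list so no shell is involved and the value is a single literal argument."""
    if not _SAFE_USERNAME.match(username):
        raise ValueError(f"rejected username: {username!r}")
    argv = ["echo", "starting session for", username]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def argv_only(username: str) -> str:
    """What argv execution alone buys: even with no validation at all, the
    shell metacharacters are passed through as data and never interpreted."""
    return subprocess.run(["echo", username], capture_output=True, text=True).stdout


def demo() -> dict:
    """Run the same injection payload through all three paths."""
    payload = "alice; echo INJECTED as uid $(id -u)"
    result = {"vulnerable": start_session_vulnerable(payload)}
    try:
        result["fixed"] = start_session_fixed(payload)
    except ValueError as exc:
        result["fixed"] = f"blocked: {exc}"
    result["argv_only"] = argv_only(payload)
    return result


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"--- {name}\n{out.rstrip()}")
```

The vulnerable path prints the injected line (and evaluates `$(id -u)` in the process), the fixed path rejects the payload before anything executes, and the argv-only path shows that the second layer holds even if validation were bypassed. In PHP, the language of the affected PAN-OS component, the same split applies: string execution through `shell_exec()` or `exec()` is the hazard, and `escapeshellarg()` on every interpolated value together with input validation is the analogue of the argv approach.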

Discovery

CVE-2024-9474 was identified in the course of Operation Lunar Peek, the exploitation campaign tracked by Palo Alto Networks Unit 42 and Volexity. Unit 42 published its threat intelligence on the campaign alongside the patches, detailing observed post-exploitation activity including webshell installation.

Exploitation Context

Operation Lunar Peek targeted PAN-OS management interfaces exposed to the internet, a configuration Palo Alto Networks explicitly warns against. The threat actor installed webshells for persistent access, enumerated internal network resources, and attempted lateral movement. Palo Alto Networks described the exploitation it observed as limited, but internet-wide scanning by the Shadowserver Foundation identified roughly 2,000 compromised firewalls, and CISA's KEV entry flags the vulnerability as used in ransomware campaigns. Given the firewall's role as the network's primary policy enforcement point, this chain ranks among the most severe PAN-OS vulnerabilities to date.

Remediation

  1. Upgrade to a fixed PAN-OS release for your train: 10.2.12-h2, 11.0.6-h1, 11.1.5-h1, or 11.2.4-h1. The same releases fix both CVE-2024-0012 and CVE-2024-9474.
  2. Restrict management interface access to a permitted list of trusted internal IP addresses, ideally reached only through a dedicated management network or jump host. This is the most important compensating control: the chain depends on the attacker reaching the management interface, which must never be internet-accessible.
  3. If the management interface was reachable from the internet before patching, treat the device as potentially compromised: look for webshells and unexpected files, review the configuration for unauthorized changes (new administrator accounts, modified NAT or routing rules, disabled or newly added security policies), check the system and configuration logs for logins and commits from unexpected sources, and inspect outbound connections for C2 beaconing.
  4. Rotate every secret stored in the firewall configuration, since root access exposes all of it: VPN pre-shared keys, RADIUS secrets, LDAP bind passwords, API keys, and administrator passwords.
  5. See also CVE-2024-0012, the authentication bypass that makes this vulnerability exploitable without credentials.
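A quick way to turn step 1 into something auditable across a fleet is to compare each device's reported software version against the fixed releases in the Affected Versions table. The following script is an added example written for this page, not a Palo Alto Networks tool. It assumes PAN-OS version strings of the form major.minor.maintenance with an optional -hN hotfix suffix (e.g. "10.2.12-h2"); the `show system info` request and the X-PAN-KEY header follow the PAN-OS XML API, and the embedded response is a constructed sample trimmed to the fields the script reads.

```python
"""Compare PAN-OS software versions against the fixed releases for CVE-2024-9474.

Added example for this page, not Palo Alto Networks code. Assumptions: version
strings have the form major.minor.maintenance with an optional -hN hotfix
suffix (e.g. "10.2.12-h2"); the embedded XML is a constructed sample in the
shape of a `show system info` response from the PAN-OS XML API.
"""
import re
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Fixed releases from the Affected Versions table above, keyed by release train.
FIXED_RELEASES = {
    (10, 2): "10.2.12-h2",
    (11, 0): "11.0.6-h1",
    (11, 1): "11.1.5-h1",
    (11, 2): "11.2.4-h1",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """"11.1.5-h1" -> (11, 1, 5, 1). A base release without a hotfix gets
    hotfix 0, so 11.1.5 sorts below 11.1.5-h1. That comparison is the one
    that matters here: the fixes shipped as hotfix rebuilds of existing
    maintenance releases, so the base release is still vulnerable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def assess(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'not-listed' for one version string.
    'not-listed' means the release train is absent from the table on this
    page; treat it as "consult the vendor advisory", not as safe."""
    v = parse_version(version)
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is None:
        return "not-listed"
    return "vulnerable" if v < parse_version(fixed) else "fixed"


def sw_version_from_system_info(xml_text: str) -> Optional[str]:
    """Pull <sw-version> out of a `show system info` XML API response."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        return None
    node = root.find("./result/system/sw-version")
    return node.text.strip() if node is not None and node.text else None


def fetch_system_info(host: str, api_key: str) -> str:
    """Run `show system info` through the XML API. Not exercised by the
    offline demo: it needs network reachability and a valid API key, and it
    should be run from a host on the management network, never by exposing
    the management interface more widely."""
    cmd = "<show><system><info></info></system></show>"
    url = f"https://{host}/api/?" + urllib.parse.urlencode({"type": "op", "cmd": cmd})
    req = urllib.request.Request(url, headers={"X-PAN-KEY": api_key})
    with urllib.request.urlopen(req, timeout=15) as resp:  # TLS verification stays on
        return resp.read().decode("utf-8")


# Constructed sample response, trimmed to the fields this script reads.
SAMPLE_SYSTEM_INFO = """<response status="success"><result><system>
<hostname>fw-edge-01</hostname>
<model>PA-3260</model>
<sw-version>10.2.10-h9</sw-version>
</system></result></response>"""


def main() -> None:
    reported = sw_version_from_system_info(SAMPLE_SYSTEM_INFO)
    print(f"sample device reports {reported}: {assess(reported)}")
    for v in ("10.2.12", "10.2.12-h2", "11.1.5", "11.1.5-h1", "11.2.5", "9.1.19"):
        print(f"{v:<12} {assess(v)}")


if __name__ == "__main__":
    main()
```

The comparison treats the hotfix number as the least significant component, which is what makes "10.2.12" report as vulnerable while "10.2.12-h2" reports as fixed; a naive string comparison would get the base release wrong. Anything on a train the table does not cover comes back as not-listed rather than fixed, so a fleet report cannot accidentally mark an unknown release as safe.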

Key Details

Property                 Value
CVE ID                   CVE-2024-9474
Vendor / Product         Palo Alto Networks — PAN-OS
NVD Published            2024-11-18
NVD Last Modified        2025-11-04
CVSS 3.1 Score           7.2
CVSS 3.1 Vector          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Severity                 HIGH
CWE                      CWE-78
CISA KEV Added           2024-11-18
CISA KEV Deadline        2024-12-09
Known Ransomware Use     Yes

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   High
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2024-12-09. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. Additionally, the management interfaces for affected devices should not be exposed to untrusted networks, including the internet.

Timeline

Date          Event
2024-11-18    Palo Alto Networks releases patches for both CVE-2024-0012 and CVE-2024-9474; CISA adds both to KEV the same day, confirming active exploitation as a chained pair
2024-12-09    CISA BOD 22-01 remediation deadline