PAN-OS XML API Privilege Escalation Vulnerability (CVE-2024-9471) Advisory

Key Information Vulnerability Description CVE Number: CVE-2024-9471 Vulnerability Type: Privilege Escalation (PE) Vulnerability in XML API Affected Product: PAN-OS Affected Versions: - PAN-OS 11.1 - PAN-OS 11.0 - PAN-OS 10.2 - PAN-OS 10.1 - PAN-OS 9.1 - PAN-OS 9.0 - Prisma Access Vulnerability Impact Severity: MEDIUM CVSSv4.0 Base Score: 5.1 Exploitation Status: Palo Alto Networks is not aware of any malicious exploitation of this issue. Resolution Fixed Versions: - PAN-OS 10.1.11 - PAN-OS 10.2.8 - PAN-OS 11.0.3 - All subsequent versions Workarounds and Mitigations Mitigations: - Follow best practices for administrative access in PAN-OS technical documentation: - Each XML API key should be associated with a specific user. XML API keys should not be shared between users. Acknowledgments Thanks: - Palo Alto Networks thanks the external researcher for discovering and reporting this issue. Timeline 2024-10-10: - Described the impact and noted that XML API keys should not be shared between users 2024-10-10: - Initial release Additional Information Product Status: - Affected: - Cloud NGFW - PAN-OS 11.1 - PAN-OS 11.0 - PAN-OS 10.2 - PAN-OS 10.1 - PAN-OS 9.1 - PAN-OS 9.0 - Prisma Access - Unaffected: - All other versions References: - PAN-217511 - PAN-152631 Additional Notes Disclaimer: - Copyright and Use Terms - Privacy Policy - Product Security Assurance and Vulnerability Disclosure Policy - Report a Vulnerability - Manage Subscription Copyright © 2024 Palo Alto Networks, Inc. All rights reserved.

Goal Reached Thanks to every supporter — we hit 100%!

PAN-OS XML API Privilege Escalation Vulnerability (CVE-2024-9471) Advisory