Update (11/18/2024): A follow-up bulletin has been published with new updates. Please refer to our updated bulletin for the most current information.
On November 14, 2024, Palo Alto Networks (PAN) revealed that a critical unauthenticated remote command execution vulnerability is being actively exploited against internet-exposed firewall management interfaces. According to their security advisory, Prisma Access and Cloud NGFW are not impacted by this issue. A CVE has not yet been assigned to the vulnerability.
No official patch is currently available. To mitigate the risk, PAN strongly advises customers to secure their management interfaces by restricting access to trusted internal IP addresses and ensuring they are not exposed to the internet. Limiting access to specific IPs significantly reduces the risk of exploitation. In these cases, the vulnerability is reclassified as high severity (CVSS 7.5), as a threat actor would need prior privileged access to the permitted IPs.
Threat actors are likely to quickly develop proof-of-concept exploits and target this vulnerability due to the significant access they could gain by compromising a publicly exposed firewall, especially given the lack of an available patch. PAN products have historically been attractive targets, with one notable instance earlier this year where threat actors targeted the GlobalProtect feature of PAN-OS.
Recommendation
Secure Management Interface
Arctic Wolf strongly advises customers to secure their management interfaces by restricting access to trusted internal IP addresses and blocking access from the internet.
To assist with this, customers can identify publicly exposed assets (tagged with PAN-SA-2024-0015) and take appropriate action if any are found. This can be done by navigating to https://support.paloaltonetworks.com and following the path: Products → Assets → All Assets → Remediation Required.
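The control above is simple to state but easy to get wrong in a large estate: a single firewall with an empty permitted-IP list, or one that allows 0.0.0.0/0, leaves the management interface reachable from anywhere. The following is an added example, not code from the original bulletin, Arctic Wolf, or Palo Alto Networks; it audits a constructed inventory of firewall names and their management-interface permitted-IP entries and flags any device whose allow list is not limited to trusted internal ranges. It assumes that an empty permitted-IP list means no restriction, and the inventory format and RFC 1918 trust ranges are assumptions you would replace with your own source of truth.

```python
import ipaddress

# Constructed sample inventory: firewall name -> permitted-IP entries for the
# management interface. The format is hypothetical, not a PAN-OS export.
SAMPLE_INVENTORY = {
    "fw-branch-01": ["10.20.0.0/24", "10.20.1.5"],
    "fw-dc-02": ["0.0.0.0/0"],
    "fw-edge-03": ["203.0.113.10", "10.30.0.0/16"],
    "fw-lab-04": [],
}

# Assumption: only RFC 1918 space is an acceptable management source range.
TRUSTED_MGMT_RANGES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def classify_entry(entry: str) -> str:
    """Classify one permitted-IP entry as 'trusted', 'any', or 'untrusted'.

    A bare address is treated as a /32 (or /128) host network.
    """
    net = ipaddress.ip_network(entry, strict=False)
    if net.prefixlen == 0:
        # 0.0.0.0/0 or ::/0 permits every source: equivalent to no restriction.
        return "any"
    for trusted in TRUSTED_MGMT_RANGES:
        # subnet_of() raises on mixed IPv4/IPv6, so compare only same-version networks.
        if net.version == trusted.version and net.subnet_of(trusted):
            return "trusted"
    return "untrusted"


def audit_permitted_ips(inventory: dict) -> dict:
    """Return one finding per firewall.

    'no-restriction' : empty permitted-IP list (assumed to allow any source)
    'any'            : an entry covering all addresses
    'untrusted'      : at least one entry outside the trusted ranges
    'ok'             : every entry falls within a trusted range
    """
    findings = {}
    for name, entries in inventory.items():
        if not entries:
            findings[name] = "no-restriction"
            continue
        kinds = {classify_entry(e) for e in entries}
        if "any" in kinds:
            findings[name] = "any"
        elif "untrusted" in kinds:
            findings[name] = "untrusted"
        else:
            findings[name] = "ok"
    return findings


if __name__ == "__main__":
    for fw, finding in sorted(audit_permitted_ips(SAMPLE_INVENTORY).items()):
        marker = "" if finding == "ok" else "  <-- remediation required"
        print(f"{fw}: {finding}{marker}")
```

Anything other than "ok" is a device whose management interface should be moved behind the trusted ranges before it is considered mitigated; the "any" and "no-restriction" results are the cases that match the internet-exposed condition the bulletin warns about.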