PAN-OS: Authenticated Admin Command Injection Vulnerability in PAN-OS VM-Series
A command injection vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to bypass system restrictions and run arbitrary commands as a root user. This issue is only applicable to PAN-OS VM-Series. This issue does not affect firewalls that are already deployed.
Cloud NGFW and Prisma® Access are not affected by this vulnerability.
VersionMinor VersionSuggested SolutionPAN-OS 11.2 on VM-Series
No action needed
PAN-OS 11.1 on VM-Series
No action needed
PAN-OS 11.0 on VM-Series
11.0.0 through 11.0.3
Upgrade to 11.0.4 or later
PAN-OS 10.2 on VM-Series
10.2.0 through 10.2.8
Upgrade to 10.2.9 or later
PAN-OS 10.1 on VM-Series
10.1.0 through 10.1.14
Upgrade to 10.1.14-h13 or later
PAN-OS on non VM-Series platforms
No action neededAll other older unsupported PAN-OS versions
Upgrade to a supported fixed version
PAN-OS 11.0 is EoL. We listed it in this section for completeness because we added a patch for PAN-OS 11.0 before it reached EoL. If you are running PAN-OS 11.0 in any of your firewalls, we strongly recommend that you upgrade from this EoL vulnerable version to a fixed version.
Configurations
No special configuration is required to be affected by this issue.
Workarounds
No workaround or mitigation is available.
Exploits
Palo Alto Networks is not aware of any malicious exploitation of this issue.