Skip to main content
CVE Vulnerability Database

CVE-2024-0008: PAN-OS Auth Bypass Vulnerability

CVE-2024-0008 is an authentication bypass flaw in Palo Alto Networks PAN-OS where web sessions fail to expire properly, enabling unauthorized access to the management interface. This article covers technical details, impact, and fixes.

Published:

CVE-2024-0008 Overview

CVE-2024-0008 affects the web-based management interface of Palo Alto Networks PAN-OS software. Web sessions in the management interface do not expire under certain conditions, leaving authenticated sessions active beyond their intended lifetime. An attacker who obtains access to a previously authenticated session can reuse it to access the firewall management plane without re-authenticating.

The weakness is classified under [CWE-613] Insufficient Session Expiration. Palo Alto Networks published the advisory on February 14, 2024, and tracks the issue in multiple PAN-OS branches including 9.0, 10.0, and 10.1.

Critical Impact

Persistent web sessions in PAN-OS allow unauthorized access to the firewall management interface, exposing security policy, configuration, and traffic inspection controls to compromise.

Affected Products

  • Palo Alto Networks PAN-OS 9.0 (including 9.0.17 and 9.0.17-h1)
  • Palo Alto Networks PAN-OS 10.0 (including 10.0.12)
  • Palo Alto Networks PAN-OS 10.1 (including 10.1.10)

Discovery Timeline

  • 2024-02-14 - CVE-2024-0008 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-0008

Vulnerability Analysis

The flaw resides in how the PAN-OS web management interface handles session lifecycle events. Under specific conditions, the session token issued to an administrator remains valid even after the expected expiration boundary. The management interface does not enforce server-side invalidation, which means a captured session identifier can continue to authenticate requests.

An attacker who obtains a session token through theft, browser artifacts, shared workstation reuse, or proxy interception can submit authenticated API and UI requests. Because the management plane controls firewall policy, NAT rules, decryption, and logging, session reuse maps directly to administrative compromise. User interaction is required for exploitation, which aligns with scenarios where an administrator authenticates and the session persists on a reachable system.

Root Cause

The root cause is improper session lifetime enforcement in the management web application. PAN-OS fails to consistently invalidate session state on the server side when expiration conditions are reached, leaving the session usable from any client presenting the token.

Attack Vector

Exploitation occurs over the network against the PAN-OS management interface. The attacker does not need valid credentials but does need access to a session artifact established by a legitimate administrator. Organizations exposing the management interface to broad networks increase the practical attack surface for session capture and reuse.

No verified public proof-of-concept code is associated with this CVE. The vulnerability is described in prose by the vendor advisory rather than through a published exploit.

Detection Methods for CVE-2024-0008

Indicators of Compromise

  • Administrative actions in PAN-OS audit logs that occur outside normal change windows or from unexpected source addresses.
  • Re-use of the same session identifier from multiple distinct client IP addresses or user-agent strings.
  • Configuration commits, policy edits, or user additions performed without a corresponding fresh login event in authentication logs.

Detection Strategies

  • Correlate PAN-OS management plane authentication events with subsequent administrative actions to identify session activity without a recent login.
  • Alert on management interface access from IP ranges that have not historically administered the firewall.
  • Review session duration metrics and flag sessions exceeding the configured idle or absolute timeout.

Monitoring Recommendations

  • Forward PAN-OS system, configuration, and authentication logs to a centralized logging platform for retention and correlation.
  • Monitor for changes to administrator accounts, API keys, and management profiles that may indicate post-session-hijack persistence.
  • Track administrative API calls per session token to identify abnormal reuse patterns.

How to Mitigate CVE-2024-0008

Immediate Actions Required

  • Upgrade PAN-OS to a fixed version as listed in the Palo Alto Networks CVE-2024-0008 Advisory.
  • Restrict access to the PAN-OS management interface to dedicated administrative networks or jump hosts.
  • Force logout of all active administrator sessions and rotate API keys after applying the patch.

Patch Information

Palo Alto Networks has released fixed builds across the affected branches. Refer to the Palo Alto Networks CVE-2024-0008 Advisory for the specific minimum fixed versions for PAN-OS 9.0, 10.0, and 10.1, and plan upgrades accordingly.

Workarounds

  • Limit management interface exposure using permitted IP address lists and out-of-band management networks.
  • Enforce shorter idle and absolute session timeouts in administrator authentication profiles.
  • Require multi-factor authentication for all administrative accounts to reduce the value of a hijacked session.
  • Use individual administrator accounts and avoid shared browsers or workstations for PAN-OS management.
bash
# Example PAN-OS CLI: restrict management interface and tighten session timeouts
set deviceconfig system permitted-ip 10.10.0.0/24
set mgt-config users admin authentication-profile mfa-profile
set deviceconfig setting management idle-timeout 10
commit

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.