CVE-2024-0012 Overview
CVE-2024-0012 is an authentication bypass vulnerability in Palo Alto Networks PAN-OS software. An unauthenticated attacker with network access to the management web interface can gain PAN-OS administrator privileges. With those privileges, attackers can perform administrative actions, tamper with configuration, or chain to authenticated privilege escalation flaws such as CVE-2024-9474. The vulnerability affects PAN-OS 10.2, 11.0, 11.1, and 11.2. Cloud NGFW and Prisma Access are not impacted. CISA added CVE-2024-0012 to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild.
Critical Impact
Unauthenticated remote attackers can seize full administrator control of PAN-OS firewalls exposed through the management web interface and chain to CVE-2024-9474 for root-level command execution.
Affected Products
- Palo Alto Networks PAN-OS 10.2 (multiple maintenance and hotfix releases)
- Palo Alto Networks PAN-OS 11.0 and PAN-OS 11.1 (multiple maintenance and hotfix releases)
- Palo Alto Networks PAN-OS 11.2 (releases 11.2.0 through 11.2.4)
Discovery Timeline
- 2024-11-18 - CVE-2024-0012 published to NVD
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2024-0012
Vulnerability Analysis
CVE-2024-0012 is an authentication bypass classified under [CWE-306] Missing Authentication for Critical Function. The flaw resides in the PAN-OS management web interface and allows network-reachable attackers to bypass authentication checks entirely. Once bypassed, the attacker operates with the privileges of a PAN-OS administrator.
The vulnerability becomes especially dangerous when chained with CVE-2024-9474, an authenticated command injection flaw. Researchers at watchTowr Labs and Palo Alto Networks Unit 42 documented active exploitation chains that combine both issues to achieve unauthenticated remote root command execution on affected appliances.
Root Cause
The management web interface fails to enforce authentication on a critical request path. Requests that should require valid administrator credentials are processed as if the user were authenticated, granting access to administrative functionality without verification.
Attack Vector
The attack vector is purely network-based and requires no privileges or user interaction. An attacker sends crafted HTTP requests to the PAN-OS management web interface. If the interface is reachable from the attacker's network position, the requests grant administrative session context. From there, attackers modify firewall configuration, exfiltrate secrets, create persistent accounts, or pivot to CVE-2024-9474 for OS-level command execution as root.
No verified public exploit code is included here. Refer to the Palo Alto Networks advisory for CVE-2024-0012 and the Unit 42 technical analysis for technical details on observed exploitation patterns.
Detection Methods for CVE-2024-0012
Indicators of Compromise
- Unexpected administrator accounts, API keys, or session tokens created on PAN-OS devices
- HTTP requests to management interface paths returning successful responses without preceding authentication events in logs
- Configuration changes, commits, or exports from unfamiliar source IP addresses
- Outbound connections from the firewall management plane to attacker-controlled infrastructure following CVE-2024-9474 chaining
Detection Strategies
- Inspect PAN-OS system and configuration logs for administrator actions that lack a corresponding successful authentication event
- Correlate web server access logs from the management interface against authentication audit logs to surface anomalous unauthenticated access
- Hunt for new or modified administrator accounts, scheduled jobs, and custom scripts on PAN-OS devices
- Apply CISA KEV-aligned monitoring given that CVE-2024-0012 is listed in the CISA Known Exploited Vulnerabilities Catalog
Monitoring Recommendations
- Restrict and log all source IPs that reach the management web interface, alerting on any non-allowlisted source
- Forward PAN-OS management plane logs to a centralized SIEM or data lake for long-term retention and correlation
- Continuously verify that the management interface is not exposed to the public internet through external attack surface scans
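As an added example (not from the page or from Palo Alto Networks), the following Python correlates constructed, simplified management-plane events against an assumed permitted-ip allowlist and an assumed session window, flagging the two conditions the detection and monitoring lists above describe: admin actions from non-allowlisted sources, and admin actions with no preceding successful authentication from the same source IP. The record layout, IP addresses, user names and the two-hour window are assumptions, not PAN-OS's native log format.

```python
from datetime import datetime, timedelta

# Constructed sample events (timestamp, source IP, admin, event). "auth-success"
# stands in for a system-log login event; the rest stand in for config-log entries.
SAMPLE_EVENTS = [
    ("2024-11-18T09:00:05", "10.0.0.15",   "admin",  "auth-success"),
    ("2024-11-18T09:00:40", "10.0.0.15",   "admin",  "config-change"),
    ("2024-11-18T09:01:10", "10.0.0.15",   "admin",  "commit"),
    # No auth-success precedes these, and the source is not allowlisted:
    ("2024-11-18T11:22:03", "203.0.113.7", "admin",  "account-create"),
    ("2024-11-18T11:22:09", "203.0.113.7", "admin",  "commit"),
    # Allowlisted source, but no login recorded within the window:
    ("2024-11-18T15:45:00", "10.0.0.22",   "netops", "config-change"),
]

MGMT_ALLOWLIST = {"10.0.0.15", "10.0.0.22"}  # assumed permitted-ip set
AUTH_WINDOW = timedelta(hours=2)              # assumed admin session lifetime
ADMIN_ACTIONS = {"config-change", "commit", "account-create", "export"}

def find_suspicious(events, allowlist=MGMT_ALLOWLIST, window=AUTH_WINDOW):
    """Return (event, reason) pairs for admin actions that come from a
    non-allowlisted source or lack a preceding auth-success from the same
    source IP within `window`. One event can yield both reasons."""
    last_auth = {}  # source IP -> time of most recent successful login
    findings = []
    for ts, src, user, action in sorted(events):
        t = datetime.fromisoformat(ts)
        if action == "auth-success":
            last_auth[src] = t
            continue
        if action not in ADMIN_ACTIONS:
            continue
        if src not in allowlist:
            findings.append(((ts, src, user, action), "source not allowlisted"))
        auth_t = last_auth.get(src)
        if auth_t is None or t - auth_t > window:
            findings.append(((ts, src, user, action), "no preceding auth-success"))
    return findings

if __name__ == "__main__":
    for ev, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"{ev[0]} {ev[1]:>13} {ev[2]:<7} {ev[3]:<14} -> {reason}")
```

Against the constructed sample the script reports five findings: two for each of the two events from 203.0.113.7 and one for the 10.0.0.22 change that has no login behind it.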
How to Mitigate CVE-2024-0012
Immediate Actions Required
- Upgrade PAN-OS to a fixed release listed in the Palo Alto Networks advisory for CVE-2024-0012
- Remove all internet exposure of the PAN-OS management web interface immediately
- Restrict management interface access to a small set of trusted internal IP addresses per Palo Alto Networks best practice deployment guidance
- Audit PAN-OS administrator accounts, API keys, and recent configuration changes for signs of tampering
Patch Information
Palo Alto Networks has released fixed versions across PAN-OS 10.2, 11.0, 11.1, and 11.2. Administrators should consult the vendor advisory at security.paloaltonetworks.com/CVE-2024-0012 for the specific fixed release that maps to their deployed train. Cloud NGFW and Prisma Access deployments are not affected and require no action.
Workarounds
- Limit management interface access to trusted internal IP addresses through a dedicated management network or jump host
- Block all inbound traffic to the management interface from untrusted zones at upstream firewalls
- Enforce out-of-band management access using VPN or zero-trust network access controls
- Disable the web management interface where command-line management is operationally sufficient
# Configuration example: restrict management interface access in PAN-OS
# Enter configuration mode, then permit only the management subnet and one jump host.
# Note: with no permitted-ip entries configured, PAN-OS accepts management connections from any source.
configure
set deviceconfig system permitted-ip 10.0.0.0/24
set deviceconfig system permitted-ip 192.168.10.5/32
commit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.