CVE-2024-9468 Overview
CVE-2024-9468 is a memory corruption vulnerability in Palo Alto Networks PAN-OS software. An unauthenticated remote attacker can send a crafted packet through the data plane to crash the firewall, producing a denial of service (DoS) condition. Repeated exploitation attempts force PAN-OS into maintenance mode, requiring manual intervention to restore normal operation. The flaw is tracked under [CWE-787] (Out-of-Bounds Write) and affects multiple PAN-OS 10.2 and 11.0 release trains. Palo Alto Networks published its advisory on October 9, 2024.
Critical Impact
An unauthenticated network attacker can disrupt firewall availability and drive PAN-OS into maintenance mode, breaking perimeter enforcement and inbound/outbound traffic policies for protected networks.
Affected Products
- Palo Alto Networks PAN-OS 10.2 (multiple maintenance releases including 10.2.4 through 10.2.10 and associated hotfixes)
- Palo Alto Networks PAN-OS 11.0 (including 11.0.4 and hotfixes h1, h2)
- PAN-OS firewall appliances exposing the data plane to untrusted networks
Discovery Timeline
- 2024-10-09 - CVE-2024-9468 published to the National Vulnerability Database
- 2024-10-09 - Palo Alto Networks publishes the CVE-2024-9468 advisory
- 2025-12-01 - Last updated in NVD database
Technical Details for CVE-2024-9468
Vulnerability Analysis
The vulnerability resides in the PAN-OS data plane, which handles packet processing for transit traffic on Palo Alto Networks firewalls. A malformed or crafted packet triggers memory corruption in the data plane process, causing it to crash. Because the data plane is responsible for inspection and forwarding, a crash interrupts traffic flow through the device.
The condition does not require authentication, valid session state, or user interaction. The attacker only needs network reachability to a data plane interface accepting the affected packet type. Repeated exploitation transitions PAN-OS into maintenance mode, a recovery state that disables normal forwarding and requires administrator action to exit.
The issue is classified as [CWE-787] Out-of-Bounds Write, indicating that input parsing writes outside the bounds of an allocated buffer. While the CVSS impact metrics describe only availability impact, out-of-bounds writes can in some cases be leveraged for more severe outcomes; Palo Alto Networks has scoped this issue to denial of service.
Root Cause
The root cause is improper bounds checking during parsing of attacker-controlled fields in a network packet processed by the data plane. The flawed parser writes beyond the intended buffer, corrupting adjacent memory and inducing a process crash. See the vendor advisory for affected component details.
Attack Vector
The attack vector is network-based. An attacker sends a single crafted packet to any interface where the affected data plane code path is reachable. No credentials, prior compromise, or social engineering are needed. Sustained packet delivery keeps the firewall in maintenance mode, denying availability of perimeter security controls.
// No public proof-of-concept code is available for CVE-2024-9468.
// Refer to the Palo Alto Networks advisory for technical context:
// https://security.paloaltonetworks.com/CVE-2024-9468
Detection Methods for CVE-2024-9468
Indicators of Compromise
- Unexpected PAN-OS data plane process restarts or core dumps recorded in system logs
- Firewall transitioning to maintenance mode without administrator-initiated change
- Loss of traffic forwarding correlated with inbound traffic from a small number of external sources
- System log entries indicating data plane crash recovery shortly after receiving traffic on a public interface
Detection Strategies
- Monitor PAN-OS system logs for dataplane restart events, panics, or maintenance mode transitions
- Alert on SNMP traps and syslog messages tied to firewall health degradation or HA failover events
- Correlate firewall outages with packet captures or NetFlow data showing anomalous inbound traffic patterns immediately preceding the crash
Monitoring Recommendations
- Forward PAN-OS system and configuration logs to a centralized SIEM or data lake for retention and correlation
- Track firewall availability metrics (HA state, session count, throughput) and alert on sudden drops
- Review external attack surface for exposed management or data plane interfaces and validate that only required services are reachable
How to Mitigate CVE-2024-9468
Immediate Actions Required
- Identify all PAN-OS devices running affected 10.2 and 11.0 versions using the inventory in the Palo Alto Networks advisory
- Upgrade to a fixed PAN-OS release as listed in the vendor advisory
- Restrict exposure of firewall interfaces to untrusted networks where business requirements allow
- Configure HA pairs so that a single data plane crash does not eliminate perimeter enforcement
Patch Information
Palo Alto Networks has released fixed PAN-OS versions addressing CVE-2024-9468. Administrators should consult the official advisory for the precise minimum fixed release for each affected train (10.2 and 11.0) and apply the appropriate upgrade path. Cloud-delivered Prisma Access tenants are updated by the vendor.
Workarounds
- Apply threat prevention and zone protection policies that limit exposure of vulnerable data plane code paths where feasible
- Place affected firewalls behind upstream filtering that drops unexpected or malformed traffic
- Ensure high-availability configurations and out-of-band management access are operational to recover devices that enter maintenance mode
# Verify installed PAN-OS version against the vendor advisory
show system info | match sw-version
# Confirm high-availability state before scheduling upgrade
show high-availability state
# Review recent dataplane crash or maintenance mode events
show system logs direction equal backward | match -i "dataplane|maintenance"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
