Skip to main content
CVE Vulnerability Database

CVE-2024-9472: Palo Alto PAN-OS DoS Vulnerability

CVE-2024-9472 is a null pointer dereference DoS flaw in Palo Alto PAN-OS affecting PA-800, PA-3200, PA-5200, and PA-7000 Series. Attackers can crash systems when Decryption policy is enabled. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2024-9472 Overview

CVE-2024-9472 is a null pointer dereference vulnerability [CWE-476] in Palo Alto Networks PAN-OS software. The flaw affects PA-800 Series, PA-3200 Series, PA-5200 Series, and PA-7000 Series hardware firewalls when Decryption policy is enabled. An unauthenticated remote attacker can crash PAN-OS by sending specific traffic through the data plane, producing a denial of service condition. Repeated exploitation attempts force PAN-OS into maintenance mode, requiring manual intervention to restore service. Palo Alto Networks VM-Series, Cloud NGFW, and Prisma Access deployments are not affected.

Critical Impact

Unauthenticated attackers can remotely crash perimeter firewalls and force them into maintenance mode, eliminating network protection and connectivity at the edge.

Affected Products

  • Palo Alto Networks PAN-OS on PA-800 Series hardware
  • Palo Alto Networks PAN-OS on PA-3200 Series and PA-5200 Series hardware
  • Palo Alto Networks PAN-OS on PA-7000 Series hardware (specific 10.2.x, 11.1.x, and 11.2.x builds)

Discovery Timeline

  • 2024-11-14 - CVE-2024-9472 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-9472

Vulnerability Analysis

The vulnerability resides in the PAN-OS data plane code path that handles decryption when a Decryption policy is enabled. When the device processes specific traffic patterns, the code dereferences a pointer that has not been validated as non-null. This dereference triggers a fatal fault in the dataplane process, crashing PAN-OS. Because the trigger lives in the data plane, no authentication, user interaction, or pre-existing session is required. The attacker only needs to send crafted traffic that traverses or terminates on the affected firewall.

Root Cause

The root cause is missing null-pointer validation [CWE-476] before a pointer access in a decryption-related processing routine. Under specific traffic conditions, the referenced structure is not initialized or returns null, and the subsequent dereference produces an invalid memory access. Repeated faults exhaust the dataplane recovery threshold and transition PAN-OS into maintenance mode, which halts traffic forwarding.

Attack Vector

Attackers exploit the flaw remotely over the network by sending specific traffic through the data plane of a firewall with Decryption policy enabled. Exploitation requires no credentials and no user interaction. A single successful trigger produces a process crash, while repeated triggers escalate the impact by forcing the appliance into maintenance mode. No public proof-of-concept code or exploitation in the wild has been reported, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.

No verified public exploit code is available for this vulnerability. Refer to the Palo Alto Networks Advisory for vendor technical details.

Detection Methods for CVE-2024-9472

Indicators of Compromise

  • Unexpected dataplane process crashes or restarts on PA-800, PA-3200, PA-5200, or PA-7000 Series firewalls
  • PAN-OS transitioning into maintenance mode without a scheduled administrative action
  • Loss of traffic forwarding on the affected firewall while the management plane remains reachable

Detection Strategies

  • Monitor PAN-OS system logs for dataplane fault events, core dump generation, and maint-mode transitions
  • Correlate firewall crash events with inbound traffic patterns matching decryption-eligible flows (TLS/SSL traffic subject to Decryption policy)
  • Track SNMP and high-availability failover events that indicate repeated dataplane resets on affected hardware models

Monitoring Recommendations

  • Forward PAN-OS system and configuration logs to a centralized SIEM and alert on critical severity dataplane messages
  • Baseline normal reboot and HA failover frequency, then alert on deviations on hardware models listed in the advisory
  • Validate that PAN-OS version reporting in inventory tools matches the vulnerable builds enumerated in the Palo Alto Networks advisory

How to Mitigate CVE-2024-9472

Immediate Actions Required

  • Identify all PA-800, PA-3200, PA-5200, and PA-7000 Series firewalls running the vulnerable PAN-OS builds listed in the advisory, including 10.2.7-h12, 10.2.8-h10, 10.2.9-h9, 10.2.9-h11, 10.2.10-h2, 10.2.10-h3, 10.2.11, 10.2.11-h1, 10.2.11-h2, 10.2.11-h3, 11.1.2-h9, 11.1.2-h12, 11.1.3-h2, 11.1.3-h4, 11.1.3-h6, 11.2.2, and 11.2.2-h1
  • Apply the fixed PAN-OS maintenance releases referenced in the vendor advisory as soon as a change window allows
  • Confirm high-availability pairs are both upgraded to prevent failover into a vulnerable peer

Patch Information

Palo Alto Networks has published fixed PAN-OS versions for the affected 10.2.x, 11.1.x, and 11.2.x trains. Consult the Palo Alto Networks Advisory for the exact fixed builds matching each deployed version and apply them on the affected hardware platforms.

Workarounds

  • If immediate patching is not possible, evaluate temporarily disabling Decryption policy on affected hardware, since the vulnerability only triggers when Decryption is enabled
  • Restrict exposure of firewall data plane interfaces to untrusted networks where feasible and apply zone protection profiles to filter anomalous traffic
  • Migrate critical workloads to unaffected platforms such as VM-Series, Cloud NGFW, or Prisma Access until patching is complete
bash
# Verify the currently running PAN-OS version against the vulnerable list
show system info | match sw-version

# Review whether any Decryption policy rules are enabled
show running decryption-policy

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.