Published: April 16, 2024


A critical command injection vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.


A threat actor could exploit these vulnerabilities to take control of firewalls running PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1, which are configured with GlobalProtect gateway or GlobalProtect portal (or both) and have device telemetry enabled. You can verify whether you have a GlobalProtect gateway or GlobalProtect portal configured by checking for entries in your firewall web interface (Network > GlobalProtect > Gateways or Network > GlobalProtect > Portals) and verify whether you have device telemetry enabled by checking your firewall web interface (Device > Setup > Telemetry).

This issue does not affect cloud firewalls (Cloud NGFW), Panorama appliances, or Prisma Access.

Applicable Versions

Affected VersionsNot Affected Versions
PAN-OS 11.1 < 11.1.2-h3>= 11.1.2-h3
PAN-OS 11.0 < 11.0.4-h1>= 11.0.4-h1
PAN-OS 10.2 < 10.2.7-h8, < 10.2.8-h3, < 10.2.9-h1>= 10.2.7-h8, >= 10.2.8-h3, >= 10.2.9-h1

Mitigations and Workarounds

Customers with a Threat Prevention subscription can block attacks for this vulnerability using Threat ID 95187 (available in Applications and Threats content version 8833-8682 and later).

A workaround is to temporarily disable device telemetry until the device is upgraded to a fixed PAN-OS version.

Best Practices

Upgrade the product to stable and secure version. Run vulnerability scans regularly to identify the vulnerabilities.

Netsurion Detection and Response

Netsurion researchers are continuously monitoring the exploits of this vulnerability. Netsurion’s vulnerability management system is working with the vendors to update the vulnerability scanners to detect for customers who have subscribed to Netsurion Vulnerability Management.