CVE-2017-15944

CRITICAL KEV NUCLEI

Palo Alto Network PAN-OS - Remote Code Execution

Title source: nuclei

Exploitation Summary

CVE-2017-15944 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added August 18, 2022. EIP tracks 8 public exploits from researchers including Metasploit, Philip Pettersson, and surajraghuvanshi, among them the Metasploit module exploits/linux/http/panos_readsessionvars. A Nuclei detection template is also available.

AI-analyzed exploit summary: This Metasploit module exploits a chain of vulnerabilities in Palo Alto Networks PAN-OS, including authentication bypass, XML injection, and cron job manipulation, to achieve root code execution. It stages a reverse TLS callback to deliver the payload, with execution triggered by a cron job running every 15 minutes.

Description

Palo Alto Networks PAN-OS before 6.1.19, 7.0.x before 7.0.19, 7.1.x before 7.1.14, and 8.0.x before 8.0.6 allows remote attackers to execute arbitrary code via vectors involving the management interface.

Exploits (8)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · unix
https://www.exploit-db.com/exploits/44597

This Metasploit module exploits a chain of vulnerabilities in Palo Alto Networks PAN-OS, including authentication bypass, XML injection, and cron job manipulation, to achieve root code execution. It stages a reverse TLS callback to deliver the payload, with execution triggered by a cron job running every 15 minutes.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Palo Alto Networks PAN-OS (versions prior to 6.1.19, 7.0.19, 7.1.14, and 8.0.6)
No auth needed
Prerequisites: Network access to the target device · SSL/TLS connectivity to port 443
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by Philip Pettersson · text · remote · hardware
https://www.exploit-db.com/exploits/43342

This is a detailed writeup describing three separate bugs in Palo Alto Networks firewalls that can be chained to achieve unauthenticated remote root code execution. The bugs include an authentication bypass, arbitrary directory creation, and a command injection in a cron script.

Classification: Writeup 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Palo Alto Networks PAN-OS 6.1.18 and earlier, PAN-OS 7.0.18 and earlier, PAN-OS 7.1.13 and earlier, PAN-OS 8.0.5 and earlier
No auth needed
Prerequisites: Access to the web management interface of the Palo Alto Networks firewall
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 6 stars
by surajraghuvanshi · remote
https://github.com/surajraghuvanshi/PaloAltoRceDetectionAndExploit

This repository contains a detection script and an exploit for CVE-2017-15944, a remote code execution vulnerability in Palo Alto Networks PAN-OS. The exploit leverages a command injection flaw in the `cms_changeDeviceContext.esp` endpoint to create a session and verify vulnerability via a debug console.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Palo Alto Networks PAN-OS
No auth needed
Prerequisites: Network access to the target device · Target device running vulnerable PAN-OS version
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER 1 star
by xxnbyy · remote
https://github.com/xxnbyy/CVE-2017-15944-POC

This PoC checks for CVE-2017-15944, a remote code execution vulnerability in Palo Alto Networks firewalls. It attempts to exploit a session manipulation flaw to verify if the target is vulnerable by checking for a debug console response.

Classification: Scanner 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Palo Alto Networks firewalls (PAN-OS)
No auth needed
Prerequisites: Network access to the target firewall
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP
by P4x1s · poc
https://github.com/P4x1s/PaloAlto_EXP

This repository contains a README file describing CVE-2017-15944, a vulnerability affecting Palo Alto PAN-OS versions up to 6.1.18, 7.0.18, 7.1.14, and 8.0.5. No exploit code or technical details are provided.

Classification: Writeup 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Palo Alto PAN-OS <= 6.1.18, <= 7.0.18, <= 7.1.14, <= 8.0.5
No auth needed
Prerequisites: knowledge of CVE-2017-15944
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by yukar1z0e · remote
https://github.com/yukar1z0e/CVE-2017-15944

This repository contains a working exploit for CVE-2017-15944, targeting a vulnerability in Palo Alto Networks PAN-OS. The exploit leverages a command injection flaw to achieve remote code execution (RCE) via a reverse shell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Palo Alto Networks PAN-OS
No auth needed
Prerequisites: Network access to the target device · Debug console accessible on the target
devstral-2 · analyzed Feb 16, 2026

vulncheck_xdb WORKING POC
remote
https://github.com/AiK1d/PaloAlto_EXP

This repository contains a functional exploit for CVE-2017-15944, targeting Palo Alto Networks PAN-OS. The exploit leverages a command injection vulnerability to achieve remote code execution (RCE) via a reverse shell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Palo Alto Networks PAN-OS (versions <=6.1.18, <=7.0.18, <=7.1.14, <=8.0.5)
No auth needed
Prerequisites: Network access to the target device · Python environment with 'requests' library
devstral-2 · analyzed Feb 25, 2026

metasploit WORKING POC EXCELLENT
ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/panos_readsessionvars.rb

This Metasploit module exploits a chain of vulnerabilities in Palo Alto Networks PAN-OS, including authentication bypass, XML injection, and cron job manipulation, to achieve root code execution. It stages a reverse TLS callback to deliver the payload, with execution triggered by a cron job running every 15 minutes.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Palo Alto Networks PAN-OS versions prior to 6.1.19, 7.0.19, 7.1.14, and 8.0.6
No auth needed
Prerequisites: Network access to the target on port 443 · Target running vulnerable PAN-OS version
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Palo Alto Network PAN-OS - Remote Code Execution
CRITICAL · by emadshanab, milo2012
Shodan: http.favicon.hash:"-631559155" || cpe:"cpe:2.3:o:paloaltonetworks:pan-os"
FOFA: icon_hash="-631559155"

References (6)

Core 6
Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44597/
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1040007
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/102079
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/43342/
Vendor Advisory x_refsource_confirm
https://security.paloaltonetworks.com/CVE-2017-15944

Scores

CVSS v3 9.8
EPSS 0.9402
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2022-08-18
VulnCheck KEV 2022-08-18
InTheWild.io 2022-08-18
ENISA EUVD EUVD-2017-7360
CWE
CWE-119 CWE-20
Status published
Products (1)
paloaltonetworks/pan-os < 6.1.19
Published Dec 11, 2017
KEV Added Aug 18, 2022
Tracked Since Feb 18, 2026