CVE-2024-9474

HIGH KEV RANSOMWARE NUCLEI

PAN-OS >=10.1.0 <10.1.14 - Authenticated Privilege Escalation to Root via Management Interface

Title source: llm

Exploitation Summary

CVE-2024-9474 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added November 18, 2024), with confirmed use in ransomware campaigns. EIP tracks 10 public exploits from researchers including Chocapikk, k4nfr3, and TalatumLabs, among them the Metasploit module exploits/linux/http/panos_management_unauth_rce. A Nuclei detection template is also available.

Description

A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges. Cloud NGFW and Prisma Access are not impacted by this vulnerability.

Exploits (10)

nomisec WORKING POC 47 stars
by Chocapikk · remote
https://github.com/Chocapikk/CVE-2024-9474

This Go-based exploit targets CVE-2024-9474 in Palo Alto PAN-OS, leveraging an authentication bypass and command injection via a PHP endpoint to achieve remote code execution (RCE). It supports both single-target and batch scanning modes.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Palo Alto PAN-OS
No auth needed
Prerequisites: Network access to the target · PHP endpoint exposed
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 9 stars
by k4nfr3 · remote
https://github.com/k4nfr3/CVE-2024-9474

This PoC exploits CVE-2024-9474 in PAN-OS by leveraging command injection via the 'user' field in a POST request to create a remote session, then retrieves the command output via a crafted PHP file. The exploit is limited to 19-character commands due to field constraints.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: PAN-OS (Palo Alto Networks)
No auth needed
Prerequisites: Network access to the target PAN-OS device · SSL VPN interface exposed
devstral-2 · analyzed Feb 16, 2026

github WORKING POC 8 stars
by TalatumLabs · python · remote
https://github.com/TalatumLabs/CVE-2024-0012_CVE-2024-9474_PoC

This repository contains a functional exploit for CVE-2024-0012 (authentication bypass) and CVE-2024-9474 (command execution and privilege escalation) in Palo Alto PAN-OS. The exploit automates the process of bypassing authentication, uploading a reverse shell payload in chunks, and executing it on the target system.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Palo Alto PAN-OS
No auth needed
Prerequisites: Target URL · Listener IP · Listener Port
devstral-2 · analyzed Feb 19, 2026

github WORKING POC 4 stars
by dcollaoa · python · remote
https://github.com/dcollaoa/cve-2024-0012-gui-poc

This repository contains a functional GUI-based exploit for CVE-2024-0012 and CVE-2024-9474, targeting Palo Alto PAN-OS. The exploit chains an authentication bypass with a command injection vulnerability to achieve remote code execution (RCE) via crafted session creation and file write operations.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Palo Alto PAN-OS
No auth needed
Prerequisites: Network access to the target PAN-OS management interface · Python environment with PyQt5 and requests libraries
devstral-2 · analyzed Feb 19, 2026

github WORKING POC 3 stars
by Regent8SH · python · remote
https://github.com/Regent8SH/PanOsExploitMultitool

This repository contains a functional exploit tool for CVE-2024-9474, targeting PAN-OS devices. It includes capabilities for credential dumping, command execution, and reverse shell establishment via command injection and authentication bypass.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: PAN-OS
No auth needed
Prerequisites: Network access to the target PAN-OS device · Target device must be vulnerable to CVE-2024-9474
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC 2 stars
by coskper-papa · remote
https://github.com/coskper-papa/PAN-OS_CVE-2024-9474

This PoC exploits CVE-2024-9474 in PAN-OS by injecting a command into the 'user' parameter to create a PHP file containing command output, then retrieving it via unauthenticated access. It demonstrates remote code execution (RCE) by writing the result of 'id' to a web-accessible file.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: PAN-OS (specific version not specified in PoC)
No auth needed
Prerequisites: Network access to the target PAN-OS device · PHP session handling enabled
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by aratane · remote
https://github.com/aratane/CVE-2024-9474

This repository contains a Go-based Proof of Concept (PoC) exploit for CVE-2024-9474, targeting Palo Alto PAN-OS. It includes both scanning and interactive exploitation modes, allowing for authentication bypass and arbitrary command execution on vulnerable systems.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Palo Alto PAN-OS
No auth needed
Prerequisites: Go 1.18 or later · List of target URLs or a single target URL
devstral-2 · analyzed Feb 16, 2026

github WORKING POC
by Gr-1m · poc
https://github.com/Gr-1m/cve-2024-0012-poc

This repository contains a functional exploit for CVE-2024-0012, an authentication bypass vulnerability in Palo Alto Networks PAN-OS. The PoC leverages command injection via a crafted session creation request to achieve remote code execution (RCE) by writing a PHP file to the web root.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Palo Alto Networks PAN-OS
No auth needed
Prerequisites: Network access to the target PAN-OS management interface
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC
by deathvu · remote
https://github.com/deathvu/CVE-2024-9474

This repository contains a Python-based exploit for CVE-2024-9474, targeting Palo Alto PAN-OS. The exploit includes both a scanner mode to detect vulnerable instances and an interactive shell mode to execute commands on the target system via an authentication bypass vulnerability.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Palo Alto PAN-OS
No auth needed
Prerequisites: Python 3 · Network access to the target · Target running vulnerable PAN-OS version
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by watchTowr, sfewer-r7 · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/panos_management_unauth_rce.rb

This Metasploit module exploits an authentication bypass (CVE-2024-0012) and command injection (CVE-2024-9474) in Palo Alto Networks PAN-OS management interface to achieve unauthenticated remote code execution as root. It writes payloads in chunks to bypass command length limitations and executes them via shell.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Palo Alto Networks PAN-OS (versions 11.2 up to 11.2.4-h1, 11.1 up to 11.1.5-h1, 11.0 up to 11.0.6-h1, 10.2 up to 10.2.12-h2)
No auth needed
Prerequisites: Network access to the PAN-OS management interface (port 443/HTTPS)
devstral-2 · analyzed Apr 23, 2026

Nuclei Templates (1)

PAN-OS Management Web Interface - Command Injection
HIGH · VERIFIED · by watchTowr, iamnoooob, rootxharsh, pdresearch
Shodan: cpe:"cpe:2.3:o:paloaltonetworks:pan-os" || http.favicon.hash:"-631559155"
FOFA: icon_hash="-631559155"

Scores

CVSS v3 7.2
EPSS 0.9421
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2024-11-18
VulnCheck KEV 2024-11-18
InTheWild.io 2024-11-18
ENISA EUVD EUVD-2024-50354
Ransomware Use Confirmed
CWE CWE-78
Status published
Products (6)
paloaltonetworks/pan-os 10.1.14 (3 CPE variants)
paloaltonetworks/pan-os 10.2.12 (2 CPE variants)
paloaltonetworks/pan-os 11.0.6
paloaltonetworks/pan-os 11.1.5
paloaltonetworks/pan-os 11.2.4
paloaltonetworks/pan-os 10.1.0 - 10.1.14
Published Nov 18, 2024
KEV Added Nov 18, 2024
Tracked Since Feb 18, 2026