KEVIntel
Back to KEVs
9.3
CVSS
Critical

CVE-2024-0012

PUBLISHED

PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015)

Exploited in the wild Used in malware PoC available Remote Low complexity No user interaction
Vendor
Palo Alto Networks
Product
Cloud NGFW, PAN-OS, Prisma Access
Published
Nov 18, 2024
EPSS
94.3% · 100% pctl

Description

An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474 https://security.paloaltonetworks.com/CVE-2024-9474 . The risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended  best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 . This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software. Cloud NGFW and Prisma Access are not impacted by this vulnerability.

cisa malware nuclei_scanner edge metasploit nessus_scanner

CVSS scores

CVSS v4.0 9.3 Critical

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N/AU:N/R:U/V:C/RE:H/U:Red

CVSS v3.1 9.8 Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation status

Exploited in the wild

Recorded 2024-11-18 00:00:00 UTC · Source

Used in malware

Recorded 2026-06-02 14:08:22 UTC · Source

Proof of concept available

Recorded 2024-11-22 07:52:11 UTC · Source

SSVC decision points

Exploitation
active
Automatable
Yes
Technical impact
total

References

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source Added
CISA Nov 18, 2024
Tenable Blog Jun 02, 2026

Scanner integrations

Scanner Reference Detected
Metasploit https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/panos_management_unauth_rce.rb Apr 28, 2025
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-0012.yaml Apr 25, 2025

Recent mentions

Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect

Tenable Blog · May 27, 2026

Tenable Research has developed a graph-based model linking 600+ threat groups to real-world customer exposures. It reveals which vulnerabilities sit at the intersection of severity, active exploitation, and organizational risk.Key takeawaysThe "patch everything" strategy is dead: Vulnerability prioritization based on exploitation risk offers a path forward. A directed graph model linking 600+ threat actors to vulnerabilities in 7,800 customer environments reveals that 68% of organizations carry at least one CVE previously exploited by a named adversary, and 321 tracked threat groups can reach at least one customer environment through an active vulnerability. Prevalence of "Elite Arsenal" CVEs requires immediate attention: The 242 "Elite Arsenal" CVEs — those meeting all three criteria of critical VPR (≥ 9), CISA KEV listing, and documented threat group exploitation — are nearly universally present across the studied customer base, with 241 of 242 actively detected. More than half are five or more years old, and 78% of the persistently exploited core are simultaneously weaponized by nation-state APTs, commodity malware operators, and ransomware gangs. Non-CVE exposures are universally dangerous: Non-CVE exposures, including misconfigurations, weak credentials, and end-of-life software, are present in virtually 100% of studied organizations, with 60% carrying at least one that maps to a tracked threat actor's preferred techniques. Preliminary modeling suggests these exposures may confer more breach risk than CVE-linked findings, yet no industry-standard scoring infrastructure exists to prioritize them.While the first two posts in this blog series documented the accelerating vulnerability flood and the widening remediation gap, today we answer the outstanding question: Where do these forces actually collide inside customer environments? Using a directed graph model that maps more than 600 tracked threat groups to vulnerabilities observed across 7,800 organizations,...

Potential proof of concepts

These PoCs are unverified and could contain malware. Use at your own risk.

TalatumLabs/CVE-2024-0012_CVE-2024-9474_PoC

github · Created 2024-12-11 18:13:32 UTC · 3 stars

This PoC is targeting vulnerabilities in Palo Alto PAN-OS, specifically CVE-2024-0012 and CVE-2024-9474. This script automates the exploitation process, including payload creation, chunked delivery, and seamless command execution.

0xjessie21/CVE-2024-0012

github · Created 2024-11-30 16:06:02 UTC · 1 stars

CVE-2024-0012 PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015) RCE POC

iSee857/CVE-2024-0012-poc

github · Created 2024-11-22 07:52:11 UTC · 2 stars

CVE-2024-0012批量检测脚本

Sachinart/CVE-2024-0012-POC

github · Created 2024-11-19 11:30:25 UTC · 19 stars

CVE-2024-0012 PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015) RCE POC

Timeline

  • CVE ID Reserved

  • Added to KEVIntel

  • CVE Published to Public

  • Proof of Concept Exploit Available

  • Detected by Nuclei

  • Detected by Metasploit

  • Exploit Used in Malware

  • Added to KEVIntel