Palo Alto Networks alerts on PAN-OS command injection vulnerability

TLDR:

  • Palo Alto Networks has disclosed a high-severity command injection vulnerability in its PAN-OS software.
  • The vulnerability, tracked as CVE-2024-8686, allows authenticated administrators to execute arbitrary code with root privileges on the firewall.

Palo Alto Networks recently announced that a high-severity command injection vulnerability has been found in its PAN-OS software. This vulnerability, identified as CVE-2024-8686, affects PAN-OS version 11.2.2 and has been patched in version 11.2.3 and later releases. The vulnerability allows authenticated administrators to bypass system restrictions and execute arbitrary code with root privileges on the firewall. The company has assigned this vulnerability a CVSS v4.0 base score of 8.6, indicating a high severity. While Palo Alto Networks is not currently aware of any malicious exploitation of this issue, administrators are urged to upgrade to PAN-OS version 11.2.3 or later to address the vulnerability.

The vulnerability is classified as a CWE-78 weakness: improper neutralization of special elements used in an OS command, commonly known as OS command injection. By exploiting this flaw, an authenticated administrator could potentially execute unauthorized commands on the underlying operating system of the firewall device. The company credited security researcher Louis Lingg for discovering and responsibly reporting the issue.

This disclosure comes at a time of heightened concern over the security of firewall devices, which are crucial in protecting corporate networks from cyber threats. Palo Alto Networks had previously warned of a critical zero-day vulnerability (CVE-2024-3400) in its PAN-OS software in April 2024, which was actively exploited in the wild. As organizations rely more on firewalls to safeguard their digital assets, vendors must promptly address and patch vulnerabilities to minimize the risk of potential attacks. Administrators are advised to keep their PAN-OS software up to date and regularly monitor firewall devices for any signs of suspicious activity.
