CVE-2020-2038

PAN-OS: OS command injection vulnerability in the management web interface

CVSS 7.2 HIGHEPSS 86.1%CWE-78

An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated administrators to execute arbitrary OS commands with root privileges. This issue impacts: PAN-OS 9.0 versions earlier than 9.0.10; PAN-OS 9.1 versions earlier than 9.1.4; PAN-OS 10.0 versions earlier than 10.0.1.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Affected products

Palo Alto Networks · PAN-OS

public PoCs found — 4

githubgithub.com/und3sc0n0c1d0/CVE-2020-2038★ 5 cve_referencepacketstormsecurity.com/files/168008/PAN-OS-10.0-Remote-Code-Execution.htmlunverified cve_referencepacketstormsecurity.com/files/168408/Palo-Alto-Networks-Authenticated-Remote-Code-Execution.htmlunverified exploitdbwww.exploit-db.com/exploits/51005unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://packetstormsecurity.com/files/168008/PAN-OS-10.0-Remote-Code-Execution.html http://packetstormsecurity.com/files/168408/Palo-Alto-Networks-Authenticated-Remote-Code-Execution.html https://security.paloaltonetworks.com/CVE-2020-2038