Cisco Released Emergency Patch for Vulnerabilities in its Firewall Products
Cisco Released Emergency Patch
Continue ReadingFirewall
SonicWall SSLVPN Vulnerability Allows Remote Attackers to Crash Firewalls
Summary : A security flaw was discovered in SonicWall’s SonicOS SSLVPN component, affecting both hardware and virtual firewall appliances across Gen7 and Gen8 product lines.
| OEM | SonicWall |
| Severity | High |
| CVSS Score | 7.5 |
| CVEs | CVE-2025-40601 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
The SonicWall vulnerability allows remote attackers, without any authentication, to crash into affected firewalls by sending specially crafted traffic to the SSLVPN service. There are no public exploitation in the wild but it is strongly advised customers to apply the available patches immediately to minimize risk.
In simple terms, the component fails to validate the size or structure of certain data before copying it to a stack‐allocated buffer. Under malicious input, the overflow can overwrite the stack, leading the firewall device to crash.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Stack-based buffer overflow in SonicOS SSLVPN service | CVE-2025-40601 | SonicWall SonicOS Firewalls (Gen7 and Gen8 Hardware and Virtual) | High | 7.3.1-7013 (Gen7), 8.0.3-8011 (Gen8) and latest one |
Technical Summary
The vulnerability occurs due to a stack-based buffer overflow affecting the SSLVPN service of SonicOS. Devices with the SSLVPN interface enabled are vulnerable.
This flaw permits remote unauthenticated attackers to trigger a denial-of-service condition, leading to a full firewall crash and service outage.
The problem impacts a wide range of SonicWall firewall models including Gen7 (TZ270, NSa 2700 series etc) and Gen8 (TZ280, NSa 2800 series etc). Administrators are urged to upgrade to the latest versions and restrict SSLVPN access to trusted IPs or disable external-facing SSLVPN portals until remediation is complete.
| CVE ID | Component Affected | Vulnerability Details | Impact |
| CVE-2025-40601 | SonicWall SonicOS SSLVPN service | Stack-based buffer overflow allows remote unauthenticated attackers to send crafted requests causing a denial-of-service crash of the firewall. Only devices with SSLVPN enabled are vulnerable. | Remote denial-of-service |
Recommendations
Update SonicWall immediately to the following fixed versions:
- Gen7 Hardware Firewalls: 7.3.1-7013 and higher versions
- Gen7 Virtual Firewalls : 7.3.1-7013 and higher versions
- Gen8 Firewalls: 8.0.3-8011 and higher.
You can follow some below workaround here
- Temporarily disable the SSLVPN service if possible or restrict SSLVPN access only to trusted source IP addresses.
- Avoid exposing the SSLVPN service to untrusted internet sources until patched.
- Continuously monitor firewall and network logs for unusual SSLVPN activity or connection attempts that might indicate probing or exploitation attempts.
Conclusion:
There has no evidence of active exploitation for this vulnerability, but the issue makes unpatched firewalls highly attractive targets for threat actors capable of causing major network outages.
Organizations relying on SonicWall should prioritize applying the latest patches and review their SSLVPN exposure as part of broader incident prevention. For those unable to patch immediately, restricting or disabling external SSLVPN access is strongly recommended until fixes can be deployed.
References:
CISA Warns Critical Cisco Firewall Vulnerabilities Under Active Exploitation
4 Actively exploited Zero-days affecting millions of devices,. This include 3 targeted by Nation-state actor “ArcaneDoor”.
Security Advisory: Cisco has released critical security updates to address two zero-day vulnerabilities referring to CVE-2025-20333 and CVE-2025-20362 in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software.
CISA has also added in their KEV catalog and including additional actions tailored to each agency’s status in Emergency Directive ED 25-03 document.
CISA said ‘”The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution [RCE] on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade,”.
CISA has reported that an advanced threat actor ArcaneDoor, threat actor has demonstrated a capability to successfully modify ASA ROM at least as early as 2024. These zero-day vulnerabilities in the Cisco ASA platform are also present in specific versions of Cisco Firepower appliances’ Secure Boot would detect the identified manipulation of the ROM.
| Severity | Critical |
| CVSS Score | 9.9 |
| CVEs | CVE-2025-20333, CVE-2025-20362 |
| POC Available | No |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.1 |
Overview
The flaws discovered are actively exploited in the wild which allow attackers to execute arbitrary code or access restricted endpoints without authentication. Admins are urged to immediately apply Cisco’s fixed releases to mitigate these actively exploited zero-day vulnerabilities
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Buffer Overflow Vulnerability | CVE-2025-20333 | Cisco Secure Firewall Adaptive Security Appliance (ASA), Cisco Secure Firewall Threat Defense (FTD) | Critical | Update to the latest version |
| Missing Authorization Vulnerability | CVE-2025-20362 | Cisco Secure Firewall Adaptive Security Appliance (ASA), Cisco Secure Firewall Threat Defense (FTD) | Medium | Update to the latest version |
Technical Summary
Cisco has released security updates to address multiple vulnerabilities in the VPN web server of Secure Firewall ASA and FTD Software.
The most severe issue is a critical remote code execution vulnerability that could allow an authenticated attacker with valid VPN credentials to send specially crafted HTTP(S) requests and execute arbitrary code with root-level privileges, potentially resulting in full compromise of the affected device and control of its operations.
In addition, a medium-severity vulnerability was identified that could enable unauthenticated attackers to bypass access controls and access restricted web resources without authentication, potentially exposing sensitive information or limited administrative functions.
Both vulnerabilities are caused by improper validation of user-supplied HTTP(S) input, making them exploitable over the network.
Cisco has confirmed that there are no workarounds available, and administrators are strongly advised to upgrade to the fixed software versions immediately to ensure the security and integrity of their environments.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-20333 | Cisco Secure Firewall ASA Software, Cisco Secure FTD Software | Improper input validation in the VPN web server enables authenticated remote users to send crafted HTTP requests that allow arbitrary code execution with root privileges. | Remote Code Execution |
| CVE-2025-20362 | Cisco Secure Firewall ASA Software, Cisco Secure FTD Software | The VPN web server does not properly validate HTTP(S) user-supplied input. Attackers can exploit this by sending specially crafted requests to bypass authentication and access restricted URL endpoints. | Unauthorized access |
Recommendations:
- Install the fixed software releases for Cisco Secure Firewall ASA and FTD Software
- Use the Cisco Software Checker to identify the earliest fixed release for your software version.
- Navigate the device management interface (Cisco Secure Firewall Management Center or Device Manager) to apply updates.
- Restart devices after installation and ensure auto-updates are enabled.
- Review the Configure Threat Detection for VPN Services section in the Cisco Secure Firewall ASA Firewall CLI Configuration Guide to enable protection against VPN-related attacks.
Conclusion:
These vulnerabilities present a significant risk as they are actively being exploited in the wild and can lead to complete system compromise or unauthorized access to sensitive resources.
Since no workarounds are available, applying the latest Cisco security updates is the only effective remediation. Administrators should prioritize immediate patching across all affected devices to protect their environment from ongoing exploitation attempts and ensure continued resilience of critical firewall infrastructure.
References:
Pre-Auth Remote Code Execution Flaws Patched in Sophos Firewall
Summary : Sophos has resolved several critical security vulnerabilities in its Firewall products, the most severe vulnerability could allow remote code execution without authentication, potentially giving attackers full control over impacted systems.
| OEM | Sophos |
| Severity | Critical |
| CVSS Score | 9.8 |
| CVEs | CVE-2025-6704, CVE-2025-7624 |
| POC Available | No |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
To address the issue, the Sophos has issued hotfixes for five separate vulnerabilities. Two of these are rated as critical and present a serious threat to enterprise networks around the globe.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Arbitrary file writing vulnerability in Secure PDF eXchange (SPX) feature | CVE-2025-6704 | Sophos Firewall | Critical | SFOS 21.0 MR2 (21.0.2) and later |
| SQL injection vulnerability in legacy SMTP proxy | CVE-2025-7624 | Sophos Firewall | Critical | SFOS 21.0 MR2 (21.0.2) and later |
Technical Summary
The CVE-2025-6704 and CVE-2025-7624 are identified in Sophos Firewall versions prior to 21.0 MR2 (21.0.2), both with a CVSS v3.1 base score of 9.8, indicating critical severity.
The CVE-2025-6704 involves an arbitrary file writing vulnerability within the Secure PDF eXchange (SPX) feature.
SPX is enabled and the firewall operates in High Availability (HA) mode, attackers can exploit this flaw to execute arbitrary code remotely without authentication. This pre-authentication remote code execution can lead to full system compromise, affecting confidentiality, integrity and availability.
CVE-2025-7624 pertains to an SQL injection vulnerability in the legacy (transparent) SMTP proxy of Sophos Firewall. If a quarantining policy is active for email and the system was upgraded from a version older than 21.0 GA, this weakness could potentially allow remote code execution.
Exploitation of this flaw can lead to unauthorized access, manipulation of firewall configurations, and potential lateral movement within the network.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-6704 | v21.5 GA and older | A rare SPX feature flaw in HA mode can allow pre-auth remote code execution, affecting 0.05% of devices. | Pre-auth remote code execution (RCE) in Sophos Firewall SPX feature |
| CVE-2025-7624 | v21.5 GA and older | An SQL injection in the legacy SMTP proxy can enable remote code execution if email quarantine is active and SFOS was upgraded from pre-21.0 GA. It affects up to 0.73% of devices. | Remote code execution via SMTP proxy |
In addition to the Critical Severity vulnerabilities, two other High and one medium severity issues were addressed.
CVE-2025-7382 – Command Injection in WebAdmin Interface (CVSS 8.8)
A WebAdmin command injection flaw allows adjacent pre-auth code execution on HA auxiliary devices if admin OTP is enabled.
CVE-2024-13974 – Business Logic Vulnerability in Up2Date Component (CVSS 8.1)
A business logic flaw in Up2Date lets attackers control firewall DNS to enable remote code execution.
CVE-2024-13973 – Post-Auth SQLi Vulnerability in WebAdmin (CVSS 6.8)
A post-auth SQL injection in WebAdmin allows admins to execute arbitrary code.
Remediation:
Users should immediately update Sophos Firewall to the latest patched version:
- For CVE-2025-6704, CVE-2025-7624, CVE-2025-7382: Upgrade to Sophos Firewall 21.0 MR2 (21.0.2) or later.
- For CVE-2024-13974 and CVE-2024-13973: Upgrade to Sophos Firewall 21.0 MR1 (20.0.1) or later.
If you are not using the Secure PDF eXchange (SPX) feature or legacy SMTP proxy, consider disabling them until they are patched.
Users operating legacy versions prior to the supported range must upgrade their systems to receive these critical security protections and maintain adequate defense against potential exploitation attempts.
Conclusion:
In Sophos Firewalls that allow attackers to execute code remotely without logging in. Although only a small percentage of devices are affected, the flaws are serious.
Fortunately, Sophos quickly pushed automatic fixes, and no attacks have been seen so far. Users should verify their firewalls are fully updated and have auto update enabled to stay protected.
The impact scope for this vulnerability reaches up to 0.73% of deployed devices. Both critical vulnerabilities were discovered and responsibly disclosed through Sophos’ bug bounty program by external security researchers.
References:
Linux Kernel Exploitation in ksmbd (CVE-2025-37899) Discovered with AI Assistance
Summary: A high-severity use-after-free vulnerability (CVE-2025-37899) has been discovered in the ksmbd component of the Linux kernel, which implements the SMB3 protocol for file sharing.
| OEM | Linux |
| Severity | High |
| CVSS Score | N/A |
| CVEs | CVE-2025-37899 |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
The vulnerability, confirmed on May 20, 2025 which was uncovered through AI-assisted code analysis using OpenAI’s o3 model. It affects multiple versions of the Linux kernel and may lead to arbitrary code execution with kernel privileges. As of now, no official fix is available, but Linux distributions including SUSE team are actively working on patches.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| ksmbd use-after-free vulnerability | CVE-2025-37899 | Linux kernel | High |
Technical Summary
The vulnerability lies in the ksmbd kernel server component responsible for SMB3 protocol handling.
A use-after-free bug occurs when one thread processes a logoff command and frees the sess->user object, while another thread bound to the same session attempts to access the same object simultaneously. This results in a race condition that can lead to memory corruption and potentially enable attackers to execute arbitrary code with kernel privileges.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-37899 | Linux kernel (ksmbd) | A race condition during handling of SMB2 LOGOFF commands. sess->user is freed in one thread while still being accessed in another, leading to a classic use-after-free vulnerability. The absence of synchronization around sess->user allows attackers to exploit the freed memory during concurrent SMB operations. | Kernel memory corruption, privilege escalation, remote code execution |
Remediation:
- Fix status: As of now, an official fix has not been released. Linux distributions, including SUSE, are actively developing and testing patches.
General Recommendations
- Monitor your distribution’s security advisories and apply patches as soon as they are available.
- Consider disabling or restricting ksmbd (in-kernel SMB3 server) if not explicitly required.
- Use firewall rules to restrict access to SMB services to trusted networks.
- Employ kernel hardening options (e.g. memory protections, SELinux/AppArmor policies).
- Audit SMB traffic for signs of abnormal session setup and teardown behavior.
Conclusion:
CVE-2025-37899 highlights the increasing role of AI in modern vulnerability discovery and the complex nature of concurrency bugs in kernel components. While no fix is yet available, administrators should apply defense-in-depth strategies and watch for updates from their Linux vendors.
The discovery underscores the importance of rigorous code audits, especially in components exposed to network traffic and multithreaded processing.
References:
Critical Privilege Escalation Vulnerability in Motors WordPress Theme
Summary: A critical privilege escalation vulnerability (CVE-2025-4322) has been identified in the Motors WordPress theme, a widely used premium theme tailored for car dealerships, rentals, and vehicle listings.
| OEM | WordPress |
| Severity | Critical |
| CVSS Score | 9.8 |
| CVEs | CVE-2025-4322 |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview This vulnerability affects versions up to 5.6.67 and could allow unauthenticated attackers to reset passwords for any user, including administrators, leading to complete site compromise. The issue has been addressed in version 5.6.68, and immediate patching is strongly recommended.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Privilege Escalation via Password Reset Bypass | CVE-2025-4322 | Motors WordPress Theme | Critical | 5.6.68 |
Technical Summary
The vulnerability arises from insufficient input validation in the Login Register widget of the Motors theme, specifically within the password-recovery.php template. An attacker can manipulate the hash_check parameter using an invalid UTF-8 character, which is improperly sanitized by the esc_attr() function. This allows the attacker to bypass password reset validations and change passwords without authorization, even for administrator accounts.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-4322 | Motors WordPress Theme (<= 5.6.67) | The password-recovery.php file fails to properly validate whether the stm_lost_password_hash exists and is correct. If the hash is empty (e.g. – no reset was requested), an attacker can bypass the check using an invalid UTF-8 character. The esc_attr() sanitization strips the invalid character after validation, resulting in a successful hash match and unauthorized password update. | Complete site compromise. |
Remediation:
- Immediately update: To mitigate the vulnerability, users of the Motors WordPress theme should immediately update to version 5.6.68 or later.
Conclusion:
CVE-2025-4322 is a critical privilege escalation vulnerability affecting over 22,000+ WordPress sites using the Motors theme.
Exploiting this flaw, unauthenticated attackers can reset administrator passwords and gain full control of vulnerable sites. The vulnerability was responsibly disclosed and swiftly addressed by the vendor, with a patched version (5.6.68) released.
Given the ease of exploitation and potential for full site compromise, users are strongly advised to update immediately.
Organizations relying on the Motors theme should also implement multi-layered security practices, such as web application firewalls, routine patching, and access monitoring, to safeguard their digital assets against similar threats in the future.
References:
Authentication Bypass Vulnerability in FortiOS & FortiProxy
Summary
A critical authentication bypass vulnerability [CWE-288] has been identified in FortiOS and FortiProxy, tracked as CVE-2025-24472 . This is affecting their affecting FortiOS and FortiProxy products and being exploited in the wild.
| OEM | Fortinet |
| Severity | Critical |
| CVSS | 9.6 |
| CVEs | CVE-2025-24472 |
| Exploited in Wild | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
This flaw, with the CVSSv3 score of 9.6, could allow a remote attacker to obtain super-admin privileges by sending specially crafted requests to the Node.js WebSocket module.
| Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
| Authentication Bypass Vulnerability | CVE-2025-24472 | FortiOS FortiProxy | Critical | FortiOS v7.0 – v7.0.16 FortiProxy v7.0 – v7.0.19 FortiProxy v7.2 – v7.2.12 |
Technical Summary
| CVE ID | Vulnerability Details | Impact |
| CVE-2025-24472 | An authentication bypass using an alternate path (CWE-288) vulnerability in FortiOS and FortiProxy , present in certain versions, could enable a remote attacker to obtain super-admin privileges by sending requests to the Node.js websocket module or by crafting CSF proxy requests. | Execute unauthorized code or commands |
Recommendations:
- Update: Ensure that the appropriate patches or updates are applied to the relevant versions listed below
| Version | Fixes and Releases |
| FortiOS 7.0 – 7.0.16 | Upgrade to 7.0.17 or latest version |
| FortiProxy 7.0 – 7.0.19 | Upgrade to 7.0.20 or latest version |
| FortiProxy 7.2 – 7.2.12 | Upgrade to 7.2.13 or latest version |
Workarounds:
Below are some workarounds provided by the Fortinet team.
- Disable HTTP/HTTPS administrative interface
- Limit IP addresses that can reach the administrative interface via local-in policies
According to Fortinet, attackers exploit the two vulnerabilities to generate random admin or local users on affected devices, adding them to new and existing SSL VPN user groups. They have also been seen modifying firewall policies and other configurations and accessing SSLVPN instances with previously established rogue accounts “to gain a tunnel to the internal network.network.”
References:
Important Security Alert: SonicWall Issues Patch for SSL-VPN Vulnerabilities
SonicWall has released an Critical advisory urging administrators to address a critical vulnerability in its SSL-VPN product.
The flaw, identified as CVE-2024-53704, poses a significant security risk, allowing attackers to exploit the system remotely. Administrators are strongly encouraged to update their systems immediately to mitigate potential threats. SonicWall has released an Critical advisory urging administrators to address a critical vulnerability in its SSL-VPN product.
Key Details:
- The vulnerability allows unauthenticated remote attackers to execute arbitrary code on affected systems.
- It impacts SonicWall’s SSL-VPN products, widely used for secure remote access.
- Exploitation of this bug could lead to severe consequences, including unauthorized access to sensitive data, network infiltration, and system compromise.
Summary
| OEM | SonicWall |
| Severity | High |
| CVSS | 8.2 |
| CVEs | CVE-2024-53704 |
| Exploited in Wild | No |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
The security flaw, tracked as CVE-2024-53704, presents a serious risk, enabling remote exploitation by attackers. Administrators are highly advised to apply the necessary patches without delay to protect against potential threats.
| Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
| Improper Authentication | CVE-2024-53704 | SonicWall | High | 7.1.x (7.1.1-7058 and older), 7.1.2-7019 8.0.0-8035 |
| A privilege escalation vulnerability | CVE-2024-53706 | SonicWall | High | 7.1.x (7.1.1-7058 and older), 7.1.2-7019 |
| A weakness in the SSLVPN authentication token generator | CVE-2024-40762 | SonicWall | High | 7.1.x (7.1.1-7058 and older), 7.1.2-7019 |
| A server-side request forgery (SSRF) vulnerability | CVE-2024-53705 | SonicWall | Medium | 6.5.4.15-117n and older 7.0.x (7.0.1-5161 and older) |
Technical Summary
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2024-53704 | Gen7 Firewalls, Gen7 NSv, TZ80 | An Improper Authentication vulnerability in the SSLVPN authentication mechanism allows a remote attacker to bypass authentication. | Bypass authentication |
| CVE-2024-53706 | Gen7 Cloud Platform NSv | A vulnerability in the Gen7 SonicOS Cloud platform NSv (AWS and Azure editions only), allows a remote authenticated local low-privileged attacker to elevate privileges to `root` and potentially lead to code execution. | Allow attackers to gain root privileges and potentially execute code. |
| CVE-2024-40762 | Gen7 Firewalls, Gen7 NSv, TZ80 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in the SonicOS SSLVPN authentication token generator that, in certain cases, can be predicted by an attacker potentially resulting in authentication bypass. | Weak PRNG in authentication tokens can lead to authentication bypass in SSLVPN. |
| CVE-2024-53705 | Gen6 Hardware Firewalls, Gen7 Firewalls, Gen7 NSv | A Server-Side Request Forgery vulnerability in the SonicOS SSH management interface allows a remote attacker to establish a TCP connection to an IP address on any port when the user is logged in to the firewall. | Allow attackers to establish TCP connections to arbitrary IP addresses and ports |
Remediation:
- Update: Impacted users are recommended to upgrade to the following versions to address the security risk:
| Firewalls Versions | Fixes and Releases |
| Gen 6 / 6.5 hardware firewalls | SonicOS 6.5.5.1-6n or newer |
| Gen 6 / 6.5 NSv firewalls | SonicOS 6.5.4.v-21s-RC2457 or newer |
| Gen 7 firewalls | SonicOS 7.0.1-5165 or newer; 7.1.3-7015 and higher |
| TZ80: SonicOS | SonicOS 8.0.0-8037 or newer |
Recommendations:
- Patch Without Delay: Install the latest firmware update from SonicWall to resolve this vulnerability. Detailed instructions are available in SonicWall’s official advisory.
- Monitor Network Activity: Regularly monitor network traffic for signs of suspicious or unauthorized access.
- Limit Access: Restrict VPN access to trusted users and enforce Multi-Factor Authentication (MFA) for all accounts.
- Stay Updated: Subscribe to SonicWall’s security alerts and updates to stay informed about upcoming vulnerabilities.
References:
Denial of Service Vulnerability in DNS Security Feature of Palo Alto Networks PAN-OS
Summary
| OEM | Palo Alto |
| Severity | High |
| CVSS | 8.7 |
| CVEs | CVE-2024-3393 |
| Exploited in Wild | No |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
A Denial-of-Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.
| Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
| (DoS) in DNS Security Using a Specially Crafted Packet | CVE-2024-3393 | Palo Alto | High | PAN-OS 11.2 – < 11.2.3* PAN-OS 11.1 – < 11.1.5* PAN-OS 10.2 – >= 10.2.8*, <10.2.14* PAN-OS 10.1 – >= 10.1.14*, <10.1.15* |
Technical Summary
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2024-3393 | Palo Alto PAN-OS | CVE-2024-3393 is a high-severity DoS vulnerability in Palo Alto Networks PAN-OS exists in the DNS Security feature, where malformed DNS packets are improperly parsed and logged. If exploited, this vulnerability enables an unauthenticated attacker to remotely trigger a firewall reboot. Repeated exploitation attempts can cause the firewall to enter maintenance mode. CISA added it to the KEV catalog, with patching required by January 20, 2025. | Dos – Denial-of-Service |
Remediation:
- Update: Ensure that the appropriate patches or updates are applied to the relevant PAN-OS versions as listed below
| PAN-OS Version | Fixes and Releases |
| PAN-OS 11.1 | 11.1.2-h16, 11.1.3-h13, 11.1.4-h7, 11.1.5 |
| PAN-OS 10.2 | 10.2.8-h19, 10.2.9-h19, 10.2.10-h12, 10.2.11-h10, 10.2.12-h4, 10.2.13-h2, 10.2.14 |
| PAN-OS 10.1 | 10.1.14-h8, 10.1.15 |
| PAN-OS 10.2.9-h19 | Only applicable to Prisma Access |
| PAN-OS 10.2.10-h12 | Only applicable to Prisma Access |
| PAN-OS 11.0 | No fix (reached end-of-life status on November 17, 2024) |
Recommendations:
- Avoid Using EOL Versions:
- PAN-OS 11.0 is end-of-life (EOL) as of November 17, 2024. Ensure that you are not using this version and upgrade to be supported versions.
- Monitoring & Incident Response:
- Regularly monitor firewall logs for unusual behavior, especially DoS triggers.
- For Prisma Access Users (Workaround):
- Disable DNS Security logging across all NGFWs if patching cannot be applied immediately. This can be done by opening a support case with Palo Alto Networks.
References:
Recent Comments