Cj

**Name of the Vulnerable Software and Affected Versions** PAN-OS versions prior to 8.1.20-h1 PAN-OS versions prior to 9.0.14-h3 PAN-OS versions prior to 9.1.11-h2 PAN-OS versions prior to 10.0.8 PAN-OS versions prior to 10.1.3 **Description** An OS command injection vulnerability in the Palo Alto Networks PAN-OS web interface enables an authenticated administrator with permissions to use XML API the ability to execute arbitrary OS commands to escalate privileges. **Recommendations** For versions prior to 8.1.20-h1, update to PAN-OS 8.1.20-h1 or later. For versions prior to 9.0.14-h3, update to PAN-OS 9.0.14-h3 or later. For versions prior to 9.1.11-h2, update to PAN-OS 9.1.11-h2 or later. For versions prior to 10.0.8, update to PAN-OS 10.0.8 or later. For versions prior to 10.1.3, update to PAN-OS 10.1.3 or later.

**Name of the Vulnerable Software and Affected Versions** PAN-OS versions earlier than 8.1.20-h1 PAN-OS versions earlier than 9.0.14-h3 PAN-OS versions earlier than 9.1.11-h2 PAN-OS versions earlier than 10.0.8 PAN-OS versions earlier than 10.1.3 **Description** An OS command injection vulnerability in the Palo Alto Networks PAN-OS management interface exists when performing dynamic updates. This issue enables a man-in-the-middle attacker to execute arbitrary OS commands to escalate privileges. The issue impacts Prisma Access customers with Prisma Access 2.1 Preferred or Prisma Access 2.1 Innovation firewalls. **Recommendations** For PAN-OS 8.1, update to version 8.1.20-h1 or later. For PAN-OS 9.0, update to version 9.0.14-h3 or later. For PAN-OS 9.1, update to version 9.1.11-h2 or later. For PAN-OS 10.0, update to version 10.0.8 or later. For PAN-OS 10.1, update to version 10.1.3 or later.

**Name of the Vulnerable Software and Affected Versions** PAN-OS versions earlier than 8.1.20-h1 PAN-OS versions earlier than 9.0.14-h3 PAN-OS versions earlier than 9.1.11-h2 PAN-OS versions earlier than 10.0.8 PAN-OS versions earlier than 10.1.3 Prisma Access 2.1 firewalls **Description** An OS command injection vulnerability in the Palo Alto Networks PAN-OS command line interface (CLI) enables an authenticated administrator with access to the CLI to execute arbitrary OS commands to escalate privileges. **Recommendations** For PAN-OS 8.1 versions earlier than 8.1.20-h1, update to PAN-OS 8.1.20-h1 or later. For PAN-OS 9.0 versions earlier than 9.0.14-h3, update to PAN-OS 9.0.14-h3 or later. For PAN-OS 9.1 versions earlier than 9.1.11-h2, update to PAN-OS 9.1.11-h2 or later. For PAN-OS 10.0 versions earlier than 10.0.8, update to PAN-OS 10.0.8 or later. For PAN-OS 10.1 versions earlier than 10.1.3, update to PAN-OS 10.1.3 or later. As a temporary workaround for Prisma Access 2.1 firewalls, consider restricting access to the CLI until a patch is available.

**Name of the Vulnerable Software and Affected Versions** PAN-OS versions earlier than 8.1.20-h1 PAN-OS versions earlier than 9.0.14-h3 PAN-OS versions earlier than 9.1.11-h2 PAN-OS versions earlier than 10.0.8 PAN-OS versions earlier than 10.1.3 **Description** An OS command injection vulnerability in the Simple Certificate Enrollment Protocol (SCEP) feature of PAN-OS software allows an unauthenticated network-based attacker with specific knowledge of the firewall configuration to execute arbitrary code with root user privileges. The attacker must have network access to the GlobalProtect interfaces to exploit this issue. **Recommendations** For PAN-OS 8.1, update to version 8.1.20-h1 or later. For PAN-OS 9.0, update to version 9.0.14-h3 or later. For PAN-OS 9.1, update to version 9.1.11-h2 or later. For PAN-OS 10.0, update to version 10.0.8 or later. For PAN-OS 10.1, update to version 10.1.3 or later. As a temporary workaround, consider restricting access to the GlobalProtect interfaces until a patch is available.