Palo Alto Networks Security Advisories / CVE-2024-0009

CVE-2024-0009 PAN-OS: Improper IP Address Verification in GlobalProtect Gateway

Severity 5.3 · MEDIUM
Response Effort LOW
Value Density DIFFUSE
Attack Vector NETWORK
Attack Complexity LOW
Attack Requirements NONE
Automatable NO
User Interaction NONE
Product Confidentiality NONE
Product Integrity LOW
Product Availability NONE
Privileges Required LOW
Subsequent Confidentiality LOW
Subsequent Integrity LOW
Subsequent Availability LOW


An improper verification vulnerability in the GlobalProtect gateway feature of Palo Alto Networks PAN-OS software enables a malicious user with stolen credentials to establish a VPN connection from an unauthorized IP address.

Product Status

Cloud NGFW NoneAll
PAN-OS 11.1NoneAll
PAN-OS 11.0< 11.0.1>= 11.0.1
PAN-OS 10.2< 10.2.4>= 10.2.4
PAN-OS 10.1NoneAll
PAN-OS 9.1NoneAll
PAN-OS 9.0NoneAll
Prisma Access NoneAll

Required Configuration for Exposure

This issue is applicable only to PAN-OS firewall configurations with a GlobalProtect gateway enabled. You can verify whether you have a GlobalProtect gateway configured by checking for entries in your firewall web interface (Network > GlobalProtect > Gateways).

Severity: MEDIUM

CVSSv4.0 Base Score: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/AU:N/R:A/V:D/RE:L/U:Green)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-940 Improper Verification of Source of a Communication Channel


This issue is fixed in PAN-OS 10.2.4, PAN-OS 11.0.1, and all later PAN-OS versions.


Palo Alto Networks thanks Matthew Fong for discovering and reporting this issue.


Initial publication
© 2024 Palo Alto Networks, Inc. All rights reserved.