Palo Alto Networks Security Advisories / CVE-2016-3654

CVE-2016-3654 Command Injection in Command Line Interface

Severity 7.2 · HIGH
Attack Vector NETWORK
Attack Complexity LOW
Confidentiality Impact HIGH
Privileges Required HIGH
Integrity Impact HIGH
User Interaction NONE
Availability Impact HIGH


Palo Alto Networks firewalls implement a command line interface for interactive configuration through a serial interface or a remote SSH session. An issue was identified that can cause incorrect parsing of a specific SSH command parameter, leading to arbitrary command execution on the OS level. This vulnerability requires successful authentication but can be used to execute OS commands with root privileges if the logged on user has administrative privileges. (Ref #89706) (CVE-2016-3654)

This vulnerability is exploitable only by authenticated administrators that are granted access to the device management CLI.

This issue affects PAN-OS releases 5.0.17 and prior; 5.1.10 and prior; 6.0.12 and prior; 6.1.9 and prior; 7.0.5 and prior

Product Status

PAN-OS 7.0<= 7.0.5>= 7.0.5H2
PAN-OS 6.1<= 6.1.9>= 6.1.10
PAN-OS 6.0<= 6.0.12>= 6.0.13
PAN-OS 5.1<= 5.1.10>= 5.1.11
PAN-OS 5.0<= 5.0.17>= 5.0.18

Severity: HIGH

CVSSv3.1 Base Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Weakness Type

CWE-20 Improper Input Validation


PAN-OS releases 5.0.18 and newer; 5.1.11 and newer; 6.0.13 and newer; 6.1.10 and newer; 7.0.5H2 and newer

Workarounds and Mitigations

This issue only affects authenticated device users and Panorama users with CLI access enabled. Deployments making use of Role-Based Access Control (RBAC) do not offer CLI access by default. As a best practice, CLI access should be carefully considered, and granted only when necessary to privileged administrators.


Felix Wilhelm, ERNW Research
© 2024 Palo Alto Networks, Inc. All rights reserved.