Palo Alto Networks Security Advisories / CVE-2017-15940

CVE-2017-15940 Command Injection in PAN-OS

Severity 9.8 · CRITICAL
Attack Vector NETWORK
Attack Complexity LOW
Confidentiality Impact HIGH
Privileges Required NONE
Integrity Impact HIGH
User Interaction NONE
Availability Impact HIGH


A vulnerability exists in the PAN-OS web interface packet capture management that could allow an authenticated user to inject arbitrary commands. (Ref # PAN-81892 / CVE-2017-15940)

PAN-OS contains a vulnerability that may allow for post authentication command injection

This issue affects PAN-OS 6.1.18 and earlier, PAN-OS 7.0.18 and earlier, PAN-OS 7.1.13 and earlier, PAN-OS 8.0.6 and earlier

Product Status

PAN-OS 8.0<= 8.0.6>= 8.0.6
PAN-OS 7.1<= 7.1.13>= 7.1.14
PAN-OS 7.0<= 7.0.18>= 7.0.19
PAN-OS 6.1<= 6.1.18>= 6.1.19


CVSSv3.1 Base Score:9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Weakness Type

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')


PAN-OS 6.1.19 and later, PAN-OS 7.0.19 and later, PAN-OS 7.1.14 and later, PAN-OS 8.0.6-h3 and later

Workarounds and Mitigations

Palo Alto Networks has released content update 765 including vulnerability signatures #30998 that can be used as an interim mitigation to protect PAN-OS devices until the device software is upgraded. Note that signatures 30998 must be applied to a firewall rule securing traffic destined for the Management interface. This issue affects the management interface of the device and is strongly mitigated by following best practices for the isolation of management interfaces for security appliances. We recommend that the management interface be isolated and strictly limited only to security administration personnel through either network segmentation or using the IP access control list restriction feature within PAN-OS. An alternative mitigation includes the use of a Panorama central manager and disabling of http and https management on each of the vulnerable appliance, then use the Panorama context switching feature to remotely access the web interface of the device.


Palo Alto Networks would like to thank Won Lae Lee and Hwang, Gyu Won from Samsung for reporting this issue
© 2023 Palo Alto Networks, Inc. All rights reserved.