Palo Alto Networks Security Advisories / CVE-2019-1575

CVE-2019-1575 Information Disclosure in PAN-OS Management API Usage

Severity: 8.8 · HIGH
Attack Vector: NETWORK
Attack Complexity: LOW
Confidentiality Impact: HIGH
Privileges Required: LOW
Integrity Impact: HIGH
User Interaction: NONE
Availability Impact: HIGH


An Information Disclosure vulnerability exists in PAN-OS Management API usage (Ref # PAN-107239 and PAN-118869 / CVE-2019-1575).

Successful exploitation may allow an authenticated user with read-only privileges to extract the API key of the device and the username/password from the XML API (in PAN-OS), and possibly to escalate the privileges granted to them.

This issue affects PAN-OS 7.1.23 and earlier, PAN-OS 8.0.18 and earlier, PAN-OS 8.1.8-h4 and earlier, and PAN-OS 9.0.2 and earlier.

Product Status

Versions      Affected       Unaffected
PAN-OS 9.0    <= 9.0.2       >= 9.0.2
PAN-OS 8.1    <= 8.1.8-h4    >= 8.1.8
PAN-OS 8.0    <= 8.0.18      >= 8.0.19
PAN-OS 7.1    <= 7.1.23      >= 7.1.24


CVSSv3.1 Base Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Weakness Type

CWE-200 Information Exposure


This issue is fixed in PAN-OS 7.1.24 and later, PAN-OS 8.0.19 and later, PAN-OS 8.1.8-h5 and later, and PAN-OS 9.0.2-h4 and later.
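
A version check built from the fixed releases listed above, for triaging a device inventory against this advisory (added example, not Palo Alto Networks code; the hostnames and versions in the sample are constructed). It assumes that builds between the stated affected bound and the fixed hotfix, such as 9.0.2-h1, count as affected, and it reports release trains the advisory does not name as "not-listed".

```python
import re

# Fixed builds per release train, taken from the advisory text above.
FIXED = {"7.1": "7.1.24", "8.0": "8.0.19", "8.1": "8.1.8-h5", "9.0": "9.0.2-h4"}

# major.minor.maintenance with an optional -hN hotfix suffix, e.g. 8.1.8-h4
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse(version):
    """Return (major, minor, maintenance, hotfix); hotfix is 0 when absent."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def status(version):
    """Return 'affected', 'fixed', or 'not-listed' (train not in the advisory)."""
    v = parse(version)
    train = f"{v[0]}.{v[1]}"
    if train not in FIXED:
        return "not-listed"
    # Tuple comparison orders 8.1.8 < 8.1.8-h4 < 8.1.8-h5 < 8.1.9.
    return "fixed" if v >= parse(FIXED[train]) else "affected"


def triage(inventory):
    """Map hostname -> status for a {hostname: version} inventory."""
    results = {}
    for host, version in inventory.items():
        try:
            results[host] = status(version)
        except ValueError:
            # Keep unparseable entries visible instead of silently passing them.
            results[host] = "unparsed"
    return results


# Constructed inventory: hostnames and versions are sample data only.
SAMPLE_INVENTORY = {
    "fw-edge-01": "8.1.8-h4",
    "fw-edge-02": "8.1.8-h5",
    "fw-dc-01": "9.0.2",
    "fw-lab-01": "7.1.24",
    "fw-lab-02": "9.0.x",
}

if __name__ == "__main__":
    for host, result in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {SAMPLE_INVENTORY[host]:10} {result}")
```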

Workarounds and Mitigations

Please see the detailed FAQ here:


Palo Alto Networks would like to thank Bartłomiej Stasiek of ING Tech Poland, Ruben Jacobi of ON2IT Group, Michael E. Davis - University of Arkansas, and Alycia N. Carey - University of Arkansas for reporting this issue.