Get supportSecurity advisories
Report vulnerabilities
Palo Alto Networks Security Advisories / CVE-2019-17437

CVE-2019-17437 PAN-OS: Custom-role users may escalate privileges

Severity 7.8 · HIGH
Attack Vector LOCAL
Attack Complexity LOW
Privileges Required LOW
User Interaction NONE
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH
Published: 2019-12-04
Updated: 2019-12-04
Ref#: PAN-115697 PAN-SA-2019-0038


An improper authentication check in Palo Alto Networks PAN-OS may allow an authenticated low privileged non-superuser custom role user to elevate privileges and become superuser.

This issue affects PAN-OS 7.1 versions prior to 7.1.25; 8.0 versions prior to 8.0.20; 8.1 versions prior to 8.1.11; 9.0 versions prior to 9.0.5.

PAN-OS version 7.0 and prior EOL versions have not been evaluated for this issue.

Product Status


7.1< 7.1.25>= 7.1.25
8.0< 8.0.20>= 8.0.20
8.1< 8.1.11>= 8.1.11
9.0< 9.0.5>= 9.0.5

Releases <= 7.0 have not been evaluated.

Required Configuration

This issue only affects devices configured with a low privileged custom role user with any combination of roles or privileges.

Severity: HIGH

CVSSv3.1 Base Score: 7.8 ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H )


This issue has been resolved in 7.1.25, 8.0.20, 8.1.11, 9.0.5 and all subsequent versions.

Workarounds and Mitigations

Remove any untrusted custom-role users from the device or disable their access until fixes can be applied. Restrict access to the device to only trusted users.


  • Christophe Schleypen of NCIA / NCIRC
© 2020 Palo Alto Networks, Inc. All rights reserved.