
CVE-2020-1999 PAN-OS: Threat signatures are evaded by specifically crafted packets

Severity: 5.3 · MEDIUM
Attack Vector: NETWORK
Attack Complexity: LOW
Confidentiality Impact: NONE
Privileges Required: NONE
Integrity Impact: LOW
User Interaction: NONE
Availability Impact: NONE


A vulnerability exists in the Palo Alto Networks PAN-OS signature-based threat detection engine that allows an attacker to evade threat prevention signatures using specifically crafted TCP packets.

This CVE has no impact on the confidentiality and availability of PAN-OS. This issue does not let an attacker access resources blocked by firewall policies and it has no impact on the service availability. There could be an impact on the accuracy of firewall threat prevention with some signatures, but there is no impact on the integrity of other security features.

This issue impacts:

PAN-OS 8.1 versions earlier than 8.1.17;

PAN-OS 9.0 versions earlier than 9.0.11;

PAN-OS 9.1 versions earlier than 9.1.5;

All versions of PAN-OS 7.1 and PAN-OS 8.0.

Product Status

Versions       Affected    Unaffected
PAN-OS 10.0    None        10.0.*
PAN-OS 9.1     < 9.1.5     >= 9.1.5
PAN-OS 9.0     < 9.0.11    >= 9.0.11
PAN-OS 8.1     < 8.1.17    >= 8.1.17
PAN-OS 8.0     8.0.*
PAN-OS 7.1     7.1.*


CVSSv3.1 Base Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-754 Improper Check for Unusual or Exceptional Conditions


This issue is fixed in PAN-OS 8.1.17, PAN-OS 9.0.11, PAN-OS 9.1.5, and all later PAN-OS versions.
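
The version ranges above can be checked against a firewall inventory with a short script. This is an added example, not Palo Alto Networks code; the function names, the sample inventory and the assumed "major.minor.maintenance[-hN]" version string format are illustrative assumptions.

```python
import re

# Values below come from the advisory text.
FIXED_MAINTENANCE = {(8, 1): 17, (9, 0): 11, (9, 1): 5}  # first fixed release per train
ALL_AFFECTED = {(7, 1), (8, 0)}                          # every version affected
FIRST_UNAFFECTED_TRAIN = (10, 0)                         # 10.0 and all later versions

# Assumed format: major.minor.maintenance with an optional "-hN" hotfix suffix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h\d+)?$")


def cve_2020_1999_status(version):
    """Return 'affected', 'not_affected' or 'unknown' for a PAN-OS version."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unknown"  # unparseable string: flag for manual review
    train = (int(m[1]), int(m[2]))
    maintenance = int(m[3])
    if train in ALL_AFFECTED:
        return "affected"
    if train in FIXED_MAINTENANCE:
        # A hotfix of an older maintenance release (e.g. 9.0.10-h3) is still
        # earlier than the fixed release, so only the maintenance number counts.
        if maintenance >= FIXED_MAINTENANCE[train]:
            return "not_affected"
        return "affected"
    if train >= FIRST_UNAFFECTED_TRAIN:
        return "not_affected"
    return "unknown"  # trains older than 7.1 are not listed in the advisory


def triage(inventory):
    """Group a {hostname: version} mapping by status, hosts sorted by name."""
    groups = {"affected": [], "not_affected": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        groups[cve_2020_1999_status(version)].append(host)
    return groups


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "fw-edge-01": "9.0.10-h3", "fw-edge-02": "9.0.11", "fw-dc-01": "8.1.17-h1",
    "fw-lab-01": "8.0.20", "fw-lab-02": "10.0.2", "fw-old-01": "7.0.19",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown need a manual check, because the advisory does not state a status for those versions.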

Workarounds and Mitigations

There are no known workarounds for this issue.


This issue was found by Vijay Prakash of Palo Alto Networks during internal security review.


Initial publication