Palo Alto Networks Security Advisories / CVE-2021-3037

CVE-2021-3037 PAN-OS: Secrets for scheduled configuration exports are logged in system logs

Severity 2.3 · LOW
Attack Vector LOCAL
Attack Complexity LOW
Confidentiality Impact LOW
Privileges Required HIGH
Integrity Impact NONE
User Interaction NONE
Availability Impact NONE


An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where the connection details for a scheduled configuration export are logged in system logs.

Logged information includes the cleartext username, password, and IP address used to export the PAN-OS configuration to the destination server.

Product Status

PAN-OS 10.0None>= 10.0.0
PAN-OS 9.1< 9.1.4>= 9.1.4
PAN-OS 9.0< 9.0.13>= 9.0.13
PAN-OS 8.1< 8.1.19>= 8.1.19

Required Configuration for Exposure

This issue is only applicable to PAN-OS devices that have been configured to use scheduled configuration exports at any time.

Severity: LOW

CVSSv3.1 Base Score: 2.3 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-534 Information Exposure Through Debug Log Files


This issue is fixed in PAN-OS 8.1.19, PAN-OS 9.0.13, PAN-OS 9.1.4, and all later PAN-OS versions.

After you upgrade the PAN-OS appliance, you must change the connection details used in scheduled configuration exports. You should also change the credentials on the destination server that are used to export the configuration.


This issue was found by a customer of Palo Alto Networks during a security review.


Initial publication
© 2024 Palo Alto Networks, Inc. All rights reserved.