Palo Alto Networks Security Advisories / CVE-2021-3045

CVE-2021-3045 PAN-OS: OS Command Argument Injection in Web Interface

Severity: 4.9 · MEDIUM
Attack Vector: NETWORK
Attack Complexity: LOW
Confidentiality Impact: HIGH
Privileges Required: HIGH
Integrity Impact: NONE
User Interaction: NONE
Availability Impact: NONE


An OS command argument injection vulnerability in the Palo Alto Networks PAN-OS web interface enables an authenticated administrator to read arbitrary files from the file system.

This issue impacts:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.19;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.14;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.10.

PAN-OS 10.0 and later versions are not impacted.

Product Status

Versions      Affected    Unaffected
PAN-OS 10.1   None        10.1.*
PAN-OS 10.0   None        10.0.*
PAN-OS 9.1    < 9.1.10    >= 9.1.10
PAN-OS 9.0    < 9.0.14    >= 9.0.14
PAN-OS 8.1    < 8.1.19    >= 8.1.19

Severity: MEDIUM

CVSSv3.1 Base Score: 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

Weakness Type

CWE-88 Argument Injection or Modification


This issue is fixed in PAN-OS 8.1.19, PAN-OS 9.0.14, PAN-OS 9.1.10, and all later PAN-OS versions.
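
A fleet triage check built from the version ranges above, as an added example that is not Palo Alto Networks code. It assumes version strings of the form major.minor.maintenance with an optional hotfix suffix such as -h1; the function names and the sample inventory are constructed for illustration.

```python
import re

# Fixed maintenance release per affected train, from the advisory text above.
FIXED_MAINT = {(8, 1): 19, (9, 0): 14, (9, 1): 10}

# Assumed version format: major.minor.maintenance plus an optional suffix ("-h3").
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-[a-z]+\d+)?$")


def cve_2021_3045_status(version):
    """Classify a PAN-OS version: affected, fixed, not affected, or unknown."""
    m = VERSION_RE.match(version.strip().lower())
    if not m:
        return "unknown"  # unparseable: flag for manual review, never assume safe
    major, minor, maint = (int(g) for g in m.groups())
    if major >= 10:
        return "not affected"  # advisory: 10.0 and later are not impacted
    fixed = FIXED_MAINT.get((major, minor))
    if fixed is None:
        return "unknown"  # train not listed in the advisory
    # Suffix is ignored: the fix landed in the base maintenance release,
    # so 9.1.9-h1 is still below 9.1.10 and 9.1.10-h1 is at or above it.
    return "affected" if maint < fixed else "fixed"


def upgrade_plan(inventory):
    """Return (host, running, minimum fixed version) for each affected device."""
    plan = []
    for host, version in sorted(inventory.items()):
        if cve_2021_3045_status(version) == "affected":
            major, minor = (int(p) for p in version.split(".")[:2])
            plan.append((host, version, f"{major}.{minor}.{FIXED_MAINT[(major, minor)]}"))
    return plan


# Constructed inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = {
    "fw-branch-02": "9.0.13",
    "fw-core-01": "9.1.10-h1",
    "fw-dc-03": "10.0.4",
    "fw-edge-01": "8.1.18-h2",
    "fw-lab-09": "8.0.20",
}

if __name__ == "__main__":
    for row in upgrade_plan(SAMPLE_INVENTORY):
        print(*row)
```

Devices that come back as unknown (release trains the advisory does not list, or strings that do not parse) need manual review rather than being treated as safe.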

Workarounds and Mitigations

This issue requires the attacker to have authenticated access to the PAN-OS web interface. You can mitigate the impact of this issue by following best practices for securing the PAN-OS web interface. Please review the Best Practices for Securing Administrative Access in the PAN-OS technical documentation at


Palo Alto Networks thanks Brandon Vincent for discovering and reporting this issue.


Initial publication