Palo Alto Networks Security Advisories / PAN-SA-2015-0006

PAN-SA-2015-0006 API key automatic revocation

Severity: 2.2 (LOW)
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: NONE
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE


An issue has been identified in PAN-OS in which the management API key of a local administrator account is not invalidated when that account's password is changed: the old key remains valid until the device is rebooted. Changing the password generates a new API key, but during the window between the password change and the next reboot the previous key is still accepted, so anyone who holds the old key retains management API access for that period even though the credential it was issued for has been rotated.

This issue affects the management interface of the device. Network security best practices suggest administering security devices from an out-of-band network, reducing the exposed attack surface.

This issue affects PAN-OS versions prior to PAN-OS 7.0.2 and PAN-OS 6.1.7.

Product Status

Product       Affected versions   Unaffected versions
PAN-OS 7.0    <= 7.0.1            >= 7.0.2
PAN-OS 6.1    <= 6.1.6            >= 6.1.7


CVSSv3.1 Base Score: 2.2 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N)

Weakness Type


Solution

This issue is fixed in PAN-OS 7.0.2, PAN-OS 6.1.7 and all subsequent releases.

Workarounds and Mitigations

This issue only affects local device administrator accounts; accounts authenticated remotely (for example via LDAP or RADIUS) are not affected. Administrators are advised to upgrade to PAN-OS 7.0.2 or 6.1.7 to correct the issue. On affected versions, as a mitigation, restart the device's management server after each administrator password change using the following CLI command. This restarts only the management-server process, not the whole device, but active GUI and API sessions are interrupted while the process comes back up:

> debug software restart process management-server
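After upgrading, or after applying the restart mitigation, a practitioner will want to confirm that a key issued before the password change is actually rejected afterward. The following Python script is an added example for this advisory, not Palo Alto Networks code. It uses only the documented XML API request types `keygen` (returns a key for a username and password) and `op` (runs an operational command with a key); the host name, the account name, the script file name and the sample XML responses are constructed for illustration, and the exact wording of the rejection message is an assumption.

```python
"""Probe whether an old PAN-OS XML API key survives a password change.

Added example, not Palo Alto Networks code. Relies only on the documented
XML API request types `keygen` and `op`. Sample responses below are
constructed, modelled on the API's documented shape.
"""
import ssl
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlencode
from urllib.request import urlopen

# Harmless read-only operational command used to exercise a key.
SHOW_SYSTEM_INFO = "<show><system><info></info></system></show>"

# Constructed sample responses (assumed shape; the 403 message text is an
# assumption based on the API's usual "Invalid credential" error).
SAMPLE_KEYGEN_OK = ('<response status="success"><result>'
                    '<key>LUFRPT1example</key></result></response>')
SAMPLE_OP_OK = ('<response status="success"><result><system>'
                '<hostname>fw-lab</hostname></system></result></response>')
SAMPLE_OP_REJECTED = ('<response status="error" code="403"><result>'
                      '<msg>Invalid credential</msg></result></response>')


def keygen_url(host: str, user: str, password: str) -> str:
    """URL that asks the firewall for the API key of a local account."""
    return f"https://{host}/api/?" + urlencode(
        {"type": "keygen", "user": user, "password": password})


def op_url(host: str, key: str, cmd: str = SHOW_SYSTEM_INFO) -> str:
    """URL that runs a read-only operational command with the given key."""
    return f"https://{host}/api/?" + urlencode(
        {"type": "op", "cmd": cmd, "key": key})


def parse_key(xml_text: str) -> str:
    """Extract the key from a keygen response; raise if the request failed."""
    root = ET.fromstring(xml_text)
    key = root.findtext("./result/key")
    if root.get("status") != "success" or not key:
        raise ValueError("keygen failed: " + xml_text)
    return key


def classify(xml_text: str) -> str:
    """Map an API response to 'accepted', 'rejected' or 'unknown'.

    A revoked or otherwise invalid key comes back as status="error" with
    code 403 and a credential error message. Any other non-success reply
    (bad command, transient error) is 'unknown' so it is never mistaken
    for proof of revocation.
    """
    root = ET.fromstring(xml_text)
    if root.get("status") == "success":
        return "accepted"
    msg = (root.findtext(".//msg") or "").lower()
    if root.get("status") == "error" and (
            root.get("code") == "403" or "credential" in msg):
        return "rejected"
    return "unknown"


def fetch(url: str, verify_tls: bool = True) -> str:
    """GET a URL over HTTPS and return the body as text."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # many firewalls present self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urlopen(url, context=ctx, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")


def probe(host: str, key: str, verify_tls: bool = True) -> str:
    """Report whether a (previously issued) key is still accepted."""
    return classify(fetch(op_url(host, key), verify_tls))


if __name__ == "__main__":
    # Step 1, before the change: save parse_key(fetch(keygen_url(host, user, pw))).
    # Step 2: change the account password and, on affected releases, run
    #         'debug software restart process management-server'.
    # Step 3: python probe_key.py <host> <saved-key> [--insecure]
    #         Expected after the fix or mitigation: "old key rejected".
    host, old_key = sys.argv[1], sys.argv[2]
    verdict = probe(host, old_key, verify_tls="--insecure" not in sys.argv[3:])
    print(f"old key {verdict}")
    sys.exit(0 if verdict == "rejected" else 1)
```

Run the probe from the out-of-band management network the advisory recommends, and note that the `keygen` request places the account password in the URL query string, where it can be recorded by proxies and web server logs; treat the key you save in step 1 exactly as you would the password it was derived from, and rotate it once the test is complete.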


Acknowledgments

Raul Garcia, Dell SecureWorks
© 2023 Palo Alto Networks, Inc. All rights reserved.