{"document":{"category":"csaf_vex","csaf_version":"2.1","notes":[{"category":"summary","text":"Palo Alto Networks PSIRT provided VEX document. This document is autogenerated.","title":"PAN-OS on PA-7000 Series: Improper restriction of communication to Log Forwarding Card (LFC) allows root access"}],"publisher":{"category":"vendor","name":"Palo Alto Networks","namespace":"https://security.paloaltonetworks.com"},"title":"Palo Alto Networks PSIRT provided VEX document: CVE-2019-17440","distribution":{"text":"Copyright © 2024 Palo Alto Networks. All rights reserved.","tlp":{"label":"CLEAR","url":"https://www.first.org/tlp/"}},"tracking":{"current_release_date":"2026-04-11T00:53:15.411Z","generator":{"date":"2026-04-11T00:53:15.411Z","engine":{"name":"Vulnogram","version":"0.0.9"}},"id":"CVE-2019-17440","initial_release_date":"2019-12-19T19:35:00.000Z","revision_history":[{"number":"1","date":"2026-04-10T17:53:15.000Z","summary":"Initial release"}],"status":"final","version":"1"}},"product_tree":{"branches":[{"name":"Palo Alto Networks","category":"vendor","branches":[]}]},"vulnerabilities":[{"cve":"CVE-2019-17440","product_status":{"fixed":["PANW-PAN-OS-343"],"known_affected":["PANW-PAN-OS-342"],"known_not_affected":["PANW-PAN-OS-344","PANW-PAN-OS-345"]},"notes":[{"category":"description","text":"Improper restriction of communications to Log Forwarding Card (LFC) on PA-7000 Series devices with second-generation Switch Management Card (SMC) may allow an attacker with network access to the LFC to gain root access to PAN-OS.\nThis issue affects PAN-OS 9.0 versions prior to 9.0.5-h3 on PA-7080 and PA-7050 devices with an LFC installed and configured.\nThis issue does not affect PA-7000 Series deployments using the first-generation SMC and the Log Processing Card (LPC).\nThis issue does not affect any other PA series devices.\nThis issue does not affect devices without an LFC.\nThis issue does not affect PAN-OS 8.1 or prior releases.\nThis issue only affected a very limited number of customers and we undertook individual outreach to help them upgrade. At the time of publication, all identified customers have upgraded SW or content and are not impacted."}],"references":[{"category":"external","summary":"NVD - CVE-2019-17440","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-17440"},{"category":"self","summary":"Palo Alto Networks Security Advisory CVE-2019-17440","url":"https://security.paloaltonetworks.com/CVE-2019-17440"}],"threats":[{"category":"impact","description":"Improper restriction of communications to Log Forwarding Card (LFC) on PA-7000 Series devices with second-generation Switch Management Card (SMC) may allow an attacker with network access to the LFC to gain root access to PAN-OS.\nThis issue affects PAN-OS 9.0 versions prior to 9.0.5-h3 on PA-7080 and PA-7050 devices with an LFC installed and configured.\nThis issue does not affect PA-7000 Series deployments using the first-generation SMC and the Log Processing Card (LPC).\nThis issue does not affect any other PA series devices.\nThis issue does not affect devices without an LFC.\nThis issue does not affect PAN-OS 8.1 or prior releases.\nThis issue only affected a very limited number of customers and we undertook individual outreach to help them upgrade. At the time of publication, all identified customers have upgraded SW or content and are not impacted."}],"scores":[{"cvss_v3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":10,"baseSeverity":"CRITICAL"},"products":["PANW-PAN-OS-342"]}]}]}