Palo Alto Warns of Critical Zero‑Day RCE in PAN‑OS User‑ID Portal
Palo Alto Networks issued an emergency advisory on Tuesday warning customers that a critical remote-code-execution (RCE) flaw in the PAN-OS User-ID Authentication Portal, for which no fix was available at the time of the advisory, is being actively exploited in the wild. Tracked as CVE-2024-7456 and rated CVSS 9.8, the vulnerability affects the web-based interface that feeds user-identity information into policy decisions. An unauthenticated attacker can send a specially crafted HTTP POST request to the portal and trigger a buffer overflow, which can be leveraged to execute arbitrary code with root privileges on the firewall appliance.
Technical analysis shows the bug resides in the XML parser of the User-ID component that processes login and group-mapping messages received on the management port. By embedding shell meta-characters in the userip field of a User-ID XML request, an attacker can trigger a stack overflow that overwrites the saved return address, paving the way for a reverse shell or the deployment of a malicious payload. The vulnerable endpoint, https://
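The defensive counterpart to the bug described above is strict validation of every field in a User-ID message before any native code touches it. The following is an added example written for this article, not Palo Alto Networks code. The message shape (a uid-message wrapping login/logout entries) follows the public User-ID XML API, whose address attribute is `ip`; the `userip` name used in the article is accepted as an alias, which is an assumption of this example, as are the length bound and the sample messages, which are constructed rather than captured.

```python
"""Validate a User-ID style XML message before it reaches a native parser.

Added example for this article, not Palo Alto Networks code. The message shape
(<uid-message> wrapping <login>/<logout> entries) follows the public User-ID
XML API, whose address attribute is `ip`; the `userip` name used in the
article is accepted as an alias, which is an assumption of this example.
Values are bounded, checked for shell meta-characters and required to parse
as IP addresses, so neither an oversized field nor an injected command
string ever reaches the code that acts on the mapping.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

MAX_FIELD_LEN = 64  # assumed bound; an IPv6 literal is at most 45 characters
# Characters with meaning to a shell or command line; a user name or address
# never legitimately contains them. Backslash is allowed (DOMAIN\user).
META = re.compile(r"[;|&`$<>(){}\r\n]")


def validate_uid_message(xml_bytes: bytes) -> tuple[bool, str]:
    """Return (ok, reason); anything that is not a minimal mapping fails."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if root.tag != "uid-message":
        return False, f"unexpected root element {root.tag!r}"
    entries = root.findall("./payload/login/entry") + root.findall("./payload/logout/entry")
    if not entries:
        return False, "no login/logout entries"
    for entry in entries:
        name = entry.get("name") or ""
        addr = entry.get("ip") or entry.get("userip") or ""  # `userip` per the article
        for label, value in (("name", name), ("ip", addr)):
            if not value:
                return False, f"missing {label}"
            if len(value) > MAX_FIELD_LEN:
                return False, f"{label} too long ({len(value)} > {MAX_FIELD_LEN})"
            if META.search(value):
                return False, f"{label} contains shell meta-characters"
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            return False, f"ip {addr!r} is not an IP address"
    return True, "ok"


# Constructed sample messages (not captured traffic).
GOOD_MSG = (
    b'<uid-message><version>1.0</version><type>update</type><payload>'
    b'<login><entry name="acme\\jparker" ip="10.1.1.23" timeout="20"/></login>'
    b'</payload></uid-message>'
)
OVERLONG_MSG = GOOD_MSG.replace(b'ip="10.1.1.23"', b'ip="' + b'A' * 300 + b'"')
META_MSG = GOOD_MSG.replace(b'10.1.1.23', b'10.1.1.23;id')
NOT_IP_MSG = GOOD_MSG.replace(b'10.1.1.23', b'10.1.1.999')
TRUNCATED_MSG = b'<uid-message><payload><login>'

if __name__ == "__main__":
    for label, msg in (("good", GOOD_MSG), ("overlong", OVERLONG_MSG),
                       ("meta", META_MSG), ("not-ip", NOT_IP_MSG),
                       ("truncated", TRUNCATED_MSG)):
        print(label, validate_uid_message(msg))
```

The length bound, the meta-character check and the IP parse each close a different door: the first stops a fixed-size buffer from being overrun, the second stops a value from being handed to a shell, and the third rejects anything that is not an identity mapping at all. Ordering the checks cheapest-first keeps the parser from doing work on input that has already failed.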
Palo Alto has confirmed that at least one advanced persistent threat (APT) group, internally designated “StonePanda,” is leveraging the zero‑day in targeted attacks against the defense and financial sectors. The group’s campaign uses spear‑phishing emails containing a malicious link that redirects to the compromised portal, where the exploit is triggered automatically. Observed follow‑on activity includes lateral movement attempts that use the firewall as a pivot point to reach internal Active Directory servers.
In response, Palo Alto has since released hot‑fixes for the most recent maintenance releases: PAN‑OS 9.1.13, 10.0.9, 10.1.3, and 10.2.0. Until the fixes can be applied, administrators are urged to disable the User‑ID Authentication Portal on untrusted interfaces, restrict management access to a dedicated jump‑host, and enable Threat Prevention signature 8795, which detects the exploit payload. Organizations should also search their logs for the advisory’s indicators of compromise and review any unexpected inbound connections to TCP port 443 on firewall management interfaces.
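The log review step above is easy to automate. The script below is an added example written for this article, not vendor tooling: it sweeps a constructed, simplified comma‑separated log (time, type, source, destination, destination port, action, threat ID, rather than the full PAN‑OS CSV export) for management‑interface access from anything other than the admin jump‑host and for Threat Prevention hits on signature 8795. The management address, the jump‑host range and the field order are assumptions of the example. It goes slightly beyond the text in one respect: the management check covers every port, not only 443, because the jump‑host restriction the advisory recommends applies to all management access.

```python
"""Sweep firewall logs for the indicators the advisory singles out: traffic to
a management interface from anything but the admin jump-host, and Threat
Prevention hits on signature 8795.

Added example for this article, not vendor tooling. Log lines are constructed
in a simplified comma-separated layout (time,type,src,dst,dport,action,
threat_id), not the full PAN-OS CSV export; the management address, jump-host
range and field order are assumptions of this example. The management check
deliberately covers every port, not only 443, because the advisory's
jump-host restriction applies to all management access.
"""
import csv
import ipaddress
from collections import Counter
from io import StringIO

MGMT_IPS = {ipaddress.ip_address("10.0.0.1")}        # assumed management interface
JUMP_HOSTS = [ipaddress.ip_network("10.0.50.0/29")]  # assumed admin jump-host range
EXPLOIT_SIGNATURE = "8795"                           # Threat Prevention ID from the advisory

# Constructed sample log (not a real capture).
SAMPLE_LOG = """\
2024-08-06T09:14:02,TRAFFIC,10.0.50.2,10.0.0.1,443,allow,
2024-08-06T09:15:41,TRAFFIC,203.0.113.77,10.0.0.1,443,allow,
2024-08-06T09:15:43,THREAT,203.0.113.77,10.0.0.1,443,reset-both,8795
2024-08-06T09:16:10,TRAFFIC,198.51.100.9,10.0.0.1,22,deny,
2024-08-06T09:17:55,TRAFFIC,10.1.4.12,192.0.2.10,443,allow,
"""


def from_jump_host(src) -> bool:
    """True when the source address lies inside an approved jump-host range."""
    return any(src in net for net in JUMP_HOSTS)


def sweep(log_text: str) -> list[dict]:
    """Return one finding per indicator matched, in log order."""
    findings = []
    for row in csv.reader(StringIO(log_text)):
        if len(row) < 7:
            continue  # skip blank or truncated lines
        ts, kind, src, dst, dport, action, threat_id = row[:7]
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Any management-interface access not originating from the jump-host
        # range is a policy violation worth a look, whether allowed or denied.
        if dst_ip in MGMT_IPS and not from_jump_host(src_ip):
            findings.append({"time": ts, "kind": "untrusted-mgmt-access", "src": src,
                             "detail": f"{kind.lower()} to {dst}:{dport} ({action})"})
        # A Threat log line carrying the exploit signature is a direct hit.
        if threat_id == EXPLOIT_SIGNATURE:
            findings.append({"time": ts, "kind": "exploit-signature", "src": src,
                             "detail": f"signature {threat_id} on {dst}:{dport} ({action})"})
    return findings


def summarize(findings: list[dict]) -> dict[str, int]:
    """Count findings per source address to prioritise who to investigate first."""
    return dict(Counter(f["src"] for f in findings))


if __name__ == "__main__":
    hits = sweep(SAMPLE_LOG)
    for hit in hits:
        print(hit["time"], hit["kind"], hit["src"], hit["detail"])
    print(summarize(hits))
```

On the sample, the jump‑host session on the first line is ignored, the two external sources reaching the management address are flagged on every line, and the signature hit is reported separately, so the same source shows up both as a policy violation and as a confirmed exploit attempt. To run this against real exports, replace the field unpacking with the column positions of the PAN‑OS traffic and threat log formats.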