CVE-2024-9471: 
PAN-OS vulnerability analysis and mitigation

A privilege escalation (PE) vulnerability exists in the XML API of Palo Alto Networks PAN-OS software that enables an authenticated PAN-OS administrator with restricted privileges to use a compromised XML API key to perform actions as a higher privileged PAN-OS administrator beyond what the XML API permits. The vulnerability affects PAN-OS versions 9.0, 9.1, 10.1 (versions before 10.1.11), 10.2 (versions before 10.2.8), and 11.0 (versions before 11.0.3) (Palo Advisory).

The vulnerability has been assigned a CVSS v4.0 Base Score of 5.1 (MEDIUM) with the following vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/AU:N/R:A/V:D/RE:L/U:Green. The vulnerability is classified under CWE-269 (Improper Privilege Management). The issue is only applicable to PAN-OS configurations that have XML API access enabled (Palo Advisory, NVD).

When exploited, this vulnerability allows an administrator with restricted privileges (such as "Virtual system administrator (read-only)") to perform actions beyond their intended access level. For example, they could perform write operations on the virtual system configuration even though they should be limited to read-only operations (NVD).

The vulnerability has been fixed in PAN-OS versions 10.1.11, 10.2.8, 11.0.3, and all later PAN-OS versions. As a mitigation measure, organizations should follow the Administrative Access Best Practices in the PAN-OS technical documentation. Additionally, it's important to note that XML API keys are not meant to be shared between users, as each key is associated with a specific user (Palo Advisory).