Cyber Resilience

CVE-2022-0028

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 10 August 2022
Modified: 04 November 2025
KEV Added: 22 August 2022
Patch
CVSS Score (v3.1): 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
EPSS Score: 0.0468 (89.6th percentile)
Risk Priority: 40 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-0028 is a high-severity Network Amplification (CWE-406) vulnerability in Palo Alto Networks PAN-OS. Its CVSS v3.1 base score is 8.6 (High).

Operationally, it ranks in the top 10.4% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations identified by our analysis are NIST 800-53 CM-6 (Configuration Settings) and SC-5 (Denial-of-Service Protection).

Deeper analysis

A PAN-OS URL filtering policy misconfiguration affects PA-Series hardware, VM-Series virtual, and CN-Series container firewalls running PAN-OS. The flaw lets a network-based attacker trigger reflected and amplified TCP denial-of-service attacks that appear to originate from the firewall itself. The precondition is a URL filtering profile containing one or more blocked categories assigned to a source zone that has an external-facing interface; the vendor describes this configuration as atypical and likely unintended. The issue does not affect Panorama appliances, Cloud NGFW, or Prisma Access customers.

An unauthenticated network attacker can exploit the condition to direct amplified TCP traffic toward an arbitrary target, implicating the firewall as the attack source and thereby obfuscating the true origin. The attack has no impact on the confidentiality, integrity, or availability of the firewall itself.
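One way to audit a configuration export for the precondition above, as an added example that is not Palo Alto Networks' code: it assumes a simplified PAN-OS-style XML layout (zones, URL Filtering profiles, security rules with a profile setting) and takes the set of external-facing interfaces as operator input, because the export alone does not say which interface faces the Internet.

```python
# Added audit check (not Palo Alto Networks code): flag security rules that
# apply a URL Filtering profile with blocked categories to a source zone that
# holds an external-facing interface. XML layout is an assumed simplification
# of a PAN-OS config export; adjust the paths to match a real export.
import xml.etree.ElementTree as ET

# Constructed sample config: 'untrust' holds the Internet-facing interface.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<zone>
 <entry name="untrust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
 <entry name="trust"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
</zone>
<profiles><url-filtering>
 <entry name="block-malware"><block><member>malware</member></block></entry>
 <entry name="alert-only"><alert><member>gambling</member></alert></entry>
</url-filtering></profiles>
<rulebase><security><rules>
 <entry name="inbound-web"><from><member>untrust</member></from><to><member>trust</member></to>
  <profile-setting><profiles><url-filtering><member>block-malware</member></url-filtering></profiles></profile-setting></entry>
 <entry name="outbound-web"><from><member>trust</member></from><to><member>untrust</member></to>
  <profile-setting><profiles><url-filtering><member>block-malware</member></url-filtering></profiles></profile-setting></entry>
 <entry name="inbound-alert"><from><member>untrust</member></from><to><member>trust</member></to>
  <profile-setting><profiles><url-filtering><member>alert-only</member></url-filtering></profiles></profile-setting></entry>
</rules></security></rulebase>
</entry></vsys></entry></devices></config>"""

def find_reflector_rules(config_xml, external_interfaces):
    """Return names of security rules matching the CVE-2022-0028 precondition.
    external_interfaces: interface names the operator labels Internet-facing."""
    vsys = ET.fromstring(config_xml).find("./devices/entry/vsys/entry")
    # Zones that contain at least one external-facing interface.
    external_zones = {
        z.get("name") for z in vsys.findall("./zone/entry")
        if any(m.text in external_interfaces for m in z.iter("member"))
    }
    # URL Filtering profiles whose <block> category list is non-empty.
    blocking_profiles = {
        p.get("name") for p in vsys.findall("./profiles/url-filtering/entry")
        if p.find("./block/member") is not None
    }
    findings = []
    for rule in vsys.findall("./rulebase/security/rules/entry"):
        src = {m.text for m in rule.findall("./from/member")}
        prof = {m.text for m in rule.findall("./profile-setting/profiles/url-filtering/member")}
        if src & external_zones and prof & blocking_profiles:
            findings.append(rule.get("name"))
    return findings

if __name__ == "__main__":
    print(find_reflector_rules(SAMPLE_CONFIG, {"ethernet1/1"}))  # ['inbound-web']
```

Only the rule that pairs an external source zone with a blocking profile is reported; the same profile on an internal source zone, and an alert-only profile on the external zone, are not.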

Palo Alto Networks states that software fixes were scheduled for release no later than the week of 15 August 2022. The vendor has already resolved the issue for all Cloud NGFW and Prisma Access deployments, requiring no further customer action in those environments. The vulnerability appears in CISA’s Known Exploited Vulnerabilities catalog.

EPSS scores have remained low, with a current value of 0.0468 and a peak of 0.0481.


Vulnerability details

A PAN-OS URL filtering policy misconfiguration could allow a network-based attacker to conduct reflected and amplified TCP denial-of-service (RDoS) attacks. The DoS attack would appear to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual) and CN-Series (container) firewall against an attacker-specified target. To be misused by an external attacker, the firewall configuration must have a URL filtering profile with one or more blocked categories assigned to a source zone that has an external facing interface. This configuration is not typical for URL filtering and, if set, is likely unintended by the administrator. If exploited, this issue would not impact the confidentiality, integrity, or availability of our products. However, the resulting denial-of-service (DoS) attack may help obfuscate the identity of the attacker and implicate the firewall as the source of the attack. We have taken prompt action to address this issue in our PAN-OS software. All software updates for this issue are expected to be released no later than the week of August 15, 2022. This issue does not impact Panorama M-Series or Panorama virtual appliances. This issue has been resolved for all Cloud NGFW and Prisma Access customers and no additional action is required from them.

CWE(s): CWE-406 (Network Amplification)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: paloaltonetworks
Product: pan-os
Versions: 10.0.11, 10.1.6, 10.2.2, 8.1.23, 9.0.16; 8.1.0 to 8.1.23; 9.0.0 to 9.0.16; 9.1.0 to 9.1.14

Mitigating Controls (NIST 800-53 r5)

prevent: Enforces secure configuration settings that prevent assignment of URL filtering profiles with blocked categories to externally facing source zones.

prevent: Requires denial-of-service protection mechanisms that block the firewall from being abused as a reflector/amplifier for TCP traffic.

prevent: Implements boundary protection rules that restrict how traffic entering external interfaces can trigger reflected responses.
