Cyber Resilience

CVE-2024-3393

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 27 December 2024
Modified: 04 November 2025
KEV Added: 30 December 2024
Patch: see vendor advisory
CVSS v4.0 score: 8.7 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:M/U:Amber)
EPSS score: 0.7972 (99.1st percentile)
Risk Priority: 85 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-3393 is a high-severity Improper Check for Unusual or Exceptional Conditions (CWE-754) vulnerability in Palo Alto Networks PAN-OS. Its CVSS base score is 8.7 (High).

Operationally, it ranks in the top 0.9% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-3393 is a denial-of-service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software. An unauthenticated attacker can trigger a firewall reboot by sending a specially crafted packet through the data plane; repeated triggering forces the device into maintenance mode. The flaw is tracked under CWE-754 and carries a CVSS 4.0 score of 8.7, reflecting a network attack vector, no required privileges or user interaction, and high availability impact.

No authentication is needed: the malicious packet only has to traverse the firewall's data plane. Successful exploitation results in an immediate device reboot; sustained attempts place the firewall into maintenance mode, disrupting traffic inspection and security services until manual recovery.

The official Palo Alto Networks advisory at security.paloaltonetworks.com/CVE-2024-3393 details affected PAN-OS versions and remediation steps, while CISA has added the CVE to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. The associated EPSS score has reached 0.7972, indicating substantial exploitation probability.

EU & UK References

Vulnerability details

A Denial of Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.

CWE(s): CWE-754 (Improper Check for Unusual or Exceptional Conditions)
KEV Date Added: 30 December 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Palo Alto Networks PAN-OS: 10.1.14, 10.2.10, 10.2.11, 10.2.12, 10.2.13 · 11.1.0 – 11.1.1 · 11.2.0 – 11.2.3
Palo Alto Networks Prisma Access: all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) [AI]

- Prevent: SC-5 (Denial-of-service Protection). Directly requires mechanisms to protect against or limit the effects of DoS attacks such as the single malicious DNS Security packet that forces a PAN-OS reboot.

- Prevent: SI-10 (Information Input Validation). Requires validation of inputs to reject malformed or exceptional DNS packets before they reach the vulnerable PAN-OS DNS Security processing path.

- Prevent: Mandates timely installation of vendor patches that eliminate the CWE-754 flaw in the PAN-OS DNS Security feature.

References