CVE-2024-3393: Critical DoS Vulnerability Actively Exploited in Palo Alto Networks PAN-OS Firewalls
Jan 15

Executive Summary
A critical Denial of Service (DoS) vulnerability, identified as CVE-2024-3393, has been disclosed and is actively exploited in the wild, targeting Palo Alto Networks firewalls running vulnerable versions of PAN-OS. This flaw enables unauthenticated remote attackers to send specially crafted DNS packets that can force affected firewalls to reboot or enter maintenance mode, effectively disabling all network security controls and exposing organizations to significant risk. The vulnerability specifically impacts devices with the DNS Security feature enabled and DNS Security logging active. Multiple security advisories from Palo Alto Networks, CISA, and leading threat intelligence providers confirm ongoing exploitation and urge immediate mitigation. Organizations relying on Palo Alto Networks firewalls for perimeter defense must act swiftly to patch or mitigate this vulnerability to prevent catastrophic loss of network protection.
Technical Information
CVE-2024-3393 is a high-severity vulnerability (CVSS 8.7) affecting the data plane of Palo Alto Networks PAN-OS when the DNS Security feature is enabled and DNS Security logging is active. The vulnerability arises from improper handling of exceptional conditions (CWE-754) and buffer overread scenarios (CAPEC-540) in the DNS Security inspection logic. An unauthenticated attacker can exploit this flaw by transmitting a specially crafted DNS packet through the firewall, which triggers a logic error, causing the device to reboot. Repeated exploitation can force the firewall into maintenance mode, rendering it non-operational and disabling all security enforcement.
The attack vector is network-based, requiring no authentication or user interaction, and the attack complexity is low. The vulnerability is present in both physical and virtual appliances, including PA-Series, VM-Series, CN-Series firewalls, and Prisma Access cloud firewalls, provided the DNS Security license (standard or advanced) is applied and DNS Security logging is enabled.
The affected PAN-OS versions are as follows: 11.2 versions prior to 11.2.3, 11.1 versions prior to 11.1.5, 10.2 versions from 10.2.8 up to but not including 10.2.14, and 10.1 versions from 10.1.14 up to but not including 10.1.15. Prisma Access deployments running versions from 10.2.8 up to but not including 11.2.3 are also vulnerable.
The vulnerability is triggered when the firewall inspects DNS traffic and attempts to log DNS Security events. The crafted DNS packet exploits a logic flaw in the logging mechanism, causing a crash in the data plane process. This results in an immediate reboot of the firewall. If the attack is repeated, the device may enter maintenance mode, which disables all security policies and leaves the network perimeter unprotected.
Detection of exploitation can be challenging, as the primary symptoms are unexpected firewall reboots, entry into maintenance mode, and loss of network protection. DNS Security logs may show abnormal or malformed DNS packet activity immediately prior to the crash. Administrators can use the PAN-OS CLI command "show config merged | match log-level" to determine whether DNS Security logging is enabled; any log-level other than "none" indicates exposure.
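A defender-side triage helper, added here as an example and not code from Palo Alto Networks or Rescana, that applies the affected version ranges listed above and scans the output of "show config merged | match log-level" for any level other than "none". It assumes PAN-OS version strings of the form 10.2.9 or 10.2.9-h3 (the hotfix suffix is ignored, which errs toward reporting exposure) and uses constructed sample CLI output.

```python
"""CVE-2024-3393 exposure triage (added example; not Palo Alto Networks or Rescana code).
Assumptions: PAN-OS version strings look like "10.2.9" or "10.2.9-h3"; the
hotfix suffix is ignored, which errs toward reporting exposure."""
import re

# Affected ranges as stated in the advisory, per major.minor train:
# (first affected or None for "all earlier releases", first fixed release).
VULNERABLE_RANGES = {
    (11, 2): (None, (11, 2, 3)),
    (11, 1): (None, (11, 1, 5)),
    (10, 2): ((10, 2, 8), (10, 2, 14)),
    (10, 1): ((10, 1, 14), (10, 1, 15)),
}

def parse_version(version):
    """Return (major, minor, maintenance) for a PAN-OS version string."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h\d+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return tuple(int(x) for x in m.groups())

def version_in_vulnerable_range(version):
    """True if the version falls in a range the advisory lists as affected.
    Trains the advisory does not mention (e.g. 11.0) return False."""
    v = parse_version(version)
    rng = VULNERABLE_RANGES.get(v[:2])
    if rng is None:
        return False
    start, fixed = rng
    return (start is None or v >= start) and v < fixed

def dns_security_logging_enabled(cli_output):
    """Scan 'show config merged | match log-level' output: any log-level
    other than 'none' means DNS Security events are being logged."""
    for line in cli_output.splitlines():
        m = re.search(r"log-level\s+([^\s;]+)", line)
        if m and m.group(1) != "none":
            return True
    return False

def is_exposed(version, dns_security_licensed, cli_output):
    """All three advisory conditions must hold: version, license, logging."""
    return (version_in_vulnerable_range(version)
            and dns_security_licensed
            and dns_security_logging_enabled(cli_output))

# Constructed sample CLI output (not captured from a real device).
LOGGING_OFF = "        log-level none;\n        log-level none;\n"
LOGGING_ON = "        log-level none;\n        log-level default;\n"

if __name__ == "__main__":
    for ver in ("10.2.9-h3", "10.2.14", "11.2.2"):
        print(ver, "exposed" if is_exposed(ver, True, LOGGING_ON) else "not exposed")
```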
Exploitation in the Wild
Exploitation of CVE-2024-3393 was first publicly disclosed on December 26, 2024, by Censys, with confirmation from Palo Alto Networks and CISA. The vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation by threat actors. Observed activity includes widespread scanning and targeted attacks against exposed PAN-OS devices. Censys reported over 271,000 exposed PAN-OS devices online, with approximately 40% located in the United States. Shadowserver tracked nearly 6,000 exposed Palo Alto Networks firewalls at the time of reporting.
Multiple organizations have reported unexpected firewall reboots and loss of network protection, consistent with exploitation of this vulnerability. While no public proof-of-concept (PoC) exploit code has been released, the technical simplicity of the attack and the lack of authentication requirements have enabled rapid weaponization by malicious actors. The exploitation is opportunistic and widespread, targeting any vulnerable device accessible over the internet.
APT Groups using this vulnerability
As of this report, no specific Advanced Persistent Threat (APT) group or named threat actor has been publicly attributed to the exploitation of CVE-2024-3393. The attack technique aligns with MITRE ATT&CK technique T1499 (Endpoint Denial of Service), which is commonly leveraged by both state-sponsored and financially motivated actors to disrupt network operations. The lack of attribution does not diminish the risk, as the vulnerability is being exploited in the wild by a range of threat actors, including those with the capability to pivot from denial-of-service to more sophisticated attacks once perimeter defenses are disabled.
Affected Product Versions
The following Palo Alto Networks products and versions are affected by CVE-2024-3393: PA-Series, VM-Series, and CN-Series firewalls running PAN-OS 11.2 versions prior to 11.2.3, 11.1 versions prior to 11.1.5, 10.2 versions from 10.2.8 up to but not including 10.2.14, and 10.1 versions from 10.1.14 up to but not including 10.1.15. Prisma Access deployments running versions from 10.2.8 up to but not including 11.2.3 are also vulnerable. The exposure requires that the DNS Security license (standard or advanced) is applied and DNS Security logging is enabled. Devices without DNS Security enabled or with DNS Security logging set to "none" are not affected.
Workaround and Mitigation
Immediate patching is the most effective mitigation. Palo Alto Networks has released fixed versions: PAN-OS 10.1.15, 10.2.14, 11.1.5, 11.2.3, and all later versions. Organizations should prioritize upgrading all affected devices to these versions or later.
If patching cannot be performed immediately, a temporary workaround is to disable DNS Security logging. This can be achieved by setting the log severity to "none" for all DNS Security categories in custom Anti-Spyware profiles. For Prisma Access customers, an expedited upgrade can be requested via a support case. It is important to note that disabling DNS Security logging may block DNS traffic without generating logs, which can impact visibility into DNS-based threats and hinder incident response efforts.
Administrators should also monitor for signs of exploitation, including unexpected firewall reboots, entry into maintenance mode, and loss of network protection. Reviewing DNS Security logs for abnormal or malformed DNS queries prior to device crashes can provide additional indicators of compromise.
References
Palo Alto Networks Security Advisory – CVE-2024-3393: https://security.paloaltonetworks.com/CVE-2024-3393
NVD Entry – CVE-2024-3393: https://nvd.nist.gov/vuln/detail/CVE-2024-3393
Censys Advisory – CVE-2024-3393: https://censys.com/advisory/cve-2024-3393
BleepingComputer – Palo Alto Networks warns of DoS bug letting hackers disable firewalls: https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-dos-bug-letting-hackers-disable-firewalls/
CISA KEV Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Shadowserver Exposure Data: https://www.shadowserver.org/
MITRE ATT&CK T1499: https://attack.mitre.org/techniques/T1499/
Rescana is here for you
Rescana is committed to helping organizations proactively manage third-party and supply chain cyber risk. Our advanced TPRM platform empowers security teams to continuously monitor, assess, and mitigate vulnerabilities across their digital ecosystem. While this advisory focuses on a specific vulnerability in Palo Alto Networks products, the broader challenge of managing exposure to rapidly evolving threats requires a holistic, automated, and intelligence-driven approach. Our team of experts is available to support your organization in understanding, prioritizing, and remediating cyber risks. We are happy to answer any questions at ops@rescana.com.


