PAN-OS vulnerabilities add to a torrid year for enterprise software bugs

Positive Technologies researchers found four bugs in the popular enterprise software, some of them critical.
A Palo Alto Networks firewall. Four new vulnerabilities were found in the operating system that powers these appliances. (Flickr / Johannes Weber)

Cybersecurity researchers on Wednesday revealed four new vulnerabilities in enterprise software used by thousands of companies around the world that, if exploited, could be used to steal data from internal networks.

The bugs in the PAN operating system (PAN-OS) made by Palo Alto Networks add to a growing list of vulnerabilities in widely used corporate software that researchers have uncovered in 2020. Some of those vulnerabilities, such as a flaw in software made by Citrix, have been used in espionage and other hacking operations.

In the case of the PAN-OS flaws, which security firm Positive Technologies found, CyberScoop has not seen evidence that hackers have successfully exploited them. Palo Alto Networks released fixes for all of the vulnerabilities and told customers to apply them.

One of the more critical vulnerabilities could allow a hacker who first accesses the software’s management interface to plant malicious code in the operating system and obtain “maximum privileges” on the system, according to Positive Technologies researchers. Another bug could allow a hacker to take over the software by tricking an administrator into clicking on a malicious link.


Exploiting those flaws requires accessing the PAN-OS software’s “administrative panel,” a sort of skeleton key for enterprise software. Many organizations house that panel on their internal networks. However, some organizations make it externally accessible, heightening their security risk, said Positive Technologies researcher Mikhail Klyuchnikov.

The string of vulnerabilities found in corporate software this year has prompted warnings from U.S. government agencies, and left some analysts wondering if there’s an underlying problem in coding practices in the industry. And concerns about the software flaws have only been heightened because of companies’ increased reliance on telework during the coronavirus pandemic.

The Department of Homeland Security and U.S. Cyber Command in July urged organizations to update their software to address another vulnerability in PAN-OS. Cyber Command said then that foreign government-linked hackers would soon try to exploit the vulnerability. That same month, researchers found a vulnerability in applications made by software giant SAP that they said affected up to 40,000 SAP customers.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
