[SingCERT] Critical RCE Vulnerability (CVE-2019-1579) in Palo Alto Gateway

Published on 23 Jul 2019

Updated on 07 Jan 2020



A critical remote code execution vulnerability (CVE-2019-1579) was found in the Palo Alto GlobalProtect Portal and GlobalProtect Gateway interface products. CVE-2019-1579 is a pre-authentication format string vulnerability that could be exploited by sending a specially crafted request to a vulnerable Secure Sockets Layer (SSL) Virtual Private Network (VPN) gateway.

There have been reports of threat actors targeting organisations around the world by using this vulnerability.

Affected Versions

  • PAN-OS 7.1.18 and earlier
  • PAN-OS 8.0.11 and earlier
  • PAN-OS 8.1.2 and earlier


PAN-OS 9.0, and systems that have GlobalProtect disabled, are not affected.
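To apply the list above across a firewall inventory, the following added example (not part of the original advisory) sorts devices into affected, not affected and manual review. The hostnames and inventory rows are constructed, and the handling of hotfix builds and of release trains older than 7.1 is an assumption marked in the comments.

```python
import re

# Last affected maintenance release per PAN-OS train, from the advisory's list.
LAST_AFFECTED = {(7, 1): 18, (8, 0): 11, (8, 1): 2}
# major.minor.maintenance with an optional hotfix suffix such as "-h2".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h\d+)?$")

def parse_panos(version):
    """Return (major, minor, maintenance); raise ValueError if unrecognised."""
    m = VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return tuple(int(part) for part in m.groups())

def is_affected(version, globalprotect_enabled):
    """Apply the advisory's affected-version list to one device."""
    if not globalprotect_enabled:
        return False  # advisory: GlobalProtect disabled means not affected
    major, minor, maintenance = parse_panos(version)
    train = (major, minor)
    if train in LAST_AFFECTED:
        # Assumption: a hotfix build counts as its base maintenance release.
        return maintenance <= LAST_AFFECTED[train]
    # Assumption: trains older than 7.1 fall under "7.1.18 and earlier".
    return train < (7, 1)

def triage(inventory):
    """Sort (hostname, version, gp_enabled) rows into three buckets."""
    result = {"affected": [], "not_affected": [], "manual_review": []}
    for host, version, gp_enabled in inventory:
        try:
            bucket = "affected" if is_affected(version, gp_enabled) else "not_affected"
        except ValueError:
            bucket = "manual_review"  # never silently pass an unknown version
        result[bucket].append(host)
    return result

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("fw-edge-01", "8.1.2", True), ("fw-edge-02", "8.1.3", True),
    ("fw-branch-01", "8.0.11-h2", True), ("fw-branch-02", "7.1.19", True),
    ("fw-lab-01", "7.0.9", True), ("fw-dc-01", "8.0.5", False),
    ("fw-dc-02", "9.0.1", True), ("fw-old-01", "unknown", True),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```
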




Successful exploitation of the vulnerability could allow an unauthenticated attacker to infiltrate the network and execute arbitrary code.




System administrators are advised to update their software to content release version 8173 or later immediately.


If it is not feasible to update the software immediately due to compliance issues, threat prevention should be enabled and enforced on traffic that passes through the GlobalProtect portal and GlobalProtect Gateway interface.