CriticalCISA KEVExploited in the wildPublic exploit

Remote Code Execution in Palo Alto Networks PAN-OS Management Interface

IdentifiersCVE-2017-15944CWE-94

CVE-2017-15944 is a remote code execution vulnerability affecting Palo Alto Networks PAN-OS before 6.1.19, 7.0.x before 7.0.19, 7.1.x before 7.1.14, and 8.0.x before 8.0.6. According to the provided content, the flaw allows remote attackers to execute arbitrary code via vectors involving the PAN-OS management interface. The specific vulnerable function or code path is not provided in the supplied material, so more granular root-cause detail is currently not available.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a remote attacker to execute arbitrary code on the affected PAN-OS device through the management interface. This can result in full compromise of the firewall or management plane, enabling unauthorized administrative actions, access to sensitive configuration and credential material, disruption of security services, and potential use of the device as a pivot point for further intrusion activity.

Mitigation

If you can’t patch tonight, do this now.

Restrict exposure of the PAN-OS management interface to trusted administrative networks only, prevent direct Internet access to the management plane, and apply network-layer access controls to limit who can reach the interface. If immediate patching is not possible, minimize management-interface exposure and monitor for suspicious access or exploitation attempts targeting PAN-OS management services. The supplied content does not provide further vendor-specific mitigations.

Remediation

Patch, then assume compromise.

Upgrade PAN-OS to a fixed release: 6.1.19 or later, 7.0.19 or later, 7.1.14 or later, or 8.0.6 or later, as applicable to the deployed branch. Because the provided content does not include vendor-specific workaround guidance beyond affected/fixed versions, additional remediation detail is currently not available.

PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).

VALID 1 / 2 TOTALView more in app

CVE-2017-15944-POCMaturityPoCVerified exploit

This repository contains a proof-of-concept (POC) exploit for CVE-2017-15944, a remote root code execution vulnerability in Palo Alto Networks PAN-OS firewalls. The repository consists of a Python script (panos-poc.py) and a README file. The script takes a target URL (HTTP or HTTPS) as input, sends crafted requests to the /esp/cms_changeDeviceContext.esp endpoint to attempt exploitation, and then checks the /php/utils/debug.php endpoint for the presence of a 'Debug Console' string as an indicator of successful exploitation. The exploit is network-based and targets accessible PAN-OS devices. The code is a POC and does not provide a full shell or advanced payload, but demonstrates the vulnerability and verifies its presence.

xxnbyyDisclosed Dec 19, 2017pythonnetwork

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

PaloaltonetworksPan-Osoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

virusbulletinNews

May 26, 2026

A Palo Alto PAN-OS remote code execution vulnerability for which UNC3569 downloaded scanner/exploit tooling.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware1

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity2

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2017-15944

NVD

nvd.nist.gov/vuln/detail/CVE-2017-15944

MITRE CWE · CWE-94

cwe.mitre.org

Vendor Advisory

security.paloaltonetworks.com/CVE-2017-15944

Third Party Advisory

exploit-db.com/exploits/43342

Third Party Advisory

exploit-db.com/exploits/44597

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-15944