If the vulnerability is successfully exploited, an attacker gains unauthenticated code execution on the firewall itself, the device that enforces all network segmentation and access control for the protected environment. Full firewall compromise can render all downstream security controls ineffective, enabling lateral movement, data exfiltration, and sustained access with no visibility. Organizations in regulated industries whose PA-Series firewalls enforce perimeter controls around sensitive data environments face potential compliance violations and breach notification obligations in addition to operational disruption.
You Are Affected If
You operate PA-Series hardware firewalls or VM-Series firewalls running PAN-OS 10.2, 11.1, 11.2, or 12.1
DNS Proxy is enabled on one or more firewall interfaces, particularly interfaces reachable from the internet or untrusted networks
Patches for your specific PAN-OS release branch have not yet been published or applied
Your firewall management plane or DNS Proxy listener is not restricted to trusted source IPs via security policy
You have not implemented compensating controls (e.g., disabling DNS Proxy on external interfaces) while awaiting patch availability
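One way to check the DNS Proxy and release-branch conditions above against an exported firewall configuration. This is an added example, not vendor tooling or code from the original advisory. The sample XML is constructed, its element layout is an assumption modelled on a PAN-OS configuration export (verify it against your own export), and the zone names, hostname and function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real export; element layout is an assumption.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain">
  <deviceconfig><system><hostname>fw-edge-01</hostname></system></deviceconfig>
  <network><dns-proxy>
    <entry name="proxy-guest"><enabled>yes</enabled>
      <interface><member>ethernet1/1</member><member>ethernet1/3</member></interface></entry>
    <entry name="proxy-lab"><enabled>no</enabled>
      <interface><member>ethernet1/1</member></interface></entry>
  </dns-proxy></network>
  <vsys><entry name="vsys1"><zone>
    <entry name="untrust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
    <entry name="trust"><network><layer3><member>ethernet1/3</member></layer3></network></entry>
  </zone></entry></vsys>
</entry></devices></config>
"""

# Release branches named on this page. Branch membership alone does not prove
# a device is unpatched: the page lists no fixed versions, so none appear here.
AFFECTED_BRANCHES = {"10.2", "11.1", "11.2", "12.1"}

def branch_affected(sw_version):
    """True if a version string such as '11.1.4-h7' is on a listed branch."""
    return ".".join(sw_version.split(".")[:2]) in AFFECTED_BRANCHES

def exposed_dns_proxies(config_xml, untrusted_zones):
    """Return (proxy, interface, zone) for active DNS Proxy objects bound to
    interfaces in an untrusted zone or in no zone at all."""
    root = ET.fromstring(config_xml)
    zone_of = {}
    for zone in root.iterfind(".//vsys/entry/zone/entry"):
        for member in zone.iterfind("./network/layer3/member"):
            zone_of[member.text.strip()] = zone.get("name")
    findings = []
    for proxy in root.iterfind(".//network/dns-proxy/entry"):
        # Conservative: anything other than an explicit "no" counts as enabled.
        if (proxy.findtext("enabled") or "yes").strip().lower() == "no":
            continue
        for member in proxy.iterfind("./interface/member"):
            iface = member.text.strip()
            zone = zone_of.get(iface, "<no zone>")
            if zone in untrusted_zones or zone == "<no zone>":
                findings.append((proxy.get("name"), iface, zone))
    return findings

if __name__ == "__main__":
    if branch_affected("11.1.4-h7"):  # constructed version string
        for name, iface, zone in exposed_dns_proxies(SAMPLE_CONFIG, {"untrust"}):
            print(f"DNS Proxy '{name}' on {iface} (zone {zone}): disable or restrict pending patch")
```

Pass the set of zone names your environment treats as untrusted; a finding means a compensating control from the list above still applies to that interface.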
Board Talking Points
A critical flaw in Palo Alto Networks firewalls allows an outside attacker to take full control of the firewall without any login credentials, directly undermining network perimeter defenses.
Security teams should disable the affected DNS feature on internet-facing firewall interfaces immediately and apply vendor patches as they become available across all affected firewall versions.
Without action, an attacker who exploits this vulnerability could bypass all network security controls, access internal systems, and exfiltrate data without triggering standard perimeter alerts.
PCI-DSS — PA-Series firewalls frequently serve as the network boundary control for cardholder data environments; firewall compromise directly undermines Requirement 1 network segmentation controls
HIPAA — PA-Series firewalls protecting electronic protected health information (ePHI) network segments are subject to HIPAA Security Rule technical safeguard requirements; perimeter compromise creates reportable risk exposure
NERC CIP — Organizations operating bulk electric system assets using PA-Series firewalls as Electronic Security Perimeter controls must evaluate this vulnerability under CIP-007 and CIP-010 patch management and configuration change requirements