Palo Alto Networks: PAN-OS Web Interface: TOCTOU Race in Plugin Installation — Root Code Execution
CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Per PAN advisory: “A time-of-check to time-of-use (TOCTOU) race condition vulnerability in the Palo Alto Networks PAN-OS web interface enables an authenticated administrator with permission to upload plugins to execute arbitrary code with root user privileges.”
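The advisory names the bug class (CWE-367) but does not describe the mechanism. As an added, generic illustration that is not PAN-OS code and makes no claim about how the PAN-OS plugin installer works (the installer, its hash-based "signature" check and the sample archives are all constructed here), the following Python contrasts a check-then-use installer that resolves the upload path twice with one that opens the file once and verifies and consumes the same descriptor:

```python
"""Generic CWE-367 (TOCTOU) illustration for a plugin installer.

Constructed example: not PAN-OS code and not a description of the
PAN-OS plugin installer; the hash check stands in for signature
verification.
"""
import hashlib
import os
import stat
import tempfile

# Stand-in for a signature check: digests of plugin archives we trust (constructed).
APPROVED_DIGESTS = {hashlib.sha256(b"benign plugin").hexdigest()}


def install_unsafe(path, race_hook=lambda: None):
    """Vulnerable pattern: verify via the path, then re-open the path.

    The path is resolved twice; whoever can replace 'path' between the
    two opens gets unverified content installed.
    """
    with open(path, "rb") as f:                    # time of check
        digest = hashlib.sha256(f.read()).hexdigest()
    if digest not in APPROVED_DIGESTS:
        raise ValueError("unapproved plugin")
    race_hook()                                    # stands in for the race window
    with open(path, "rb") as f:                    # time of use: second lookup
        return f.read()


def install_safe(path, race_hook=lambda: None):
    """Hardened pattern: open once, verify and use the same descriptor.

    O_NOFOLLOW refuses a symlink at the final path component, fstat()
    inspects the object actually opened, and the bytes that are verified
    are the bytes returned, so a later swap of the path cannot matter.
    """
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    with os.fdopen(fd, "rb") as f:
        if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
            raise ValueError("not a regular file")
        data = f.read()
        if hashlib.sha256(data).hexdigest() not in APPROVED_DIGESTS:
            raise ValueError("unapproved plugin")
        race_hook()                                # swap happens after the open
        return data                                # same bytes that were verified


def demo():
    """Simulate the race deterministically with a hook that swaps the file."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        plugin = os.path.join(d, "plugin.tgz")
        other = os.path.join(d, "other.tgz")       # content that was never verified
        link = os.path.join(d, "plugin.tgz.tmp")

        def write_plugin():
            if os.path.lexists(plugin):
                os.remove(plugin)
            with open(plugin, "wb") as f:
                f.write(b"benign plugin")

        def swap():
            # Atomically replace the verified plugin with a symlink to 'other'.
            os.symlink(other, link)
            os.rename(link, plugin)

        with open(other, "wb") as f:
            f.write(b"malicious plugin")

        write_plugin()
        results["unsafe"] = install_unsafe(plugin, swap)   # installs the swapped bytes

        write_plugin()
        results["safe"] = install_safe(plugin, swap)       # still the verified bytes

        try:                                               # plugin is now a symlink
            install_safe(plugin)
            results["safe_on_symlink"] = "accepted"
        except OSError:                                    # O_NOFOLLOW refuses it
            results["safe_on_symlink"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The hook replaces a concurrent writer so the outcome is reproducible; in a real installer the window is the time between validation and consumption of the uploaded archive, and the defensive rule is the same: never look the path up a second time, carry the descriptor (or the already-read bytes) from the check to the use.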
Affected Packages / Versions
- Package: Palo Alto Networks PAN-OS
- Latest published version at triage time: Per PAN advisory: PAN-OS 8.1, 9.0, 9.1, 10.0, 10.1 tracks (Prisma Access not affected)
- Affected range: Per PAN advisory CVE-2021-3054: PAN-OS 8.1 < 8.1.20; PAN-OS 9.0 < 9.0.14; PAN-OS 9.1 < 9.1.11; PAN-OS 10.0 < 10.0.7; PAN-OS 10.1 < 10.1.2
- Patched version: Per PAN advisory: PAN-OS 8.1.20, 9.0.14, 9.1.11, 10.0.7, 10.1.2, and all later PAN-OS versions
Impact
PAN advisory’s description ends at “execute arbitrary code with root user privileges.” Specific blast-radius framing is not stated by PAN; Praetorian published no detailed blog body for this CVE.
Severity Rationale
Per PAN advisory: CVSS 7.2 (High), CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. “Palo Alto Networks is not aware of any malicious exploitation of this issue.”
Fix
Per PAN: “This issue is fixed in PAN-OS 8.1.20, PAN-OS 9.0.14, PAN-OS 9.1.11, PAN-OS 10.0.7, PAN-OS 10.1.2, and all later PAN-OS versions.” Workaround: “Enable signatures for Unique Threat ID 91572 on traffic processed by the firewall to block attacks against CVE-2021-3054.”
Disclosure timeline
- TBD: Reported to vendor
- Sep 8, 2021: Patch released (PAN initial publication date)
- Sep 8, 2021: Public disclosure
Fix Commit(s)
References
Discovered by: per PAN advisory, "Palo Alto Networks thanks Praetorian for discovering and reporting this issue." · Published April 29, 2026