Threat ID: TL-2026-0112 | Severity: HIGH | Status: ACTIVE
Actor: Unattributed | CVE: CVE-2024-3393 (CVSS 8.7) | Motivation: Destruction
MITRE Techniques: 15 | Detections: 9 | Category: VULNERABILITY
What happens when a single DNS packet can crash your perimeter firewall? CVE-2024-3393 answers that question.
On December 27, 2024, Palo Alto Networks disclosed CVE-2024-3393 — a denial-of-service vulnerability in the DNS Security feature of PAN-OS that lets an unauthenticated attacker nuke a firewall by sending one crafted DNS packet through the data plane. One packet. Firewall down. Repeated exploitation forces the device into maintenance mode, collapsing perimeter security entirely. CISA added the flaw to its Known Exploited Vulnerabilities catalog three days later, confirming active exploitation in production environments.
Below: vulnerability mechanics, affected versions, exploitation conditions, and detection queries for identifying exploitation attempts and firewall disruption events.
Censys internet exposure analysis for CVE-2024-3393 — mapping affected PAN-OS versions across PA-Series, VM-Series, and CN-Series firewalls.
Executive Summary
- What: Denial-of-service vulnerability (
CWE-754: Improper Check for Unusual or Exceptional Conditions) in PAN-OS DNS Security processing that crashes firewalls when logging is enabled - Who: Unattributed — actively exploited in production; CERT-EE (Estonia) provided forensic assistance
- Impact: CVSS 8.7 (unauthenticated, network-accessible). Affects PA-Series, VM-Series, CN-Series firewalls, and Prisma Access. A single packet reboots the firewall; sustained exploitation forces maintenance mode, disabling all security inspection
- Status: Actively exploited. Patched in PAN-OS 11.2.3, 11.1.5, 10.2.14, 10.1.15. Added to CISA KEV on December 30, 2024, with remediation deadline of January 20, 2025
- Detection: 9 production-ready detections available on Threadlinqs Intelligence covering syslog, SNMP, and network telemetry
Technical Analysis
CVE-2024-3393 exploits improper exception handling in the PAN-OS DNS Security module. When the firewall processes DNS traffic with the DNS Security (or Advanced DNS Security) license active and logging enabled, a specially crafted DNS packet triggers an unhandled exception in the data plane. The box reboots. No authentication. No user interaction. Just one malformed packet hitting the wire.
The vulnerability requires two prerequisites to exist simultaneously:
- DNS Security License — either standard or Advanced DNS Security must be active
- DNS Security Logging — the log severity level must be set to anything other than "none"
Administrators can verify exposure by checking the configuration: show config merged | match log-level. If DNS Security logging is enabled on any Anti-Spyware profile applied to a security policy, the firewall is vulnerable.
The Maintenance Mode Trap
The critical escalation path is what makes this vulnerability severe beyond a simple reboot. A single crafted packet causes a reboot — the firewall comes back up and resumes operations. But the attacker can immediately send another crafted packet. After repeated crash-reboot cycles, PAN-OS enters maintenance mode — a recovery state where the firewall stops processing all traffic. At that point, the perimeter is open. No inspection, no policy enforcement, no logging.
For organizations that rely on a single Palo Alto firewall without HA failover, maintenance mode means complete perimeter collapse until an administrator manually recovers the device. No inspection. No policy. No logging. The perimeter is just gone.
Our analysis found that the crash-to-maintenance escalation path is what separates this from a garden-variety DoS — the attacker does not just disrupt; they permanently disable until a human intervenes.
Affected Versions and Platforms
| PAN-OS Version | Affected Range | Fixed Version |
|---|---|---|
| 11.2 | < 11.2.3 | 11.2.3 |
| 11.1 | < 11.1.2-h16, < 11.1.3-h13, < 11.1.4-h7, < 11.1.5 | 11.1.5 |
| 10.2 | >= 10.2.8, < 10.2.8-h19, < 10.2.9-h19, < 10.2.10-h12, < 10.2.11-h10, < 10.2.12-h4, < 10.2.13-h2, < 10.2.14 | 10.2.14 |
| 10.1 | >= 10.1.14, < 10.1.14-h8, < 10.1.15 | 10.1.15 |
| 10.0, 9.1 | Not affected | N/A |
| Cloud NGFW | Not affected | N/A |
| Panorama M-Series | Not affected | N/A |
Affected platforms: PA-Series (hardware), VM-Series (virtual), CN-Series (container), Prisma Access.
Why DNS?
DNS traverses every firewall by design. Block it, and the network goes dark — no name resolution, no connectivity, no business operations. Attackers know this. Every security appliance sitting in the data path must inspect DNS traffic, and that inspection surface becomes the target. From a detection engineering perspective, DNS-based attacks survive proxy translation, NAT boundaries, and most network segmentation architectures. That makes the PAN-OS DNS Security module a high-value target: it is always on, always processing, and always reachable.
Censys data shows tens of thousands of internet-facing Palo Alto appliances at any given time. Most run DNS Security — it is a core selling point of the platform.
Exploitation Simplicity
The attack vector is network-based with low complexity. No authentication required. No user interaction needed. The attacker sends a DNS packet through the firewall's data plane — a trivial requirement for any traffic that traverses the device. Patch or perish. The CVSS score drops to 7.1 only for Prisma Access deployments where traffic originates from authenticated users.
Attack Chain
- Reconnaissance — Attacker identifies Palo Alto firewalls via banner grabbing, Shodan, or Censys (
T1595.002). DNS Security is commonly enabled on enterprise firewalls. - Initial Exploitation — Crafted DNS packet sent through the firewall data plane. No authentication required (
T1190). The DNS Security module processes the packet and triggers an unhandled exception. - Firewall Reboot — The exception crashes the PAN-OS data plane, forcing a full firewall reboot. Security inspection stops during the reboot cycle.
- Sustained Attack — Repeated malicious DNS packets trigger continuous reboot cycles (
T1499.004). Each reboot increases the probability of entering maintenance mode. - Maintenance Mode — After repeated crashes, PAN-OS enters maintenance mode (
T1489). The firewall stops processing all traffic. Perimeter security is fully disabled. - Security Bypass — With the firewall in maintenance mode, all traffic passes uninspected (
T1562.001). Firewall rules, IPS signatures, URL filtering, and threat prevention are offline.
Palo Alto Networks official security advisory for CVE-2024-3393 — firewall denial-of-service via specially crafted DNS packets forcing maintenance mode.
Detection
Catching exploitation of CVE-2024-3393 means watching for unexpected firewall reboots, DNS processing anomalies, and maintenance mode transitions. The reboot-to-maintenance-mode sequence is the most reliable signal — it is loud, distinctive, and hard to spoof.
Threadlinqs Intelligence tracks 9 production-ready detection rules for this threat across SPL, KQL, and Sigma.
Splunk SPL
Unexpected Palo Alto firewall reboots — two or more within an hour — are the primary exploitation indicator. This SPL catches that pattern.
SPLindex= sourcetype="pan:system" OR sourcetype="pan:config"
(log_subtype="general" OR log_subtype="system")
("reboot" OR "restart" OR "maintenance mode" OR "crash" OR "unexpected shutdown")
| eval is_maintenance=if(like(_raw, "%maintenance%mode%"), 1, 0)
| stats count as reboot_count
sum(is_maintenance) as maintenance_events
earliest(_time) as first_reboot
latest(_time) as last_reboot
by host
| where reboot_count >= 2
| eval time_window_mins=round((last_reboot - first_reboot) / 60, 1)
| where time_window_mins <= 60
| sort - reboot_count
DNS traffic spikes immediately preceding a reboot are the smoking gun. This SPL correlates high-volume DNS queries with subsequent crash events within a five-minute window.
SPLindex= sourcetype="pan:traffic" app="dns"
| bucket _time span=5m
| stats count as dns_count by src_ip, dest_ip, _time
| where dns_count > 1000
| join type=inner dest_ip
[ search index= sourcetype="pan:system" ("reboot" OR "crash")
| rename host as dest_ip
| stats earliest(_time) as reboot_time by dest_ip ]
| where _time <= reboot_time AND _time >= (reboot_time - 300)
Microsoft KQL
For Sentinel shops forwarding Palo Alto syslog — this KQL hunts for crash and maintenance mode transitions in syslog data.KQLSyslog
| where TimeGenerated > ago(24h)
| where Computer has "paloalto" or Facility == "local0"
| where SyslogMessage has_any ("reboot", "restart", "maintenance mode",
"crash", "unexpected shutdown", "dataplane", "dns-proxy")
| extend IsMaintenanceMode = SyslogMessage has "maintenance mode"
| summarize
RebootCount = count(),
MaintenanceModeEvents = countif(IsMaintenanceMode),
FirstEvent = min(TimeGenerated),
LastEvent = max(TimeGenerated)
by Computer
| where RebootCount >= 2
| extend TimeWindowMinutes = datetime_diff('minute', LastEvent, FirstEvent)
| where TimeWindowMinutes <= 60
Anomalous DNS query volumes targeting firewall interfaces — over 500 queries in a 5-minute bin with sustained rates above 100/min — often precede exploitation.
KQLCommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceVendor == "Palo Alto Networks"
| where Activity == "TRAFFIC" and ApplicationProtocol == "dns"
| summarize
DnsQueryCount = count(),
UniqueSources = dcount(SourceIP),
AvgQueriesPerMin = count() / datetime_diff('minute', max(TimeGenerated), min(TimeGenerated))
by DestinationIP, bin(TimeGenerated, 5m)
| where DnsQueryCount > 500
| where AvgQueriesPerMin > 100
Sigma
Repeated PAN-OS reboot events within a short window are the hallmark of this CVE. This Sigma rule catches it vendor-agnostic.SIGMAtitle: PAN-OS Repeated Firewall Reboot — CVE-2024-3393 DoS Indicator
id: d4e8a2c1-7f56-4b3d-9e12-5a8c3d6f1b09
status: experimental
description: |
Detects repeated PAN-OS firewall reboot events within a short timeframe,
consistent with CVE-2024-3393 exploitation where crafted DNS packets crash
the firewall into maintenance mode. CVSS 8.7 — unauthenticated, network-accessible.
references:
- https://intel.threadlinqs.com/#TL-2026-0112
- https://security.paloaltonetworks.com/CVE-2024-3393
- https://nvd.nist.gov/vuln/detail/CVE-2024-3393
author: Threadlinqs Intelligence
date: 2026/02/22
tags:
- attack.impact
- attack.t1498.001
- attack.t1489
- cve.2024.3393
logsource:
category: firewall
product: paloalto
detection:
selection_reboot:
EventType|contains:
- 'reboot'
- 'restart'
- 'crash'
- 'unexpected shutdown'
selection_maintenance:
EventType|contains:
- 'maintenance mode'
condition: selection_reboot or selection_maintenance
falsepositives:
- Planned firewall maintenance windows
- Firmware upgrades triggering scheduled reboots
- Power events causing hardware restarts
level: high
Browse all 9 detection rules for this threat: View on Threadlinqs Intelligence
The Hacker News coverage of Palo Alto Networks releasing an emergency patch for the actively exploited PAN-OS DNS Security DoS flaw.
Indicators of Compromise
Network Indicators
| Type | Indicator | Context |
|---|---|---|
| Protocol | Malformed DNS packets | Crafted DNS queries triggering PAN-OS exception — specific payload structure not publicly disclosed |
| Port | UDP/53, TCP/53 | Standard DNS ports through which the exploit traverses the firewall data plane |
| Behavior | High-frequency DNS queries to firewall | Sustained DNS traffic preceding firewall reboot events |
Behavioral Indicators
- Unexpected firewall reboots during normal operations — no scheduled maintenance, no firmware update
- Multiple reboots within a short timeframe (minutes to hours) from the same device
- Firewall entering maintenance mode without administrator action
- Gap in firewall syslog/SNMP data indicating device offline
- DNS Security log entries immediately preceding a system crash event
- Traffic inspection gaps visible in downstream monitoring (IDS/IPS, proxy logs)
Infrastructure Indicators
| Type | Indicator | Context |
|---|---|---|
| Configuration | DNS Security License active | Prerequisite for vulnerability |
| Configuration | DNS Security logging enabled (log-level != none) | Required for exploitation |
| System State | Maintenance mode entry | Indicates repeated exploitation success |
Timeline
| Date | Event |
|---|---|
| 2024-12-27 | Palo Alto Networks publishes advisory for CVE-2024-3393, confirms active exploitation through customer DoS reports |
| 2024-12-27 | Patches released: PAN-OS 11.2.3, 11.1.5, 10.2.14, 10.1.15, and multiple hotfix releases |
| 2024-12-30 | CISA adds CVE-2024-3393 to Known Exploited Vulnerabilities catalog |
| 2025-01-03 | Prisma Access emergency upgrades begin on first weekend window |
| 2025-01-10 | Second weekend Prisma Access upgrade window |
| 2025-01-20 | CISA KEV remediation deadline for Federal Civilian Executive Branch agencies |
| 2025-01-30 | Palo Alto Networks updates advisory with additional hotfix versions for maintenance releases |
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Context |
|---|---|---|---|
| Impact | Network Denial of Service: Direct Network Flood | T1498.001 | Crafted DNS packet triggers firewall crash |
| Impact | Service Stop | T1489 | Firewall enters maintenance mode, stopping all security services |
| Initial Access | Exploit Public-Facing Application | T1190 | Unauthenticated exploitation through the firewall data plane |
| Defense Evasion | Impair Defenses: Disable or Modify Tools | T1562.001 | Firewall crash disables security inspection |
| Defense Evasion | Impair Defenses: Disable or Modify System Firewall | T1562.004 | Maintenance mode disables all firewall policy enforcement |
| Impact | Application or System Exploitation (DoS) | T1499.004 | Repeated packet exploitation causes sustained denial of service |
| Reconnaissance | Gather Victim Network Information: DNS | T1590.002 | Pre-exploitation reconnaissance to identify DNS-enabled firewalls |
| Reconnaissance | Active Scanning: Vulnerability Scanning | T1595.002 | Scanning for vulnerable PAN-OS versions via management interface fingerprinting |
Full MITRE ATT&CK mapping: View coverage on Threadlinqs
TL-2026-0112 on Threadlinqs Intelligence — CVE-2024-3393 PAN-OS DNS Security DoS vulnerability with 9/9 detection coverage.
Recommendations
- Patch immediately — Upgrade to PAN-OS 11.2.3, 11.1.5, 10.2.14, 10.1.15, or later. If immediate upgrade is not possible, apply the relevant hotfix for the current maintenance release. Based on our tracking of 112 threats on the platform, unpatched network appliances remain the fastest path to perimeter compromise.
- Apply the workaround if patching is delayed — Disable DNS Security logging by setting log severity to "none" for all DNS Security categories in Anti-Spyware profiles: Objects > Security Profiles > Anti-Spyware > DNS Policies > DNS Security
- Deploy HA failover — Organizations running a single firewall without high-availability pairs are exposed to complete perimeter collapse. HA with session synchronization ensures continuity during a crash event.
- Monitor for exploitation indicators — Configure SNMP traps and syslog alerts for unexpected firewall reboots. Two or more reboots within an hour without scheduled maintenance warrants immediate investigation.
- Verify DNS Security configuration — Run
show config merged | match log-levelon all PAN-OS devices to identify which firewalls have the vulnerable configuration. Prioritize patching those devices.
References
- CVE-2024-3393 — PAN-OS Firewall DoS in DNS Security — Palo Alto Networks, December 2024
- NVD — CVE-2024-3393 — National Vulnerability Database
- CISA Adds CVE-2024-3393 to KEV Catalog — Cyble, December 2024
- Palo Alto Releases Patch for PAN-OS DoS Flaw — The Hacker News, December 2024
- January 3 Advisory: CVE-2024-3393 Exposure Analysis — Censys, January 2025
- PAN-OS Severe Vulnerability Exploited in the Wild — SecPod, December 2024
- Palo Alto Networks DoS Vulnerability — Qualys ThreatPROTECT — Qualys, December 2024
- MITRE ATT&CK T1498.001 — Network Denial of Service: Direct Network Flood — MITRE
Full threat intelligence, detection rules, and IOC feeds are available on Threadlinqs Intelligence. Track this threat: TL-2026-0112.*