PatchSiren

CVE-2024-9471 Palo Alto Networks CVE debrief

A privilege escalation vulnerability in the XML API of Palo Alto Networks PAN-OS software enables an authenticated administrator with restricted privileges to use a compromised XML API key to perform actions as a higher-privileged administrator. The vulnerability was published on July 9, 2024, and affects Siemens RUGGEDCOM APE1808 devices running Palo Alto Networks Virtual NGFW. An attacker with read-only virtual system administrator access could leverage an XML API key from a standard virtual system administrator to perform unauthorized write operations on virtual system configurations.

The CVSS 3.1 score of 4.7 reflects medium severity with network attack vector, low attack complexity, high privileges required, and low impacts to confidentiality, integrity, and availability.

Siemens has released a vendor fix in Palo Alto Networks Virtual NGFW V11.1.4-h1. Organizations should upgrade affected systems and contact customer support for patch and update information. Additional mitigations include configuring RADIUS servers to require Message-Authenticator attributes, restricting network access for RADIUS message exchange, and configuring SSH profiles to remove support for CHACHA20-POLY1305 and Encrypt-then-MAC algorithms.

Vendor: Palo Alto Networks
Product: RUGGEDCOM APE1808
CVSS: MEDIUM 4.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-07-09
Original CVE updated: 2026-01-14
Advisory published: 2024-07-09
Advisory updated: 2026-01-14

Who should care

Organizations operating Siemens RUGGEDCOM APE1808 devices with Palo Alto Networks Virtual NGFW, particularly those in industrial and operational technology environments. Security teams responsible for firewall administration, identity and access management, and API security should prioritize this vulnerability. Organizations with multi-tenant or role-separated PAN-OS deployments where lower-privileged administrators require controlled access are at elevated risk.

Technical summary

The vulnerability exists in the XML API of Palo Alto Networks PAN-OS software when deployed on Siemens RUGGEDCOM APE1808 devices. The flaw allows an authenticated administrator with restricted privileges—such as a Virtual system administrator (read-only)—to use a compromised XML API key belonging to a higher-privileged account (such as a standard Virtual system administrator) to perform write operations on virtual system configurations. This bypasses the intended read-only restrictions. The attack requires network access and valid authentication credentials, with the compromised API key serving as the mechanism for privilege escalation. The vulnerability does not appear to require user interaction and has a proof-of-concept exploit available.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade Palo Alto Networks Virtual NGFW to version V11.1.4-h1 and contact customer support for patch and update information
  • Configure RADIUS servers to require Message-Authenticator attributes in all Access-Request packets from supporting RADIUS client devices
  • Restrict network access to VLANs or management networks where RADIUS messages are exchanged
  • Configure in-use SSH profiles to contain at least one cipher and one MAC algorithm, removing support for CHACHA20-POLY1305 and Encrypt-then-MAC algorithms
  • Review and rotate XML API keys regularly, especially for accounts with elevated privileges
  • Monitor XML API usage for anomalous privilege escalation patterns from lower-privileged accounts
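
One way to implement the XML API monitoring item above, as an added example that is not code from the advisory or the vendor: it flags configuration writes made with one administrator's key from a source address previously used by a different, read-only administrator. The event schema, account names, addresses and the role labels are constructed assumptions; the `config` request type and the write actions follow the PAN-OS XML API request parameters.

```python
from collections import defaultdict

# XML API "action" values that modify configuration when type=config.
WRITE_ACTIONS = {"set", "edit", "delete", "rename", "move", "clone", "override"}
READ_ONLY_ROLES = {"vsysreader"}  # assumed role label for read-only vsys admins

# Constructed events in a hypothetical normalized schema (not a PAN-OS log format):
# (timestamp, source address, admin, role, request type, action).
# "admin" is the account that owns the XML API key or session used for the request.
EVENTS = [
    ("2024-07-10T08:00:01", "10.0.5.21", "vsys1-ro", "vsysreader", "op", None),
    ("2024-07-10T08:02:10", "10.0.5.40", "vsys1-admin", "vsysadmin", "config", "set"),
    ("2024-07-10T08:05:33", "10.0.5.21", "vsys1-ro", "vsysreader", "config", "get"),
    ("2024-07-10T08:06:02", "10.0.5.21", "vsys1-admin", "vsysadmin", "config", "edit"),
    ("2024-07-10T08:06:40", "10.0.5.21", "vsys1-admin", "vsysadmin", "config", "get"),
]


def find_cross_account_writes(events):
    """Flag config writes made with one admin's key from a source address
    that was previously used by a different, read-only admin."""
    readers_by_src = defaultdict(set)  # source address -> read-only admins seen there
    findings = []
    # Sort on the timestamp only, so None actions are never compared.
    for ts, src, admin, role, req_type, action in sorted(events, key=lambda e: e[0]):
        if role in READ_ONLY_ROLES:
            readers_by_src[src].add(admin)
            continue
        is_write = req_type == "config" and action in WRITE_ACTIONS
        other_readers = readers_by_src[src] - {admin}
        if is_write and other_readers:
            findings.append({
                "ts": ts,
                "src": src,
                "key_owner": admin,
                "read_only_admins_on_src": sorted(other_readers),
            })
    return findings


if __name__ == "__main__":
    for finding in find_cross_account_writes(EVENTS):
        print(finding)
```

A hit is a lead for review rather than proof of misuse, since shared jump hosts and NAT also place several administrators behind one source address.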

Evidence notes

The vulnerability description and remediation details are derived from CISA CSAF advisory ICSA-24-193-11, which republishes Siemens ProductCERT advisory SSA-364175. The advisory was initially published on July 9, 2024, and most recently modified on January 14, 2026. The affected product is Siemens RUGGEDCOM APE1808 with Palo Alto Networks Virtual NGFW. The vendor fix specifies upgrade to Palo Alto Networks Virtual NGFW V11.1.4-h1.
