HighCISA KEVExploited in the wildPublic exploit

DoS in Palo Alto Networks PAN-OS DNS Security

IdentifiersCVE-2024-3393CWE-754· Improper Check for Unusual or…

CVE-2024-3393 is a high-severity denial-of-service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS. An unauthenticated remote attacker can send a specially crafted or malformed DNS packet through the firewall data plane and trigger a failure that causes the firewall to reboot. Repeated triggering can drive the device into maintenance mode. The issue affects PAN-OS deployments where DNS Security or Advanced DNS Security is licensed/enabled and DNS Security logging is active. Reported affected platforms include PA-Series, VM-Series, CN-Series, and Prisma Access. The available supporting content attributes the flaw to improper handling of unusual or exceptional conditions during DNS packet processing/logging, consistent with CWE-754.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation causes a denial-of-service condition on the affected firewall. A single successful trigger can reboot the device, and repeated exploitation can force it into maintenance mode, rendering it non-operational. This can interrupt traffic processing, reduce or eliminate security enforcement at the network perimeter, and leave protected environments temporarily unprotected until the device recovers or is manually remediated.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, temporarily disable DNS Security logging by setting DNS Security log severity to "none" in custom Anti-Spyware profiles, or replace affected predefined Anti-Spyware profiles with custom profiles configured to avoid the vulnerable logging path. Monitor for unexpected firewall reboots, maintenance mode events, and abnormal malformed DNS activity. Note that disabling DNS Security logging reduces visibility into DNS-based threats and may hinder detection and response.

Remediation

Patch, then assume compromise.

Apply Palo Alto Networks fixed releases. Based on the provided content, fixed versions include PAN-OS 11.2.3 or later, 11.1.5 or later, 10.2.14 or later, and 10.1.15 or later, with later maintenance releases also addressing the issue. Organizations should upgrade affected PA-Series, VM-Series, CN-Series, and Prisma Access deployments to a supported fixed version as soon as possible, prioritizing internet-exposed systems and environments where DNS Security logging is enabled.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

PaloaltonetworksPan-Osoperating_system

PaloaltonetworksPrisma Accessapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app

cloudatg insightsNews

Feb 13, 2026

AI Development & Software Engineering | CloudATG

A PAN-OS denial-of-service vulnerability affecting Palo Alto Networks PAN-OS and Prisma Access deployments.

rescana blogNews

Jan 15, 2026

CVE-2024-3393: Critical DoS Vulnerability Actively Exploited in Palo Alto Networks PAN-OS Firewalls

High-severity unauthenticated network-triggered Denial of Service in Palo Alto Networks PAN-OS DNS Security inspection/logging path that can crash the data plane, forcing firewall reboot and potentially maintenance mode, disabling security enforcement.

bleeping computerNews

Jan 15, 2026

Palo Alto Networks warns of DoS bug letting hackers disable firewalls

PAN-OS denial-of-service vulnerability reportedly exploited to force affected Palo Alto firewalls to reboot and disable protections when DNS Security logging is enabled.

thecyberexpress com vulnerabilitiesNews

Jan 2, 2025

CISA Warning: Exploited Vulnerability In PAN-OS Versions

High-severity unauthenticated Denial-of-Service vulnerability in Palo Alto Networks PAN-OS DNS Security feature where malformed DNS packets can crash/reboot the firewall repeatedly, potentially forcing maintenance mode and causing loss of availability.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2024-3393

NVD

nvd.nist.gov/vuln/detail/CVE-2024-3393

MITRE CWE · CWE-754

Improper Check for Unusual or Exceptional…

Vendor Advisory

security.paloaltonetworks.com/CVE-2024-3393

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-3393