Palo Alto Firewalls Found Vulnerable to Secure Boot Bypass and Firmware Exploits

An exhaustive evaluation of three firewall models from Palo Alto Networks has uncovered a host of known security flaws impacting the devices' firmware as well as misconfigured security features.
"These weren't obscure, corner-case vulnerabilities," security vendor Eclypsium said in a report shared with The Hacker News.
"Instead these were very well-known issues that we wouldn't expect to see even on a consumer-grade laptop. These issues could allow attackers to evade even the most basic integrity protections, such as Secure Boot, and modify device firmware if exploited."
The company said it analyzed three firewall appliances from Palo Alto Networks, PA-3260, PA-1410, and PA-415, the first of which officially reached end-of-sale on August 31, 2023. The other two models are fully supported firewall platforms.
The list of identified flaws, collectively named PANdora's Box, is as follows -
- CVE-2020-10713 aka BootHole (Affects PA-3260, PA-1410, and PA-415), refers to a buffer overflow vulnerability that allows for a Secure Boot bypass on Linux systems with the feature enabled
- CVE-2022-24030, CVE-2021-33627, CVE-2021-42060, CVE-2021-42554, CVE-2021-43323, and CVE-2021-45970 (Affects PA-3260), which refers to a set of System Management Mode (SMM) vulnerabilities affecting Insyde Software's InsydeH2O UEFI firmware that could lead to privilege escalation and Secure Boot bypass
- LogoFAIL (Affects PA-3260), which refers to a set of critical vulnerabilities discovered in the Unified Extensible Firmware Interface (UEFI) code that exploit flaws in image parsing libraries embedded in the firmware to bypass Secure Boot and execute malicious code during system startup
- PixieFail (Affects PA-1410 and PA-415), which refers to a set of vulnerabilities in the TCP/IP network protocol stack incorporated in the UEFI reference implementation that could lead to code execution and information disclosure
- Insecure flash access control vulnerability (Affects PA-415), which refers to a case of misconfigured SPI flash access controls that could permit an attacker to modify UEFI directly and bypass other security mechanisms
- CVE-2023-1017 (Affects PA-415), which refers to an out-of-bounds write vulnerability in the Trusted Platform Module (TPM) 2.0 reference library specification
- Intel bootguard leaked keys bypass (Affects PA-1410)
"These findings underscore a critical truth: even devices designed to protect can become vectors for attack if not properly secured and maintained," Eclypsium said. "As threat actors continue to target security appliances, organizations must adopt a more comprehensive approach to supply chain security."
"This includes rigorous vendor assessments, regular firmware updates, and continuous device integrity monitoring. By understanding and addressing these hidden vulnerabilities, organizations can better protect their networks and data from sophisticated attacks that exploit the very tools meant to safeguard them."
Tesla EV charger hacked twice on second day of Pwn2Own Tokyo
Beware: Fake CAPTCHA Campaign Spreads Lumma Stealer in Multi-Industry Attacks
CVE-2024-20439 Cisco Smart Licensing Utility Static Credential Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2019-9874 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2019-9875 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2025-30154 reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability
CVE-2025-1316 Edimax IC-7100 IP Camera OS Command Injection Vulnerability
CVE-2024-48248 NAKIVO Backup and Replication Absolute Path Traversal Vulnerability
CVE-2017-12637 SAP NetWeaver Directory Traversal Vulnerability
CVE-2025-24472 Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability
InformationalSec-Fetch-Dest Header is Missing
InformationalObsolete Content Security Policy (CSP) Header Found
LowInsufficient Site Isolation Against Spectre Vulnerability
InformationalCross Site Scripting (Persistent) - Prime
InformationalSec-Fetch-User Header is Missing
Free online web security scanner