Impact
A buffer overflow in the IKEv2 packet parser of Palo Alto Networks PAN-OS allows an unauthenticated attacker on the network to crash the firewall or run arbitrary code with elevated privileges (CWE-787). The vulnerability can lead to a complete compromise of the firewall’s operating system or cause a denial of service, disrupting critical network traffic.
Affected Systems
The flaw is present in PAN‑OS for all 10.2, 11.x, and 12.x releases except specific newer sub‑releases. Supported Cloud NGFW and Prisma Access are not impacted. For PAN‑OS, the following upgrade paths are required:
- 12.1.5 to 12.1.6 – upgrade to 12.1.7 or later
- 12.1.2 to 12.1.4‑h* – upgrade to 12.1.4‑h5, 12.1.7 or later
- 11.2.11 or later – upgrade to 11.2.12 or later
- 11.2.8 to 11.2.10‑h* – upgrade to 11.2.10‑h6, 11.2.12 or later
- 11.2.5‑7‑h* – upgrade to 11.2.7‑h13, 11.2.12 or later
- 11.2.0‑4‑h* – upgrade to 11.2.4‑h17, 11.2.12 or later
- 11.1.14 or later – upgrade to 11.1.15 or later
- other 11.1.x ranges follow a similar pattern
All older unsupported PAN‑OS versions must move to a supported fixed release.
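To triage a firewall inventory against the upgrade paths listed above, the following added example (not code from the vendor or from this page) parses PAN-OS version strings and returns the listed target releases. It assumes that "11.2.5‑7‑h*" and "11.2.0‑4‑h*" mean patches 5 through 7 and 0 through 4 including their hotfixes, that a hotfix counts as fixed only on the exact patch level named, and it reports ranges the page does not spell out as "unlisted" rather than guessing; all function and table names are hypothetical.

```python
import re

# Rows transcribed from the upgrade paths in the text above:
# (release train, first patch, last patch, fixed releases as listed).
# Ranges the page only summarises ("other 11.1.x ranges") are not guessed.
UPGRADE_PATHS = [
    ((12, 1), 5, 6, ["12.1.7"]),
    ((12, 1), 2, 4, ["12.1.4-h5", "12.1.7"]),
    ((11, 2), 11, 11, ["11.2.12"]),
    ((11, 2), 8, 10, ["11.2.10-h6", "11.2.12"]),
    ((11, 2), 5, 7, ["11.2.7-h13", "11.2.12"]),
    ((11, 2), 0, 4, ["11.2.4-h17", "11.2.12"]),
    ((11, 1), 14, 14, ["11.1.15"]),
]

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?")


def parse(version):
    """Return (major, minor, patch, hotfix); hotfix is 0 for a base release."""
    text = version.strip().replace("\u2011", "-")  # non-breaking hyphen
    m = VERSION_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())


def meets(ver, fix):
    """True if ver is at or beyond one listed fixed release."""
    if ver[:2] != fix[:2]:
        return False
    if ver[2] == fix[2]:
        return ver[3] >= fix[3]             # same patch: compare hotfix number
    return fix[3] == 0 and ver[2] > fix[2]  # "X.Y.Z or later" base release


def advise(version):
    """Return (status, targets) for one inventory version string."""
    ver = parse(version)
    rows = [r for r in UPGRADE_PATHS if r[0] == ver[:2]]
    if any(meets(ver, parse(f)) for r in rows for f in r[3]):
        return "fixed", []
    for _, first, last, fixes in rows:
        if first <= ver[2] <= last:
            return "upgrade", fixes
    return "unlisted", []  # no row on this page: consult the vendor advisory
```

A result of "unlisted" means only that this page gives no explicit path for that version, not that the version is unaffected.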
Risk and Exploitability
The CVSS score of 7.2 indicates a high severity for remote code execution. No EPSS score is available, so the exploitation probability is not quantifiable, and the vulnerability is not listed in CISA KEV. The attack vector is network‑based; an adversary needs the ability to send crafted IKEv2 packets to the firewall, which is typically feasible for anyone who can reach it over the network. Successful exploitation would grant the attacker root privileges on the firewall and could lead to full system compromise or a shutdown of the device.