Use of a weak cryptographic algorithm for passwords in Palo Alto PAN-OS

Published: 2022-03-09
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2022-0022
Exploitation vector Local
Public exploit N/A
Vulnerable software
Palo Alto PAN-OS
Operating systems & Components / Operating system

Vendor Palo Alto Networks, Inc.

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Use of Password Hash With Insufficient Computational Effort

EUVDB-ID: #VU61214

Risk: Low


CVE-ID: CVE-2022-0022

CWE-ID: CWE-916 - Use of Password Hash With Insufficient Computational Effort

Exploit availability: No


The vulnerability allows a local user to decrypt credentials.

The vulnerability exists due to software does not use the sufficient level of computational effort when creating password hashes for local user account. A local privileged user can crack passwords.

The vulnerability affects only to PAN-OS firewalls and Panorama appliances running in normal (non-FIPS-CC) operational mode.


Install updates from vendor's website.

Vulnerable software versions

Palo Alto PAN-OS: 10.0.0 - 10.0.6, 9.0 - 9.0.16, 9.1 - 9.1.10, 8.1 - 8.1.20-h1

CPE2.3 External links

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?