Dive Brief:
- Palo Alto Networks customers are confronting another actively exploited zero-day, a critical authentication bypass vulnerability in the security vendor’s PAN-OS operating system, which runs some of the company’s firewalls, the company said Monday in an updated security advisory.
- “Palo Alto Networks has identified threat activity targeting a limited number of device management web interfaces,” the security vendor’s threat intelligence firm Unit 42 said in a Monday threat brief. “Observed post-exploitation activity includes interactive command execution and dropping malware, such as webshells, on the firewall.”
- The vulnerability, CVE-2024-0012, has a CVSS score of 9.3 and allows an unauthenticated attacker with network access to the management web interface to gain administrator privileges or tamper with the configuration. Active exploitation of the CVE can also allow attackers to exploit other authenticated privilege escalation vulnerabilities, such as CVE-2024-9474, which has a CVSS score of 6.9.
Dive Insight:
The exploits hitting Palo Alto Networks customers’ firewalls follow a trio of actively exploited zero-days in Expedition, the company’s tool for migrating customers over from other vendors, earlier this month. Attackers also hit a maximum-severity zero-day in PAN-OS earlier this year.
Palo Alto Networks initially published a security advisory about an unconfirmed vulnerability in the PAN-OS management interface on Nov. 8. The company confirmed observed threat activity targeting the vulnerability on Thursday and added indicators of compromise on Friday.
On Monday, a CVE was assigned to the vulnerability and Palo Alto Networks issued a patch.
The Cybersecurity and Infrastructure Security Agency added CVE-2024-0012 and CVE-2024-9474 to its known exploited vulnerabilities catalog on Monday. The agency released and updated an alert pointing to Palo Alto Networks’ warnings earlier this month and to the vendor’s guidance for hardening network devices.
“These vulnerabilities could allow attackers to take control of firewalls if they have access to the management interface; internet-exposed management interfaces are at significantly higher risk,” Steven Thai, senior manager of global crisis communications and reputation management at Palo Alto Networks, said in a Monday email.
“We are actively working with impacted customers and urge all organizations to immediately determine if their firewalls are at risk and apply the security patches,” Thai said.
Palo Alto Networks, which is tracking initial exploitation of CVE-2024-0012 as Operation Lunar Peek, said a “very small number” of PAN-OS devices are deployed with management web interfaces exposed to the internet or other untrusted networks.
More than 6,500 PAN-OS management interfaces were publicly exposed to the internet as of Sunday, down from about 11,000 on Nov. 11, according to Shadowserver.