Palo Alto Networks Firewalls Compromised by Hackers Exploiting Recent Vulnerabilities

November 21, 2024

Hackers have breached thousands of Palo Alto Networks firewalls by exploiting two recently patched zero-day vulnerabilities. The two security flaws consist of an authentication bypass (CVE-2024-0012) in the PAN-OS management web interface that remote attackers can exploit to gain administrator privileges, and a PAN-OS privilege escalation (CVE-2024-9474) that allows them to execute commands on the firewall with root privileges.

Palo Alto Networks first alerted customers on November 8 to limit access to their next-generation firewalls due to a potential RCE flaw, which was identified last Friday as CVE-2024-0012. The company disclosed CVE-2024-9474 this Monday. Palo Alto Networks is still investigating these ongoing attacks, which target "a limited number of device management web interfaces". The company has observed threat actors dropping malware and executing commands on compromised firewalls, warning that an exploit chaining the two flaws is likely already available.

"This original activity reported on Nov. 18, 2024 primarily originated from IP addresses known to proxy/tunnel traffic for anonymous VPN services," the company said on Wednesday. "At this time, Unit 42 assesses with moderate to high confidence that a functional exploit chaining CVE-2024-0012 and CVE-2024-9474 is publicly available, which will enable broader threat activity."

Even though the company states the attacks impact only a "very small number of PAN-OS" firewalls, threat monitoring platform Shadowserver reported on Wednesday that it's tracking over 2,700 vulnerable PAN-OS devices. Shadowserver also reported that about 2,000 have been compromised since the start of this ongoing campaign.

The Cybersecurity and Infrastructure Security Agency (CISA) has added both vulnerabilities to its Known Exploited Vulnerabilities Catalog and now requires federal agencies to patch their firewalls within three weeks by December 9. CISA had also warned in early November of attackers exploiting another critical missing authentication flaw (CVE-2024-5910) in the Palo Alto Networks Expedition firewall configuration migration tool.

Earlier this year, Palo Alto Networks' customers also had to patch a maximum severity and actively exploited PAN-OS firewall vulnerability (CVE-2024-3400) that impacted over 82,000 devices. CISA added CVE-2024-3400 to its KEV catalog, asking federal agencies to secure their devices within seven days.

On Wednesday, Palo Alto Networks "strongly" advised its customers to secure their firewalls' management interfaces by restricting access to the internal network. "Risk of these issues is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines," the company said.
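The mitigation above is a configuration policy: the management web interface should only be reachable from trusted internal source addresses. The following script is an added example, not Palo Alto Networks' code and not the PAN-OS CLI; it audits a constructed inventory of firewalls and the source prefixes each one permits for management access, flagging any firewall that is unrestricted or that allows a source outside an assumed set of internal ranges. The inventory format, the firewall names and the trusted ranges are all assumptions for the example.

```python
import ipaddress

# Constructed sample inventory (not a real PAN-OS export): firewall name ->
# list of source prefixes permitted to reach its management web interface.
SAMPLE_INVENTORY = {
    "fw-edge-01": ["0.0.0.0/0"],                        # any source: the risky case
    "fw-dc-02": ["10.20.0.0/16", "192.168.5.10/32"],    # internal only
    "fw-branch-03": ["10.0.0.0/8", "203.0.113.0/24"],   # one public (TEST-NET) range slipped in
    "fw-lab-04": [],                                    # no permitted-IP list configured at all
}

# Assumed policy: only these internal ranges may reach the management interface.
TRUSTED_MGMT_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def _is_trusted(net, trusted):
    """True if `net` lies entirely inside one of the trusted ranges."""
    # subnet_of() raises on mixed IPv4/IPv6 comparisons, so check the version first.
    return any(net.version == t.version and net.subnet_of(t) for t in trusted)


def audit_management_access(inventory, trusted=TRUSTED_MGMT_SOURCES):
    """Return {firewall: [finding, ...]} for every firewall whose management
    interface is reachable from somewhere outside the trusted ranges.
    Firewalls with no findings are omitted from the result."""
    findings = {}
    for fw, permitted in inventory.items():
        problems = []
        if not permitted:
            problems.append("no permitted-IP list: management interface reachable from any source")
        for prefix in permitted:
            net = ipaddress.ip_network(prefix, strict=False)
            if net.prefixlen == 0:
                problems.append(f"{prefix}: allows any source")
            elif not _is_trusted(net, trusted):
                problems.append(f"{prefix}: outside trusted internal ranges")
        if problems:
            findings[fw] = problems
    return findings


if __name__ == "__main__":
    for fw, problems in audit_management_access(SAMPLE_INVENTORY).items():
        for p in problems:
            print(f"{fw}: {p}")
```

In practice the inventory would be fed from whatever source of truth holds the exported management-interface settings; the check itself is the same. The useful property is that it fails closed: an empty permitted list is treated as fully exposed rather than as "nothing to report".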
