Palo Alto Networks Firewalls Compromised by Hackers Exploiting Recent Vulnerabilities
November 21, 2024
Hackers have breached thousands of Palo Alto Networks firewalls by exploiting two recently patched zero-day vulnerabilities. The two security flaws consist of an authentication bypass (CVE-2024-0012) in the PAN-OS management web interface that remote attackers can exploit to gain administrator privileges, and a PAN-OS privilege escalation (CVE-2024-9474) that allows them to execute commands on the firewall with root privileges.
Palo Alto Networks first alerted customers on November 8 to limit access to their next-generation firewalls due to a potential RCE flaw, which was identified last Friday as CVE-2024-0012. The company disclosed CVE-2024-9474 this Monday. Palo Alto Networks is still investigating these ongoing attacks, which target "a limited number of device management web interfaces". The company has observed threat actors dropping malware and executing commands on compromised firewalls, warning that an exploit chaining the two flaws is likely already available.
"This original activity reported on Nov. 18, 2024 primarily originated from IP addresses known to proxy/tunnel traffic for anonymous VPN services," the company said on Wednesday. "At this time, Unit 42 assesses with moderate to high confidence that a functional exploit chaining CVE-2024-0012 and CVE-2024-9474 is publicly available, which will enable broader threat activity."
Even though the company states the attacks impact only a "very small number of PAN-OS" firewalls, threat monitoring platform Shadowserver reported on Wednesday that it's tracking over 2,700 vulnerable PAN-OS devices. Shadowserver also reported that about 2,000 have been compromised since the start of this ongoing campaign.
The Cybersecurity and Infrastructure Security Agency (CISA) has added both vulnerabilities to its Known Exploited Vulnerabilities Catalog and now requires federal agencies to patch their firewalls within three weeks by December 9. CISA had also warned in early November of attackers exploiting another critical missing authentication flaw (CVE-2024-5910) in the Palo Alto Networks Expedition firewall configuration migration tool.
Earlier this year, Palo Alto Networks' customers also had to patch a maximum severity and actively exploited PAN-OS firewall vulnerability (CVE-2024-3400) that impacted over 82,000 devices. CISA added CVE-2024-3400 to its KEV catalog, asking federal agencies to secure their devices within seven days.
On Wednesday, Palo Alto Networks "strongly" advised its customers to secure their firewalls' management interfaces by restricting access to the internal network. "Risk of these issues is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines," the company said.