Palo Alto Networks Issues Alert on Potential PAN-OS Remote Code Execution Vulnerability

November 8, 2024

Palo Alto Networks, a leading cybersecurity firm, has alerted its customers about a possible remote code execution vulnerability in the PAN-OS management interface of its next-generation firewalls. The company has not provided further details about the alleged security flaw and has not found any evidence of active exploitation.

"Palo Alto Networks is aware of a claim of a remote code execution vulnerability via the PAN-OS management interface. At this time, we do not know the specifics of the claimed vulnerability. We are actively monitoring for signs of any exploitation," the company stated in a security advisory. The company urged customers to follow their recommended best practice deployment guidelines to ensure the correct configuration of access to their management interface.

Users of Cortex Xpanse and Cortex XSIAM with the ASM module can investigate internet-exposed instances by reviewing alerts generated by the Palo Alto Networks Firewall Admin Login attack surface rule. The company also recommended that customers prevent internet access to their firewalls' PAN-OS management interface and only permit connections from trusted internal IP addresses.
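
As an added illustration of the recommendation above (not code from the advisory or from Palo Alto Networks), the following Python audits the management-interface allow-list in a PAN-OS-style running-config export: the `deviceconfig/system/permitted-ip` XML layout and the sample entries are assumed and constructed here, and "trusted internal" is taken to mean RFC 1918 ranges or IPv6 unique local addresses.

```python
import ipaddress
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample: a running-config fragment in the assumed PAN-OS layout.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <deviceconfig><system>
      <permitted-ip>
        <entry name="10.20.0.0/24"/>
        <entry name="203.0.113.0/24"/>
        <entry name="0.0.0.0/0"/>
      </permitted-ip>
    </system></deviceconfig>
  </entry></devices>
</config>"""

# Ranges this audit accepts as "trusted internal" (assumption for the example).
TRUSTED_INTERNAL = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def extract_permitted_ips(config_xml: str) -> List[str]:
    """Pull every permitted-ip entry name out of the config XML."""
    root = ET.fromstring(config_xml)
    path = ".//deviceconfig/system/permitted-ip/entry"
    return [e.get("name") for e in root.iterfind(path) if e.get("name")]


def is_internal(net) -> bool:
    """True when the network lies entirely inside a trusted internal range."""
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_INTERNAL)


def audit_permitted_ips(entries: List[str]) -> List[str]:
    """Return findings; an empty list means the allow-list looks restrictive."""
    findings = []
    if not entries:
        # An empty allow-list places no source restriction on the interface.
        return ["no permitted-ip entries: management interface reachable from any source"]
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            findings.append(f"{raw}: unparseable entry")
            continue
        if net.prefixlen == 0:
            findings.append(f"{raw}: matches every address, equivalent to no restriction")
        elif not is_internal(net):
            findings.append(f"{raw}: outside the trusted internal ranges")
    return findings
```

Run on the sample it reports the 203.0.113.0/24 and 0.0.0.0/0 entries and accepts 10.20.0.0/24; an export with no permitted-ip block at all is reported as unrestricted.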

In a separate support document on the company's community website, administrators were advised to take multiple measures to minimize the exposure of the management interface.

The Cybersecurity and Infrastructure Security Agency (CISA) also issued a warning about ongoing attacks exploiting a critical missing authentication vulnerability in Palo Alto Networks Expedition, tracked as CVE-2024-5910. This security flaw, patched in July, can be remotely exploited by threat actors to reset application admin credentials on Internet-exposed Expedition servers.

A proof-of-concept exploit, released last month by Horizon3.ai vulnerability researcher Zach Hanley, demonstrated how CVE-2024-5910 can be chained with a command injection vulnerability (tracked as CVE-2024-9464) to gain "unauthenticated" arbitrary command execution on vulnerable Expedition servers. CVE-2024-9464 can also be used in conjunction with other security flaws, which were addressed by Palo Alto Networks in October, to take over admin accounts and hijack PAN-OS firewalls.

The CVE-2024-5910 vulnerability was added to CISA's Known Exploited Vulnerabilities Catalog, with federal agencies being ordered to secure their systems against attacks within three weeks, by November 28. CISA warned, "These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise."
