Palo Alto Networks has issued crucial security updates aimed at addressing two zero-day vulnerabilities in its next-generation firewalls (NGFW), both of which have been actively exploited in real-world attacks. The vulnerabilities, tracked as CVE-2024-0012 and CVE-2024-9474, have been found in the PAN-OS management web interface and pose significant risks to internet-exposed devices.

CVE-2024-0012, the more critical of the two, allows attackers to bypass authentication and gain administrator privileges, enabling configuration tampering and exploitation of other privilege escalation issues. CVE-2024-9474, meanwhile, lets malicious administrators execute root-level actions on the firewall.

The vulnerabilities have raised concerns due to their potential impact. Threat intelligence firm Shadowserver reported over 8,700 exposed PAN-OS interfaces globally, while a Shodan search conducted by Macnica researcher Yutaka Sejiyama identified more than 11,000 affected IPs, predominantly in the US, India, Mexico, Thailand, and Indonesia.

While Palo Alto Networks noted that only a limited number of management interfaces have been exploited, devices not adhering to best practices, such as those with the management interface reachable from the internet, are at significantly higher risk.

Cybersecurity firm releases security patches and mitigation strategies

Palo Alto Networks has released patches for affected versions, including PAN-OS 10.2.12-h2, 11.0.6-h1, 11.1.5-h1, and 11.2.4-h1. The company is also providing updates for other commonly used maintenance releases. To mitigate the risks immediately, administrators are advised to restrict management interface access to trusted internal IPs, enable threat prevention using updated Threat IDs, and route management traffic through data-plane ports for inspection. Palo Alto Networks also recommends decrypting inbound traffic to enhance firewall oversight and inspection capabilities.
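The following is an added example, not code from Palo Alto Networks or from this article, showing how an operations team can turn the fixed-version list above into an inventory triage: parse PAN-OS version strings, decide whether a device is at or above the fixed level for its feature release, and rank internet-exposed vulnerable devices first. It assumes that any build at or above the listed fix level within the same feature release carries the fix, that feature releases not named in the advisory (for example 10.1) are out of scope for this check, and that the inventory tuples and hostnames are constructed sample data; the `-hN` hotfix suffix is parsed as an integer so that `10.2.12-h2` sorts above `10.2.12-h1`.

```python
import re
from typing import List, NamedTuple, Tuple


class PanOsVersion(NamedTuple):
    """PAN-OS version as a comparable tuple: major.minor.maint[-hHotfix]."""
    major: int
    minor: int
    maint: int
    hotfix: int  # 0 when there is no "-hN" suffix


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> PanOsVersion:
    """Parse strings such as '11.1.5-h1' or '10.2.13'; reject anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return PanOsVersion(int(major), int(minor), int(maint), int(hotfix or 0))


# Fixed releases named in the advisory coverage, keyed by feature release.
# Assumption: a build at or above this level in the same feature release is fixed.
# Fixes for other maintenance releases are not modelled here.
FIXED_RELEASES = {
    (10, 2): parse_version("10.2.12-h2"),
    (11, 0): parse_version("11.0.6-h1"),
    (11, 1): parse_version("11.1.5-h1"),
    (11, 2): parse_version("11.2.4-h1"),
}


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable', or 'not-in-scope' for a version string."""
    v = parse_version(version)
    fixed = FIXED_RELEASES.get((v.major, v.minor))
    if fixed is None:
        # Feature release not listed for CVE-2024-0012; out of scope for this check.
        return "not-in-scope"
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory: List[Tuple[str, str, bool]]) -> List[dict]:
    """Rank devices: exposed and vulnerable first, then vulnerable internal, then the rest.

    Each inventory entry is (hostname, version, management_interface_internet_exposed).
    """
    rows = []
    for host, version, exposed in inventory:
        status = assess(version)
        if status == "vulnerable" and exposed:
            priority = 0
        elif status == "vulnerable":
            priority = 1
        else:
            priority = 2
        rows.append({"host": host, "version": version, "status": status,
                     "exposed": exposed, "priority": priority})
    return sorted(rows, key=lambda r: (r["priority"], r["host"]))


# Constructed sample inventory; hostnames and exposure flags are illustrative only.
SAMPLE_INVENTORY = [
    ("fw-edge-1", "11.1.4", True),
    ("fw-core-1", "10.2.12-h1", False),
    ("fw-dc-2", "11.2.4-h1", True),
    ("fw-lab-1", "10.1.9", True),
]


if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        flag = "EXPOSED" if row["exposed"] else "internal"
        print(f"{row['priority']}  {row['host']:<10} {row['version']:<12} {row['status']:<13} {flag}")
```

Devices ranked at priority 0 are the ones to patch or fence off first: they run a vulnerable build and their management interface is reachable from the internet, which is exactly the population the advisory singles out. A device reported as `not-in-scope` still warrants a check against the vendor advisory for CVE-2024-9474, which this example does not model.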

In a separate report, the company stated that it was not only actively monitoring the situation but working with customers to “identify and further minimise the very small number of PAN-OS devices with management web interfaces exposed to the Internet or other untrusted networks.

“CVE-2024-0012 is applicable only to PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software. Cloud NGFW and Prisma Access are not impacted by this vulnerability.”

The US Cybersecurity and Infrastructure Security Agency (CISA) has classified the vulnerabilities as critical and added them to its Known Exploited Vulnerabilities Catalog. Federal agencies have been instructed to apply the patches by 9 December 2024. This directive follows similar warnings from CISA about earlier Palo Alto Networks vulnerabilities, emphasising the ongoing threat posed by improperly secured network devices.

Last week, CISA added two identified vulnerabilities in Palo Alto Networks’ Expedition migration tool to the Catalogue. These vulnerabilities were tracked as CVE-2024-9463 and CVE-2024-9465. For this, CISA directed federal agencies to address these issues by 5 December 2024, under its Binding Operational Directive (BOD) 22-01.
