More than 2,000 Palo Alto Networks firewalls have been compromised in attacks exploiting two recently patched zero-day vulnerabilities, according to threat monitoring platform Shadowserver. The flaws, affecting the PAN-OS management web interface, have been used in chained attacks, allowing hackers to gain administrator privileges and execute root-level commands on vulnerable devices.
The vulnerabilities, identified as CVE-2024-0012 and CVE-2024-9474 earlier this week, have raised alarms in the cybersecurity community. CVE-2024-0012 enables attackers to bypass authentication, granting administrator access, while CVE-2024-9474 allows privilege escalation to run commands with root access. Palo Alto Networks first warned of potential remote code execution (RCE) risks on 8 November, and the issues were officially disclosed last week.
In a statement, Palo Alto Networks confirmed ongoing investigations into attacks leveraging these vulnerabilities. The company noted that attackers have used IP addresses associated with anonymous VPN services to exploit a “limited number of management web interfaces.” According to the company, threat actors have been observed deploying malware and executing commands on compromised firewalls, suggesting a publicly available exploit chain.
Despite Palo Alto Networks’ assessment that only a small number of devices are impacted, Shadowserver reported over 2,700 exposed PAN-OS devices, with around 2,000 confirmed as compromised since the campaign began.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. Federal agencies have been directed to patch their firewalls by 9 December. The vulnerabilities follow earlier warnings about another critical flaw, CVE-2024-5910, in the company’s Expedition firewall configuration migration tool.
Rising concerns over broader exploitation
Palo Alto Networks’ Unit 42 threat intelligence division has stated with “moderate to high confidence” that a functional exploit chain for CVE-2024-0012 and CVE-2024-9474 is now publicly available. This development could potentially enable a broader wave of attacks. The firm has urged customers to secure their firewalls’ management interfaces by restricting access to trusted internal networks.
“The risk of these issues is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines,” the company advised.
The latest exploits add to a series of high-profile vulnerabilities affecting Palo Alto Networks’ products this year. In July, the company patched a flaw that could be exploited by attackers to reset application administrator credentials on Expedition servers exposed to the internet. Another maximum-severity firewall vulnerability, CVE-2024-3400, which was actively exploited and impacted over 82,000 devices globally was addressed earlier this year.
Read more: CISA adds two more vulnerabilities in Palo Alto Networks tools to exploited catalogue
