Days after Palo Alto Networks warned over a potential critical vulnerability affecting its PAN-OS software, it has confirmed exploitation in the wild.
As yet there is no CVE allocated, no patch and only limited IOCs available.
The security firm has seen a webshell being installed on compromised machines and on Saturday shared three IP addresses and a checksum (file fingerprint) as indicators of compromise.
The incident comes after an unknown threat actor was seen touting a Palo Alto Networks zero day on exploit forums – with the US-based security vendor on November 11 urging customers to pull their management interfaces off the public internet or restrict them to known IP addresses.
This represents the third major vulnerability affecting Palo Alto Networks products under active exploitation this year, after CVE-2024-3400 and CVE-2024-5910 were also abused to target the firm’s customers.
The company moved briskly on spotting news of the potential exploit. It proactively scanned for internet-exposed PAN-OS interfaces, reaching out to customers with alerts and a call for them to follow best practices.
The incident comes days after the NCSC and other Five Eyes partners noted that the majority of the “most exploited” vulnerabilities last year were first exploited as zero days (with network devices/firewalls well represented on the list, including from Cisco, Citrix, Fortinet and others).
So far this year attackers have also been seen installing persistent malware that survives firmware reinstallation on both Ivanti and Sophos devices.
As The Stack reported, NCSC CTO Ollie Whitehouse last week called on “network defenders to be vigilant with vulnerability management, have situational awareness in operations and call on product developers to make security a core component of product design and life-cycle to help stamp out this insidious game of whack-a-mole at source”...
A search by the Shadowserver Foundation last week showed some 11,000 PAN-OS management interfaces publicly exposed to the internet. The majority are in the US (4,000) and India (1,000) with 200 in the UK.
Palo Alto Networks said on November 15: “At this time securing access to the management interface is the best recommended action. As we investigate the threat activity, we are preparing to release fixes and threat prevention signatures as early as possible. We will continue to update this advisory as more information is available.” It has an RSS feed for that advisory.