Palo Alto Networks confirms mystery zero day now exploited: Adds CVE, guidance.

You *still* didn't pull your PAN-OS interface off the public internet? Don't say you weren't warned...


Updated November 19 with CVE, patch notes.

Days after Palo Alto Networks warned over a potential critical vulnerability affecting its PAN-OS software, it has confirmed exploitation in the wild.

The vulnerability has now been allocated CVE-2024-0012 with a base CVSS of 9.3. It is an "authentication bypass" vulnerability that "enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474."

The security firm has seen a webshell being installed on compromised machines and on Saturday shared three IP addresses and a checksum (file fingerprint) as indicators. The vulnerability affects PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software. Cloud NGFW and Prisma Access are not impacted by this vulnerability. A patch is now available.

The incident comes after an unknown threat actor was seen touting a Palo Alto Networks zero day on exploit forums – with the US-based security vendor on November 11 urging customers to pull their management interfaces off the public internet or restrict them to known IP addresses.

This represents the third major vulnerability affecting Palo Alto Networks products under active exploitation this year, after CVE-2024-3400 and CVE-2024-5910 were also abused to target the firm’s customers. 

The company moved briskly on spotting news of the potential exploit. It proactively scanned for internet-exposed PAN-OS interfaces, reaching out to customers with alerts and a call for them to follow best practices.

The incident comes days after the NCSC and other Five Eyes partners noted that the majority of the “most exploited” vulnerabilities last year were first exploited as zero days (with network devices and firewalls well represented on the list, including products from Cisco, Citrix, Fortinet and others).

So far this year attackers have also been seen installing persistent malware that survives firmware reinstallation on both Ivanti and Sophos devices.

As The Stack reported, NCSC CTO Ollie Whitehouse last week called on “network defenders to be vigilant with vulnerability management, have situational awareness in operations and call on product developers to make security a core component of product design and life-cycle to help stamp out this insidious game of whack-a-mole at source”... 

A search by the Shadowserver Foundation last week showed some 11,000 PAN-OS management interfaces publicly exposed to the internet. The majority are in the US (4,000) and India (1,000) with 200 in the UK.

Palo Alto Networks said on November 15: “At this time securing access to the management interface is the best recommended action. As we investigate the threat activity, we are preparing to release fixes and threat prevention signatures as early as possible. We will continue to update this advisory as more information is available.” It has an RSS feed for that here.
