Thousands of Palo Alto Networks Firewalls Compromised in Zero-Day Exploits

Hackers have compromised thousands of Palo Alto Networks firewalls by exploiting two recently patched zero-day vulnerabilities. These vulnerabilities, CVE-2024-0012 and CVE-2024-9474, enable attackers to chain an authentication bypass with privilege escalation, gaining complete control over affected devices.

CVE-2024-0012: This authentication bypass in the PAN-OS management web interface allows remote attackers to gain administrative privileges.

CVE-2024-9474: This privilege escalation vulnerability lets attackers run commands with root access on compromised firewalls.

The first signs of exploitation appeared on November 8, when Palo Alto Networks warned customers to restrict access to their next-generation firewalls due to a potential remote code execution (RCE) flaw. This flaw was later tagged as CVE-2024-0012. By November 18, attackers had begun chaining the vulnerabilities, and the company observed malware deployment and root-level command execution on compromised devices.

Attack Details

According to Palo Alto Networks’ Unit 42, these attacks primarily originated from IP addresses associated with anonymous VPN traffic. The unit assessed with moderate to high confidence that a functional exploit chaining the two vulnerabilities is publicly available. This makes broader exploitation highly likely.

Threat monitoring platform Shadowserver has tracked over 2,700 vulnerable PAN-OS devices worldwide and confirmed that approximately 2,000 firewalls have already been compromised in this ongoing campaign.

Historical Exploits

These recent attacks are part of a troubling trend targeting PAN-OS vulnerabilities:

  • In early November, attackers exploited another critical missing authentication flaw (CVE-2024-5910) in the Palo Alto Networks Expedition tool, which was patched in July.
  • Earlier this year, CVE-2024-3400—a maximum severity PAN-OS vulnerability—was exploited, affecting over 82,000 devices. CISA added this flaw to its Known Exploited Vulnerabilities (KEV) catalog and required federal agencies to patch their devices within seven days.

Mitigation Steps and Recommendations

To counter this latest threat, Palo Alto Networks has issued strong recommendations for securing management interfaces:

  • Restrict Access: Limit access to the management web interface to trusted internal IP addresses.
  • Patch Immediately: Apply the latest patches addressing CVE-2024-0012 and CVE-2024-9474. CISA has mandated federal agencies to patch by December 9, 2024.
  • Monitor Activity: Use threat monitoring tools to detect unauthorized activity and secure exposed devices.

Palo Alto Networks emphasizes that risks are significantly reduced by following best-practice deployment guidelines. However, the ongoing attacks make swift action essential. The public availability of a chained exploit poses a severe threat to organizations relying on Palo Alto Networks firewalls, and the urgency to secure these devices cannot be overstated.
