By exploiting two zero-day vulnerabilities (both of which have been recently patched), malicious actors were able to compromise more than 2,000 Palo Alto Networks firewalls.
The two exploited vulnerabilities include an authentication bypass that provides malicious actors with administrator privileges in the PAN-OS management web interface (CVE-2024-0012) and a privilege escalation in PAN-OS (CVE-2024-9474).
Palo Alto Networks is investigating ongoing attacks and warns that an exploit chaining the two flaws likely exists. Below, security leaders discuss the risks of these flaws as well as what organizations can do to defend against them.
Even before patching, affected customers should immediately restrict access to the web management interface, preferably allowing only internal IPs.
The numbers reported by Shadowserver are very concerning, indicating that 7% of customers were compromised. With such a high ratio, it is essential not only to patch, but also to ensure that the device is free from any potential malware that may have been dropped or malicious configurations that may have been applied. We strongly recommend that users review their firewall configurations after applying the patch to ensure nothing has been altered.
Finally, users should check their audit logs for administrator activity to determine if a threat actor used the web interface for any malicious actions.
The immediate danger is that attackers exploiting these vulnerabilities can gain full control over affected firewalls, compromising the very systems designed to protect sensitive networks. This opens the door for malware deployment, data theft, lateral movement within the network and even complete network shutdowns. For organizations relying on these firewalls, this could mean business disruption, loss of sensitive data and exposure to regulatory and financial consequences.
Beyond patching, security teams must prioritize assessing the potential damage from compromised firewalls. This includes checking for unauthorized access, scanning for malware and reviewing configurations to ensure no additional vulnerabilities were introduced during the attack.
Organizations should also adopt a proactive approach to managing their attack surface, such as restricting access to management interfaces, implementing strong authentication and leveraging Privileged Access Management (PAM) solutions to protect administrative controls. While patching is critical, ongoing vigilance and layered defenses are equally essential to minimize risks from similar threats in the future.
Security teams should consider the following points while approaching these CVEs:
Definitively patching all vulnerable PAN-OS devices is the first step. They should secure access to the management interface by restricting access only to trusted IP addresses, reducing the attack surface. Sift through their installations and make sure none of the IOCs exist on their system. If any of these exist, they should follow their organizational IR steps to remediate these devices.
Teams should go through their installations, verify that they have not been altered in any way, and undo any changes found. If this cannot be done, the last known good configuration update should be restored and verified to be working properly. Any virtual PAN-OS versions should be strictly checked for jump-to-host exploit conditions and upgraded or decommissioned irrespectively.
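Two of the recommendations above, restricting the management interface to trusted internal addresses and reviewing audit logs for administrator activity, can be turned into a simple triage pass. The following is an added example, not code from the article or from Palo Alto Networks: it uses a constructed, simplified audit-log format (not the real PAN-OS log format), an assumed trusted management range of 10.0.0.0/8 and an assumed expected-admin list containing only `admin`.

```python
import ipaddress
import re

# Constructed sample of a simplified admin audit log (NOT PAN-OS's real log
# format): timestamp, event, acting admin account, source IP, free-form detail.
SAMPLE_AUDIT_LOG = """\
2024-11-18T09:12:03Z login admin 10.0.5.21 web-ui
2024-11-18T09:40:17Z config-commit admin 10.0.5.21 rule-add
2024-11-18T23:02:44Z login admin 203.0.113.77 web-ui
2024-11-18T23:03:10Z admin-create admin 203.0.113.77 svcacct role=superuser
2024-11-18T23:05:52Z config-commit svcacct 203.0.113.77 rule-add
2024-11-19T08:00:01Z login admin 10.0.5.22 web-ui
"""

# Assumed policy: the management interface is reachable only from internal
# ranges, and only the listed administrator accounts are expected to exist.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8")]
EXPECTED_ADMINS = {"admin"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")


def review_admin_activity(log_text, trusted_nets=TRUSTED_MGMT_NETS,
                          expected_admins=EXPECTED_ADMINS):
    """Return (timestamp, reason, raw line) findings that deserve a human look:
    admin actions from outside the trusted ranges, actions by accounts that
    should not exist, and any creation of a new administrator account."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than silently mis-parse them
        ts, event, account, src, detail = m.groups()
        src_ip = ipaddress.ip_address(src)
        if not any(src_ip in net for net in trusted_nets):
            findings.append((ts, f"admin activity from untrusted source {src}", line))
        if account not in expected_admins:
            findings.append((ts, f"unexpected administrator account {account!r}", line))
        if event == "admin-create":
            findings.append((ts, f"new administrator '{detail}' created by {account}", line))
    return findings


if __name__ == "__main__":
    for ts, reason, line in review_admin_activity(SAMPLE_AUDIT_LOG):
        print(f"{ts}  {reason}\n    {line}")
```

Every finding in the sample clusters around the late-night session from 203.0.113.77, which is the pattern (untrusted source, then a new superuser, then a config commit by it) a reviewer would escalate to the organization's IR process.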