An alarming set of chained vulnerabilities in Palo Alto Networks’ PAN-OS software has sparked concerns that attackers could seize administrator privileges through an authentication bypass.
The first vulnerability, identified as CVE-2024-0012, is a flaw that allows unauthenticated users with network access to the management interface to escalate their privileges, tamper with configurations, or exploit other privilege escalation vulnerabilities, including the second bug, CVE-2024-9474.
CVE-2024-9474 is a critical part of the exploit operation, potentially contributing to a chained attack scenario. While Palo Alto Networks has acknowledged the CVE, it has not yet provided in-depth technical details about the vulnerability’s mechanics, leaving room for speculation.
Palo Alto Networks has confirmed the availability of patches to address these issues and said it is “tracking a limited set of exploitation activity” and is “working with external researchers, partners, and customers to share information transparently and rapidly.”
The Scope of the Threat to PAN-OS
Palo Alto Networks disclosed that the main vulnerability in the exploit chain – CVE-2024-0012 – affects PAN-OS versions 10.2, 11.0, 11.1, and 11.2.
Notably, Cloud NGFW and Prisma Access remain unaffected. The exploitation risk significantly decreases when organizations limit access to the management interface to trusted internal IP addresses as per best practices.
Despite these measures, Palo Alto Networks Unit 42 researchers have identified limited exploitation attempts. Dubbed “Operation Lunar Peek,” these attacks involve adversaries executing commands interactively and deploying malware, including webshells, on compromised firewalls.
Also read: Palo Alto Networks Warns Customers of Actively-Exploited PAN-OS vulnerability
PAN-OS Attack Origins and Indicators
Threat actors have primarily targeted exposed management web interfaces using IP addresses linked to anonymous VPN services. Palo Alto Networks has published a detailed list of suspicious IPs and associated indicators of compromise (IOCs), enabling organizations to monitor and mitigate potential threats.
The list includes IPs such as 91.208.197[.]167 and 136.144.17[.]146, among others. Some post-exploitation payloads, including a PHP webshell (SHA256 hash: 3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668), have also been detected.
Patching Reduces Risk
Palo Alto Networks has released patches to address CVE-2024-0012 and CVE-2024-9474 and strongly recommends updating affected devices immediately. Organizations should ensure the management interface is accessible only from trusted internal IPs to block unauthorized external access.
For organizations needing further assistance, Palo Alto Networks provides support services. Unit 42 retainer customers can directly contact the threat intelligence team for incident response guidance.
Mitigations Beyond Patching
Securing the management interface is essential. Palo Alto Networks advises implementing best practice deployment guidelines, which include:
- Restricting access to trusted internal IP addresses.
- Avoiding direct exposure of the management interface to the internet.
- Continuously monitoring for IOCs using threat intelligence feeds.
Palo Alto Networks has shared intelligence with the Cyber Threat Alliance (CTA) to strengthen collective defense measures against this exploit. CTA members have leveraged this data to deploy protections and disrupt threat actors systematically.
Organizations should act promptly to apply patches, implement network segmentation, and adopt recommended security configurations. For ongoing updates and technical details, refer to the Palo Alto Networks Security Advisory here. Ensure your defenses remain robust as attackers evolve their tactics.