Palo Alto Networks Addresses Critical Zero-Day Vulnerabilities in Firewalls

  • Last updated November 19, 2024
  • written by Writer

Palo Alto, November 19, 2024 – Palo Alto Networks has successfully patched two critical zero-day vulnerabilities in its PAN-OS management web interface for Next-Generation Firewalls, following reports of active exploitation.

The vulnerabilities were first acknowledged by Palo Alto Networks on November 8, when the company noted rumors of a potential threat. An updated advisory on November 14 revealed that the company had observed threat activity exploiting an unauthenticated remote command execution vulnerability affecting a limited number of firewall management interfaces exposed to the internet.

On November 18, the vulnerabilities were officially assigned two CVEs: CVE-2024-0012, an authentication bypass vulnerability, and CVE-2024-9474, a privilege escalation vulnerability. The combination of these vulnerabilities could allow an attacker with access to the web interface to gain administrative privileges.

Researchers at Rapid7 highlighted that these vulnerabilities could be chained together, allowing adversaries to bypass authentication on exposed management interfaces and escalate their privileges. Although the advisories did not explicitly confirm that this could lead to fully unauthenticated remote code execution as root, the presence of a web shell payload in indicators of compromise suggests that such an outcome is plausible.

Palo Alto Networks stated that the zero-day vulnerabilities impacted only a very small number of its firewalls and were exploitable solely on web interfaces with unrestricted access. The company has identified threat activity targeting a limited number of device management web interfaces, primarily originating from IP addresses associated with anonymous VPN services. Ongoing investigations by Palo Alto Networks are focused on remediating this activity, which has included instances of interactive command execution and the deployment of malware, including web shells, on the affected firewalls.

The swift response to these vulnerabilities underscores the importance of cybersecurity vigilance, particularly for organizations relying on firewall management interfaces exposed to the internet.