Over 2,000 Palo Alto firewalls compromised in attacks exploiting zero-day vulnerabilities

Hackers have compromised over 2,000 Palo Alto Networks firewalls by exploiting two recently patched zero-day vulnerabilities, highlighting the critical need for immediate action from organizations using these devices.

The vulnerabilities in question include:

CVE-2024-0012: An authentication bypass in the PAN-OS management web interface that allows remote attackers to gain administrator privileges.

CVE-2024-9474: A privilege escalation flaw enabling attackers to execute commands with root-level privileges.

Palo Alto Networks initially warned about CVE-2024-0012 on November 8, urging customers to restrict access to their firewalls' management interfaces. The company later disclosed CVE-2024-9474 on November 20, identifying that threat actors were chaining these vulnerabilities to compromise firewalls.

Attack details and threat landscape

The ongoing attack campaign primarily originates from IP addresses associated with anonymous VPN services, according to Palo Alto Networks. Threat actors have been observed deploying malware and executing commands on compromised devices, leading security researchers to believe that a functional exploit chaining the two vulnerabilities is already available to the public.

While Palo Alto Networks maintains that only a "very small number" of devices are affected, cybersecurity monitoring platform Shadowserver has flagged over 2,700 vulnerable PAN-OS firewalls, with more than 2,000 already confirmed as compromised.

CISA mandates federal action

In response, the Cybersecurity and Infrastructure Security Agency (CISA) has added both vulnerabilities to its Known Exploited Vulnerabilities Catalog. Federal agencies are required to patch affected firewalls by December 9, 2024.

This comes on the heels of earlier warnings about critical vulnerabilities in Palo Alto products. In early November, attackers were found exploiting a separate flaw (CVE-2024-5910) in the Expedition firewall migration tool, a vulnerability patched in July. Earlier in the year, CVE-2024-3400—a maximum severity vulnerability—had already put over 82,000 devices at risk.

Mitigation steps

Palo Alto Networks has reiterated the importance of securing firewalls’ management interfaces by restricting access to trusted internal IP addresses.

“Risk of these issues is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses,” the company said in a recent advisory.

Organizations are urged to:

Immediately patch their firewalls to address CVE-2024-0012 and CVE-2024-9474.

Restrict access to the management interface to trusted networks.

Monitor for signs of compromise, including unauthorized changes or unexpected traffic.