Palo Alto Networks warns customers of critical firewall zero-day exploit
Palo Alto Networks (PAN) is urging customers to take immediate action to secure their firewall management interfaces after discovering a critical zero-day vulnerability under active exploitation.
The flaw, which allows remote attackers to execute commands without any authentication, can be used to potentially compromise an entire network if exploited successfully. According to Palo Alto Networks, a "limited number" of internet-facing firewall management interfaces have already been targeted.
The advisory clarifies that Prisma Access and Cloud NGFW are not affected by this vulnerability.
What PAN customers need to do
Restrict Management Interface Access: The company emphasizes that the vulnerability poses minimal risk if the management interface is configured according to best practices, which restrict access to trusted internal IPs only.
Identify Vulnerable Devices: PAN offers two methods to identify potentially vulnerable devices:
1. Check the "Remediation Required" list within the Palo Alto Networks Customer Support Portal. Devices with internet-facing management interfaces will be tagged with "PAN-SA-2024-0015".
2. Look for alerts generated by the "Palo Alto Networks Firewall Admin Login" attack surface rule within Cortex Xpanse or Cortex XSIAM with the ASM module.
What Palo Alto Networks is doing
The company is actively investigating the exploit and is expected to release security patches and threat prevention signatures soon.
Palo Alto Networks is keeping customers updated through its security advisory page and recommends subscribing to its RSS feed or email notifications for the latest information.
Additional information
The severity of this vulnerability is rated as "CRITICAL" with a CVSSv4.0 base score of 9.3. While Palo Alto Networks has observed limited exploitation so far, it has identified potential indicators of compromise (IOCs), including specific source IP addresses and a webshell checksum:
Flagged IP addresses: 136.144.17[.]*, 173.239.218[.]251, 216.73.162[.]*
Webshell checksum: 3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668
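As an added example (not code from Palo Alto Networks or from this article), the script below matches the IOCs quoted above against management-interface access logs and against a file's SHA-256. The log line format is constructed, and the trailing "*" in the flagged addresses is assumed to mean the whole /24.

```python
"""Added example: check management-interface logs and file hashes against
the PAN-SA-2024-0015 IOCs listed in the article. Log format is constructed."""
import hashlib
import ipaddress
import re

# IOCs as quoted in the article (de-fanged "[.]" written as ".").
FLAGGED_IP_PATTERNS = ["136.144.17.*", "173.239.218.251", "216.73.162.*"]
WEBSHELL_SHA256 = "3c5f9034c86cb1952aa5bb07b4f77ce7d8bb5cc9fe5c029a32c72adc7e814668"


def _pattern_to_network(pattern: str) -> ipaddress.IPv4Network:
    """Assumption: '136.144.17.*' means 136.144.17.0/24; a plain address is a /32."""
    if pattern.endswith(".*"):
        return ipaddress.ip_network(pattern[:-2] + ".0/24")
    return ipaddress.ip_network(pattern + "/32")


FLAGGED_NETWORKS = [_pattern_to_network(p) for p in FLAGGED_IP_PATTERNS]


def is_flagged_ip(addr: str) -> bool:
    """True if addr (fanged or de-fanged) falls inside any flagged range."""
    ip = ipaddress.ip_address(addr.replace("[.]", "."))
    return any(ip in net for net in FLAGGED_NETWORKS)


# Constructed format: "<timestamp> mgmt-login src=<ip> user=<name> result=<ok|fail>"
LOG_RE = re.compile(r"src=(?P<src>[\d.]+)")


def find_flagged_logins(lines):
    """Return the log lines whose source address matches a flagged IOC."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and is_flagged_ip(m.group("src")):
            hits.append(line)
    return hits


def matches_webshell_hash(data: bytes) -> bool:
    """True if the SHA-256 of data equals the advisory's webshell checksum."""
    return hashlib.sha256(data).hexdigest() == WEBSHELL_SHA256


SAMPLE_LOGS = [  # constructed sample telemetry, not real data
    "2024-11-08T10:01:02Z mgmt-login src=10.0.5.7 user=admin result=ok",
    "2024-11-08T10:02:17Z mgmt-login src=136.144.17.42 user=admin result=ok",
    "2024-11-08T10:03:40Z mgmt-login src=173.239.218.251 user=root result=fail",
    "2024-11-08T10:04:01Z mgmt-login src=216.73.161.9 user=admin result=ok",
]

if __name__ == "__main__":
    for hit in find_flagged_logins(SAMPLE_LOGS):
        print("FLAGGED:", hit)
```

Matching a flagged source address or hash is a trigger for investigation, not proof of compromise; the advisory labels these indicators as potential.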
Don't Wait, Secure Your Firewalls Now!
By following Palo Alto Networks' recommendations and taking immediate action to secure your firewall management interfaces, you can significantly reduce the risk of being compromised by this critical zero-day exploit.