Critical Zero-Day Vulnerability in Palo Alto Networks' PAN-OS Firewall Spotted and Actively Exploited
ICARO Media Group
### Critical Zero-Day Vulnerability Found in Palo Alto Networks' PAN-OS Firewall
Palo Alto Networks recently identified a zero-day vulnerability in its PAN-OS firewall management interface that is actively being exploited by threat actors. In response, the network security provider has released new indicators of compromise (IoCs) to assist users in identifying and mitigating potential threats.
The company reported detecting malicious activity from specific IP addresses targeting PAN-OS management web interfaces that are exposed to the internet. It cautioned, however, that the same addresses may also carry legitimate user traffic, since some of them belong to third-party VPN services.
The vulnerability, which had not yet received a Common Vulnerabilities and Exposures (CVE) identifier at the time of writing, carries a CVSS score of 9.3, rating it critical. It permits unauthenticated remote command execution: exploitation requires no credentials or privileges and no user interaction. The attack complexity is rated low, which is what makes an internet-exposed management interface so dangerous.
If access to the management interface is restricted to a specific set of IP addresses, the severity drops to high, with a CVSS score of 7.5, because an attacker would first need privileged access to one of the permitted addresses before being able to reach the interface at all.
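The advisory amounts to two checks a defender can run against their own logs: whether any management-interface access came from the published IoC addresses (while remembering that some of those addresses are third-party VPN exits used by legitimate users), and whether the interface is genuinely limited to the permitted source addresses, since the 7.5 rating only applies when it is. The script below is an added example written for this page, not code from the article or from Palo Alto Networks. The log line format is a simplified one invented for the example, not PAN-OS's real system-log format, and every address and range in `IOC_IPS`, `KNOWN_VPN_EGRESS` and `PERMITTED_MGMT` is constructed for illustration; none of them are the real indicators.

```python
"""Triage management-interface access records against an IoC list.

Added illustration for this article; not Palo Alto Networks code.
Log format, addresses and ranges below are all constructed.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed sample records, one per line: "<timestamp> <source-ip> <event>".
# This simplified format is invented for the example, not PAN-OS's own.
SAMPLE_LOG = """\
2024-11-14T09:12:01Z 203.0.113.45 mgmt-web-login-attempt
2024-11-14T09:12:03Z 203.0.113.45 mgmt-web-login-success
2024-11-14T09:15:40Z 198.51.100.7 mgmt-web-login-attempt
2024-11-14T09:20:11Z 10.20.0.15 mgmt-web-login-success
2024-11-14T09:22:58Z 192.0.2.200 mgmt-web-login-attempt
"""

# Hypothetical IoC addresses (documentation ranges, NOT the published IoCs).
IOC_IPS = {"203.0.113.45", "198.51.100.7"}
# Hypothetical egress ranges of third-party VPN services your own staff use.
KNOWN_VPN_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]
# Hypothetical ranges the management interface is supposed to accept.
PERMITTED_MGMT = [ipaddress.ip_network("10.20.0.0/16")]


@dataclass(frozen=True)
class Finding:
    timestamp: str
    source: str
    event: str
    verdict: str


def _in_any(ip: ipaddress._BaseAddress, networks) -> bool:
    return any(ip in net for net in networks)


def classify(source_ip: str) -> str:
    """Return a verdict for one source address seen on the management UI."""
    ip = ipaddress.ip_address(source_ip)
    if _in_any(ip, PERMITTED_MGMT):
        return "permitted"
    if source_ip in IOC_IPS:
        # The vendor warns that its IoC addresses may also be VPN exits used
        # by legitimate users: flag those for review, not as confirmed bad.
        if _in_any(ip, KNOWN_VPN_EGRESS):
            return "ioc-match-possible-vpn"
        return "ioc-match"
    # Any other address reaching the management UI proves the interface is
    # not actually restricted to the permitted set (the 9.3 scenario).
    return "unrestricted-exposure"


def triage(log_text: str) -> list[Finding]:
    """Parse the simplified log and attach a verdict to every record."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, source, event = line.split(maxsplit=2)
        findings.append(Finding(timestamp, source, event, classify(source)))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count records per verdict."""
    return dict(Counter(f.verdict for f in findings))


def is_exposed(findings: list[Finding]) -> bool:
    """True if any access came from outside the permitted ranges."""
    return any(f.verdict != "permitted" for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.verdict:24} {f.source:15} {f.timestamp} {f.event}")
    print(summarize(results))
    print("management interface reachable from non-permitted sources:",
          is_exposed(results))
```

In a real deployment the input would be the firewall's own logs for the management interface and the IoC list from the vendor's advisory; the `ioc-match-possible-vpn` verdict is exactly the case the advisory cautions about, where an IoC hit alone does not establish compromise. Any `unrestricted-exposure` record means the interface is reachable from addresses it should not be, so the lower 7.5 rating does not apply to that device.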
On November 8, 2024, Palo Alto Networks began advising customers to secure their firewall management interfaces after it learned of a claimed remote code execution (RCE) flaw. The company has since confirmed that the vulnerability has been exploited in a limited number of cases. Details of how it was discovered, who the threat actors are, and which organizations were targeted remain undisclosed. The flaw does not affect the Prisma Access and Cloud NGFW products.
No patches have been released for this vulnerability yet, so customers should immediately restrict access to their management interfaces. The advisory coincides with ongoing exploitation of three other critical flaws (CVE-2024-5910, CVE-2024-9463, and CVE-2024-9465) in Expedition, Palo Alto Networks' configuration migration tool, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). There is currently no indication that the two sets of activity are connected.