**Urgent Warning: Critical Zero-Day Vulnerability in Palo Alto Networks Firewalls**
ICARO Media Group
**Critical Zero-Day Vulnerability Exploited in Palo Alto Networks Firewalls**
Palo Alto Networks has issued an urgent warning regarding a critical zero-day vulnerability in the management interfaces of its Next-Generation Firewalls (NGFW). The issue, tracked as 'PAN-SA-2024-0015,' has recently been observed being actively exploited in attacks. Initially revealed on November 8, 2024, the vulnerability poses a significant risk, prompting Palo Alto Networks to urge customers to limit access to these firewalls due to a potential remote code execution (RCE) threat.
According to an update on the advisory page, Palo Alto Networks has detected threat activity exploiting an unauthenticated remote command execution vulnerability targeting a limited number of firewall management interfaces exposed to the Internet. Devices that do not adhere to the recommended deployment guidelines are considered to be at higher risk.
The flaw boasts a critical CVSS v4.0 score of 9.3 and is remotely exploitable without the need for authentication or user interaction. Attackers can take control of the firewall by sending a specially crafted request to an internet-exposed interface, potentially allowing them to modify rules, redirect or intercept network traffic, and disable security protections.
While the vendor has yet to release sufficient indicators of compromise, they suggest that customers follow mitigation steps to secure devices. Despite discovering the RCE bug a week ago, Palo Alto Networks has not released security updates yet and advises that securing the management interface is currently the best action.
The Shadowserver Foundation, a threat monitoring platform, reported seeing roughly 8,700 exposed interfaces. Independent threat researcher Yutaka Sejiyama, after scanning Shodan, found 11,180 IP addresses associated with Palo Alto management interfaces exposed online. He confirmed that these IP addresses were active during his investigation three days ago.
To ensure proper application of mitigations, customers are encouraged to visit the Assets section of the Palo Alto Networks Customer Support Portal to locate devices with internet-facing management interfaces. Any devices found tagged with 'PAN-SA-2024-0015' should be secured using the recommended steps.