In a significant cybersecurity incident, over 2,000 Palo Alto Networks firewalls have been compromised by attackers exploiting two recently patched zero-day vulnerabilities.

Incident Overview

The breaches involve two critical vulnerabilities:

1. CVE-2024-0012: An authentication bypass in the PAN-OS management web interface, allowing remote attackers to gain administrator privileges without authentication.

2. CVE-2024-9474: A privilege escalation flaw enabling attackers to execute commands on the firewall with root privileges.

Palo Alto Networks initially alerted customers on November 8, 2024, advising them to restrict access to their next-generation firewalls due to a potential remote code execution (RCE) vulnerability, later identified as CVE-2024-0012.

Scope and Impact

The company is investigating ongoing attacks that chain these two vulnerabilities to target a limited number of device management web interfaces. Threat actors have been observed dropping malware and executing commands on compromised firewalls, indicating the likely availability of a functional exploit chain.

Despite the company's assessment that only a "very small number" of PAN-OS devices are impacted, threat monitoring platform Shadowserver reported tracking over 2,700 vulnerable PAN-OS devices. Approximately 2,000 of these have been hacked since the start of the ongoing campaign.

Official Response

Palo Alto Networks has released security updates addressing these vulnerabilities and strongly advises customers to secure their firewalls' management interfaces by restricting access to trusted internal IP addresses. The company emphasizes that securing access to the management interface is the best recommended action at this time.

Implications for the Cybersecurity Community

This incident underscores the critical importance of promptly applying security patches and adhering to best practices for securing management interfaces. Organizations using Palo Alto Networks firewalls are urged to review their security configurations and ensure that all recommended updates and mitigations are implemented to protect against potential exploitation.

Disclaimer: ClearPhish maintains a strict policy of not participating in the theft, distribution, or handling of stolen data or files. The platform does not engage in exfiltration, downloading, hosting, or reposting any illegally obtained information. Any responsibility or legal inquiries regarding the data should be directed solely at the responsible cybercriminals or attackers, as ClearPhish is not involved in these activities. We encourage parties affected by any breach to seek resolution through legal channels directly with the attackers responsible for such incidents.