Palo Alto Networks says it has repaired two major firewall zero-days used in thousands of attacks
- Palo Alto Networks releases patch for two serious bugs affecting its firewalls
- The flaws were exploited in the wild to drop malware
- CISA has added them to the KEV catalogue
Palo Alto Networks has revealed that it has fixed two major vulnerabilities in its firewalls.
The bugs are an authentication bypass in the PAN-OS management web interface (CVE-2024-0012) and a privilege escalation error in PAN-OS (CVE-2024-9474). The former has a severity score of 9.3 (critical) and allows criminals to gain administrative privileges on the target endpoint; the latter has a lower score, 6.9 (medium), but helps execute commands on the firewall.
Palo Alto confirmed that cybercriminals chained the flaws together to gain administrative privileges and execute commands on exposed endpoints. Users are therefore advised to apply the patches as soon as possible.
Added to CISA’s KEV
Palo Alto said it is investigating ongoing attacks that link the two bugs together to target “a limited number of device management web interfaces” with malware and arbitrary commands.
“This original activity reported on November 18, 2024 was primarily from IP addresses known to proxy/tunnel traffic for anonymous VPN services,” the company said in an advisory. “Currently, Unit 42 assesses with moderate to high confidence that a functional exploit linking CVE-2024-0012 and CVE-2024-9474 is publicly available, which will enable broader threat activity.”
Both vulnerabilities have since been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, confirming exploitation in the wild. Federal agencies have until December 9 to patch the bugs or stop using the affected firewalls altogether.
Palo Alto said only a “very small number” of firewalls are being targeted. However, citing data from the threat monitoring platform Shadowserver, BleepingComputer reported that there are more than 2,700 vulnerable PAN-OS instances.
Because a working exploit is already available and evidence of exploitation exists, Palo Alto is “strongly” advising its customers to apply the fixes and restrict access to trusted accounts.
“The risk of these issues is significantly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses per our recommended best practice implementation guidelines,” the company said.
Via BleepingComputer