- Palo Alto Networks releases patch for two serious flaws impacting its firewalls
- The flaws were being abused in the wild to drop malware
- CISA added them to its KEV catalog
Palo Alto Networks has revealed it fixed two major vulnerabilities plaguing its firewalls.
The bugs are an authentication bypass in the PAN-OS management web interface (CVE-2024-0012), and a privilege escalation flaw in PAN-OS (CVE-2024-9474). The former has a severity score of 9.3 (critical), and grants crooks the ability to gain admin privileges on the target endpoint, and the latter has a lower score, 6.9 (medium), but helps run commands on the firewall.
Cybercriminals were chaining the flaws to gain admin privileges and run commands on exposed endpoints, it confirmed. Therefore, users are advised to apply the patches as soon as possible.
Added to CISA’s KEV
Palo Alto said it was looking into ongoing attacks in which the two bugs were chained to strike “a limited number of device management web interfaces” with malware and arbitrary commands.
“This original activity reported on Nov. 18, 2024 primarily originated from IP addresses known to proxy/tunnel traffic for anonymous VPN services,” the company said in an advisory. “At this time, Unit 42 assesses with moderate to high confidence that a functional exploit chaining CVE-2024-0012 and CVE-2024-9474 is publicly available, which will enable broader threat activity.”
Both vulnerabilities have since been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, confirming in-the-wild abuse. Federal agencies have until December 9 to patch the bugs, or stop using the affected firewalls altogether.
Palo Alto said that only a “very small number” of firewalls is being targeted. However, citing data from the threat monitoring platform Shadowserver, BleepingComputer reported that there are more than 2,700 vulnerable PAN-OS instances.
Since a working exploit is already available, and evidence of abuse exists, Palo Alto “strongly” advises its customers to patch up, and restrict access to trusted accounts only.
“Risk of these issues are greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines,” the company said.
Via BleepingComputer