Security researchers at Palo Alto Networks have identified a ‘limited set of exploitation activities’ related to two critical zero-day vulnerabilities in PAN-OS, the operating system that runs the company’s next-generation firewalls. CVE-2024-0012 is an authentication bypass in the PAN-OS management web interface that lets an unauthenticated attacker with network access to that interface obtain PAN-OS administrator privileges; CVE-2024-9474 is a privilege escalation in the same interface that lets a PAN-OS administrator execute actions on the firewall with root privileges. Chained together, the two flaws take an attacker from an unauthenticated network position to root on the device, a foothold from which the attacker can move deeper into the organization’s network.
Palo Alto Networks reports that attackers are actively using the two vulnerabilities as an exploit chain against ‘a limited number of device management web interfaces’ exposed to the internet. Preliminary data from the Shadowserver Foundation, a nonprofit that monitors vulnerability exploitation worldwide, indicates that exploitation has since spread well beyond that initial set of targets.
Shadowserver Foundation’s scans have identified more than 2,000 Palo Alto Networks firewalls compromised through this chain so far, with attackers exploiting both vulnerabilities together. Because these devices sit at the network perimeter, a compromise exposes sensitive data passing through them and can disrupt critical operations for the organizations that run them.
Vulnerability Details
Zero-Day Exploit: CVE-2024-0012
CVE-2024-0012 is an authentication bypass in the PAN-OS management web interface. An unauthenticated attacker with network access to that interface can obtain PAN-OS administrator privileges without valid credentials, which is enough to read and change the firewall’s configuration, tamper with security policy, or chain into further vulnerabilities. A firewall under attacker control effectively becomes an extension of the attacker’s infrastructure, sitting inline on the victim’s traffic.
Zero-Day Exploit: CVE-2024-9474
CVE-2024-9474 is a privilege escalation vulnerability in the PAN-OS management web interface. A PAN-OS administrator, or an attacker who has obtained administrator access (for example through CVE-2024-0012), can use it to execute commands on the underlying operating system with root privileges. On its own the flaw requires administrative access; combined with the authentication bypass, that requirement disappears, which is what makes the pair so dangerous on an exposed management interface.
Exploit Chain and Impact
The combination of these two vulnerabilities creates a potent attack path for anyone able to reach an exposed management interface. The chain begins with CVE-2024-0012: the attacker connects to the management web interface, bypasses authentication, and obtains administrator privileges. From that position the attacker exploits CVE-2024-9474 to execute commands as root on the firewall. The two-step chain takes an attacker from unauthenticated network access to full control of the device in a single session, which makes it well suited to large-scale campaigns against internet-exposed management interfaces.
Palo Alto Networks has urged its customers to upgrade immediately to the fixed PAN-OS releases and, regardless of patch status, to restrict management interface access to trusted internal IP addresses, which is the company’s long-standing deployment guidance. The company is continuing to investigate the activity and is working with external security researchers to assess the impact on its customer base and to refine mitigations.
Industry-Wide Concerns
While this report focuses specifically on Palo Alto Networks’ products, similar issues are being investigated across other major vendor ecosystems. Cyber threat intelligence firm AlienVault reported that attackers have been exploiting a series of zero-day vulnerabilities in products from several major firewall vendors, including flaws in web authentication and remote-access management features. The pattern is consistent: perimeter devices with internet-reachable management or VPN interfaces are a favoured target, and organizations need to treat those interfaces as high-value attack surface rather than as infrastructure that is only reachable by administrators.
Response from Industry Players
In response to these findings, Palo Alto Networks has published a technical report outlining the specifics of the exploit chain and its implications, and has released fixed PAN-OS versions for the affected release trains. The company continues to emphasize the exploit-prevention capabilities of its next-generation firewall (NGFW) platform, but those protections do not remove the need to patch the management interface itself and keep it off the internet.
Meanwhile, security firm Arctic Wolf has independently observed the same activity, alongside similar attacks on other firewall vendors’ products. Both companies are collaborating to address this emerging threat and have urged organizations to review their network security configurations, and in particular to confirm that firewall management interfaces are not reachable from untrusted networks.
Mitigation Strategies
For immediate protection against such attacks, organizations should:
- Apply patches promptly: upgrade each firewall to a PAN-OS release that fixes both CVEs for its release train (the fixed versions are listed in the Palo Alto Networks security advisories), starting with any device whose management interface is reachable from the internet.
- Restrict management access and limit privilege: permit management interface traffic only from trusted internal IP addresses (for example via the PAN-OS permitted-ip list, a dedicated management network, or a jump host), never expose the management web interface to the internet, and apply least-privilege roles to administrator accounts so that a compromised account has limited reach.
- Verify exposure and validate defenses: scan your own external address space for exposed management interfaces, check whether Palo Alto Networks has flagged any of your devices for remediation in its customer support portal, and include firewall management planes in regular penetration tests so that configuration drift is caught before an attacker finds it.
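The two checks above, patch level and management-plane exposure, can be scripted against a fleet of firewalls. The following Python is an added example written for this page; it is not code from Palo Alto Networks or from the original article. It parses PAN-OS version strings of the form `major.minor.maintenance-hN`, compares them against a per-release-train threshold, and inspects an exported configuration for the `permitted-ip` list. The fixed-version thresholds in `FIXED_VERSIONS` are an assumption for illustration and must be verified against the current vendor advisories before use; the XML path `deviceconfig/system/permitted-ip/entry` and the sample configurations are likewise assumed and constructed for the example.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# PAN-OS version strings look like "10.2.12-h2" or "11.1.5" (no hotfix suffix).
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(s):
    """Return (major, minor, maintenance, hotfix) so versions compare as tuples."""
    m = _VER_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {s!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


# ASSUMPTION: illustrative first-fixed versions per release train.
# Verify every entry against the current Palo Alto Networks advisories.
FIXED_VERSIONS = {
    (10, 1): "10.1.14-h6",
    (10, 2): "10.2.12-h2",
    (11, 0): "11.0.6-h1",
    (11, 1): "11.1.5-h1",
    (11, 2): "11.2.4-h1",
}


def is_patched(version):
    """True/False for a known release train, None if the train is not in the table."""
    v = parse_panos_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return None
    return v >= parse_panos_version(fixed)


# RFC 1918 ranges; anything else in permitted-ip deserves a second look.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _is_rfc1918(net):
    return any(net.version == r.version and net.subnet_of(r) for r in _RFC1918)


def permitted_ips(config_xml):
    """Extract the management-plane permitted-ip entries (assumed XML path)."""
    root = ET.fromstring(config_xml)
    entries = root.findall(".//deviceconfig/system/permitted-ip/entry")
    return [e.get("name") for e in entries]


def exposure_findings(config_xml):
    """Return a list of human-readable findings; an empty list means no concern."""
    ips = permitted_ips(config_xml)
    if not ips:
        return ["no permitted-ip entries: management interface accepts connections from any source"]
    findings = []
    for cidr in ips:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen == 0:
            findings.append(f"permitted-ip {cidr} allows any source")
            continue
        if not _is_rfc1918(net):
            findings.append(f"permitted-ip {cidr} is outside RFC 1918 space; confirm it is a trusted range")
    return findings


# Constructed sample configurations (not real exports) for the checks above.
EXPOSED_CONFIG = """<config><devices><entry name="localhost.localdomain">
<deviceconfig><system><hostname>fw-edge</hostname></system></deviceconfig>
</entry></devices></config>"""

RESTRICTED_CONFIG = """<config><devices><entry name="localhost.localdomain">
<deviceconfig><system><hostname>fw-core</hostname>
<permitted-ip><entry name="10.0.0.0/24"/><entry name="198.51.100.0/24"/></permitted-ip>
</system></deviceconfig></entry></devices></config>"""


def assess(version, config_xml):
    """Combine both checks into one record per device."""
    return {"patched": is_patched(version), "findings": exposure_findings(config_xml)}


if __name__ == "__main__":
    for ver, cfg in (("11.1.4-h9", EXPOSED_CONFIG), ("11.1.5-h1", RESTRICTED_CONFIG)):
        print(ver, assess(ver, cfg))
```

Run it against the output of `show system info` (for the version) and an exported device configuration; any device that is both unpatched and exposed belongs at the top of the remediation list, and a device on an unknown release train (`patched` is `None`) should be checked by hand rather than assumed safe.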
Palo Alto Networks has also called on its customers to share any additional information about this coordinated attack with the company’s security response teams. The company is particularly interested in learning about other instances of similar vulnerabilities exploited by malicious actors and will investigate whether these incidents are part of a larger, coordinated campaign.
Conclusion
The exploitation of CVE-2024-0012 and CVE-2024-9474 highlights the urgent need for organizations to adopt proactive cybersecurity measures for their perimeter devices. Unpatched firewalls with internet-reachable management interfaces remain exploitable, and attackers will keep refining their techniques against this class of device. Organizations must stay vigilant, patch promptly, keep management interfaces off the internet, and collaborate with security experts to safeguard against these evolving threats.
Palo Alto Networks remains committed to addressing this issue and supporting its customers in mitigating these risks. For further information or assistance, please contact support@paloaltonetworks.com.