Researchers: 2,000 Palo Alto Networks Firewalls Compromised In Recent Attacks

The campaign by threat actors has exploited two vulnerabilities affecting Palo Alto Networks’ PAN-OS software.

A recent wave of cyberattacks exploiting a pair of now-patched vulnerabilities has compromised at least 2,000 Palo Alto Networks firewalls, according to researchers at Shadowserver.

The campaign has exploited two vulnerabilities affecting Palo Alto Networks’ PAN-OS software — a critical-severity authentication bypass flaw (tracked as CVE-2024-0012) and a medium-severity privilege escalation vulnerability (tracked as CVE-2024-9474).


The critical-severity flaw affects certain internet-exposed Palo Alto Networks firewall management interfaces and was first disclosed Nov. 8 (it has also been tracked under the identifier PAN-SA-2024-0015).

Palo Alto Networks, the maker of widely used next-generation firewalls (NGFW), disclosed on Nov. 14 that the critical vulnerability had seen exploitation in cyberattacks.

In a post Thursday, researchers at threat tracker Shadowserver said they’ve been monitoring compromises of Palo Alto Networks devices during the campaign exploiting the two vulnerabilities — and as of Wednesday, the group had “found ~2000 instances compromised.”

In a statement provided to CRN Thursday, a Palo Alto Networks spokesperson characterized the impact from the campaign as “limited” and said that the company’s own information suggests that the Shadowserver figure for compromised devices is too high. “While we can't confirm the exact number, I can tell you it is a smaller number,” the spokesperson said in the statement.

Additionally, only a small fraction of devices are even potentially vulnerable, because “less than half a percent of Palo Alto Networks firewalls deployed by customers have an Internet-exposed management interface,” the statement said.

At the same time though, “our perspective is that even one impacted firewall is one too many and that is why we frequently communicate and post when we see any potential vulnerability,” the Palo Alto Networks statement said, adding that the company is “actively working with those who may be impacted.”

Vulnerabilities Can Be Exploited Together

The authentication bypass vulnerability (CVE-2024-0012) has received a “critical” severity rating of 9.3 out of 10.0, while the privilege escalation flaw (CVE-2024-9474) has received a “medium” severity rating of 6.9 out of 10.0.

The two vulnerabilities can be utilized together as part of an attack, Palo Alto Networks said in an advisory posted online.

The authentication bypass flaw “enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474,” the company said.

In a separate post by Palo Alto Networks’ Unit 42 division, published on Wednesday, researchers said they believed that a “limited number of management web interfaces” had been compromised as part of the campaign, which they are tracking under the name “Operation Lunar Peek.”

“Risk of these issues are greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines,” Unit 42 said in the post.

CVE-2024-0012 only affects PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1 and PAN-OS 11.2 deployments on PA-Series, VM-Series and CN-Series firewalls as well as on Panorama (virtual and M-Series) and WildFire appliances, according to the post. The flaws do not impact Cloud NGFW and Prisma Access, the company said.
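The two facts above (the affected PAN-OS release trains and the recommendation to restrict the management interface to trusted internal addresses) are what a defender needs to triage an inventory. The following is an added example, not code from Palo Alto Networks or from the article: it takes a constructed device inventory, flags devices that are both on a release train named as affected and whose management allow list admits addresses outside the trusted internal ranges, and returns them for review. The `Device` fields, the inventory contents and the treatment of an empty allow list as unrestricted are assumptions for illustration; the page does not list the fixed maintenance releases, so matching is by release train only and a flagged device means "confirm patch level against the vendor advisory", not "confirmed unpatched".

```python
import ipaddress
from dataclasses import dataclass

# PAN-OS release trains the article names as affected by CVE-2024-0012.
AFFECTED_TRAINS = {"10.2", "11.0", "11.1", "11.2"}
# Product lines the article names as in scope; Cloud NGFW and Prisma Access are not affected.
AFFECTED_PLATFORMS = {"PA-Series", "VM-Series", "CN-Series", "Panorama", "WildFire"}


@dataclass
class Device:
    """Minimal inventory record (assumed shape; not a PAN-OS API object)."""
    name: str
    platform: str
    panos_version: str        # e.g. "11.1.3" or "10.2.9-h1"
    permitted_ips: list[str]  # management-interface allow list as CIDR strings; empty = unrestricted (assumption)


def release_train(version: str) -> str:
    """Return the major.minor train of a PAN-OS version string such as '11.1.3-h2'."""
    parts = version.split(".")
    if len(parts) < 2:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return f"{parts[0]}.{parts[1]}"


def management_exposed(permitted_ips: list[str], trusted_networks: list[str]) -> bool:
    """True when the allow list admits any address outside the trusted internal ranges.

    An empty allow list is treated as unrestricted, per the inventory assumption above.
    """
    if not permitted_ips:
        return True
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    for entry in permitted_ips:
        net = ipaddress.ip_network(entry, strict=False)
        # subnet_of() only compares networks of the same IP version, so filter first.
        if not any(net.subnet_of(t) for t in trusted if t.version == net.version):
            return True
    return False


def triage(devices: list[Device], trusted_networks: list[str]) -> list[str]:
    """Names of devices on an affected train whose management plane is reachable from untrusted ranges."""
    findings = []
    for d in devices:
        on_affected_train = (
            d.platform in AFFECTED_PLATFORMS
            and release_train(d.panos_version) in AFFECTED_TRAINS
        )
        if on_affected_train and management_exposed(d.permitted_ips, trusted_networks):
            findings.append(d.name)
    return findings


# Constructed sample data: these are not real devices or networks.
TRUSTED_MGMT_NETWORKS = ["10.10.0.0/16", "192.168.50.0/24"]
SAMPLE_INVENTORY = [
    Device("edge-fw-1", "PA-Series", "11.1.3", []),                               # affected train, unrestricted
    Device("dc-fw-2", "PA-Series", "10.2.9-h1", ["10.10.5.0/24"]),                # affected train, internal only
    Device("branch-vm-3", "VM-Series", "11.0.2", ["0.0.0.0/0"]),                  # affected train, open to all
    Device("pano-1", "Panorama", "11.2.0", ["192.168.50.10/32", "203.0.113.7/32"]),  # one non-trusted entry
    Device("legacy-fw-4", "PA-Series", "10.1.11", []),                            # train not named as affected
]

if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY, TRUSTED_MGMT_NETWORKS):
        print(f"REVIEW: {name}")
```

On the constructed inventory this reports edge-fw-1, branch-vm-3 and pano-1; dc-fw-2 is on an affected train but already follows the restrict-to-trusted-IPs guidance, and legacy-fw-4 is not on a train the article names. The allow-list check is the part worth keeping: a single non-internal entry (pano-1's 203.0.113.7/32) is enough to undo the mitigation, which is why the function flags on any entry rather than requiring the whole list to be open.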