Active Exploitation of PAN-OS Firewall Zero-Day Vulnerability


VTA-004500 – Active Exploitation of PAN-OS Firewall Zero-Day Vulnerability

Palo Alto Networks has identified a critical zero-day vulnerability in its PAN-OS firewall management interface, actively exploited in the wild. The flaw, with a CVSS score of 9.3, allows unauthenticated remote command execution and requires no user interaction or privileges.

If the management interface access is restricted to trusted IPs, the severity decreases to 7.5. Indicators of Compromise (IoCs) include IP addresses linked to possible exploitation activity, though these may also involve legitimate VPN traffic. The vulnerability has been used to deploy web shells, enabling persistent remote access.

Patches are not yet available, making immediate hardening of the management interface critical. Prisma Access and Cloud NGFW products are unaffected. This advisory follows reports of separate, actively exploited flaws in Palo Alto’s Expedition tool (CVE-2024-5910, CVE-2024-9463, CVE-2024-9465), which are not linked to this incident.

Severity:
Medium

Attack Surface:
Infrastructure, Web Application

Tactics:
Command and Control, Execution, Persistence, Privilege Escalation

References:
1. https://thehackernews.com/2024/11/pan-os-firewall-vulnerability-under.html

SuperPRO’s Threat Countermeasures Procedures: 
1. Limit access to the firewall’s management interface to a small, trusted pool of IP addresses to reduce the attack surface and increase the difficulty of exploiting the vulnerability.
2. Regularly review logs and network activity for the identified malicious IP addresses.
3. Ensure the management interfaces are isolated from the internet through segmentation and firewall rules, blocking unauthorized external access.
4. Follow Palo Alto Networks’ advisories on hardening the interface and implement recommended configurations until official patches are available.
5. Implement monitoring tools to detect exploitation attempts, such as web shell activity, and create response plans to isolate and remediate compromised systems quickly.
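The following script is an added example of how steps 1, 2, 3 and 5 above can be turned into a repeatable log-triage check; it is not Palo Alto Networks' code and not part of the original advisory. It assumes a combined-format access log for the management interface, a placeholder trusted administrator range (10.10.0.0/24), placeholder IoC addresses from the RFC 5737 documentation ranges (the advisory does not list the real ones; substitute the addresses published by the vendor), and a simple heuristic for web-shell activity (a POST to a script path outside the interface's known paths). The sample log lines are constructed.

```python
"""Triage management-interface access logs against an advisory's countermeasures.

Added example, not vendor code. Log format, trusted range, IoC addresses,
known paths and the web-shell heuristic are all assumptions/placeholders.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed log format (combined-style):
#   <client_ip> - - [<timestamp>] "<method> <path> <proto>" <status> <bytes>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Step 1/3: placeholder trusted administrator pool; replace with your own.
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Step 2: placeholder IoC list (RFC 5737 documentation addresses, constructed).
# Substitute the addresses from the vendor advisory.
IOC_IPS = {"203.0.113.7", "198.51.100.23"}

# Step 5: crude web-shell heuristic. A web shell is a script dropped under the
# web root and then invoked, typically by POST. Extensions and the allowlist of
# legitimate interface paths are assumptions, not PAN-OS specifics.
SHELL_EXT = re.compile(r"\.(php|jsp|aspx?|cgi)$", re.IGNORECASE)
KNOWN_PATHS = ("/login", "/api/", "/static/")


@dataclass
class Finding:
    ip: str
    reason: str
    line: str


def is_trusted(ip: str, trusted=TRUSTED_NETS) -> bool:
    """True if the client address falls inside the trusted admin pool."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # hostnames or garbage are never trusted
    return any(addr in net for net in trusted)


def triage(lines, trusted=TRUSTED_NETS, iocs=IOC_IPS):
    """Return a list of Findings for every line that violates a countermeasure."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            findings.append(Finding("?", "unparsed log line", line))
            continue
        ip, method, path = m["ip"], m["method"], m["path"]
        if ip in iocs:
            findings.append(Finding(ip, "source matches advisory IoC list", line))
        if not is_trusted(ip, trusted):
            findings.append(Finding(ip, "management access from outside trusted pool", line))
        if method == "POST" and SHELL_EXT.search(path) and not path.startswith(KNOWN_PATHS):
            findings.append(Finding(ip, "POST to unexpected script path (possible web shell)", line))
    return findings


def suspect_ips(findings):
    """Sorted, de-duplicated client addresses worth blocking or investigating."""
    return sorted({f.ip for f in findings if f.ip != "?"})


# Constructed sample log: one trusted admin session and one untrusted source
# that appears on the IoC list and then posts to a script outside known paths.
SAMPLE_LOG = [
    '10.10.0.5 - - [15/Nov/2024:09:01:12 +0000] "GET /login HTTP/1.1" 200 1532',
    '203.0.113.7 - - [15/Nov/2024:09:03:44 +0000] "GET /login HTTP/1.1" 200 1532',
    '203.0.113.7 - - [15/Nov/2024:09:04:01 +0000] "POST /uploads/x.php HTTP/1.1" 200 12',
    '10.10.0.5 - - [15/Nov/2024:09:10:00 +0000] "POST /api/config HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ip:15} {f.reason}: {f.line}")
    print("suspect IPs:", suspect_ips(triage(SAMPLE_LOG)))
```

Run against the real interface log once the trusted pool and IoC list are filled in; any finding from outside the trusted pool is a policy violation regardless of whether the address is on the IoC list, which is the point of step 1.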

Contributed by: Haziq