Palo Alto Networks Confirms New Zero-Day Being Exploited by Threat Actors

An unauthenticated remote code execution (RCE) vulnerability in Palo Alto Networks’ internet-exposed firewall management interfaces is being actively exploited, according to the cybersecurity provider.

On November 8, Palo Alto published a security advisory to warn of a zero-day vulnerability affecting some of its PAN-OS firewall management interfaces.

The flaw is an unauthenticated RCE vulnerability affecting next-generation firewall (NGFW) management interfaces that are exposed to the internet.

CVSS Score of 9.3

Although the vulnerability has not yet been allocated a CVE, Palo Alto assessed it as critical, with a CVSS of 9.3.

However, the vulnerability only affects public-facing NGFW management interfaces. The manufacturer believes that neither Prisma Access nor Cloud NGFW is affected.

“If the management interface access is restricted to IPs, the risk of exploitation is greatly limited, as any potential attack would first require privileged access to those IPs. CVSS for this scenario is 7.5 High,” added the company.

While Palo Alto did not initially mention any threat activity related to this new vulnerability, the firm updated its advisory on November 14 to confirm it has now observed in-the-wild exploitation.

Palo Alto Working on a Patch

Palo Alto informed customers that it is actively developing patches and threat prevention signatures, which are expected to be released soon.

“We strongly recommend customers to ensure access to your management interface is configured correctly in accordance with our recommended best practice deployment guidelines,” Palo Alto added in its advisory.

This comes only days after the US Cybersecurity and Infrastructure Security Agency (CISA) added another vulnerability affecting a Palo Alto product – this time Palo Alto Expedition (CVE-2024-5910) – to its Known Exploited Vulnerabilities (KEV) catalog.

Fortinet, another firewall vendor, has also disclosed several actively exploited zero-day vulnerabilities in the past month.
