
Palo Alto Networks PAN-OS management interfaces under attack

Palo Alto Networks confirmed threat actors are exploiting a vulnerability in PAN-OS firewall management interfaces after warning customers to secure their instances for nearly a week.

Palo Alto Networks confirmed Thursday that a critical zero-day vulnerability in its firewall management interfaces is under exploitation in the wild.

The vulnerability, tracked as PAN-SA-2024-0015 by the vendor, is an unauthenticated remote command execution vulnerability in PAN-OS firewall software that Palo Alto Networks assigned a 9.3 CVSS score. Word of a potential flaw came on Nov. 8 when the company published a bulletin (archived via Wayback Machine) warning that "Palo Alto Networks is aware of a claim of a remote code execution vulnerability via the PAN-OS management interface," but the vendor said it did not know any specifics. Palo Alto Networks encouraged customers to secure access to their management interfaces.

On Thursday evening the bulletin was updated to a security advisory disclosing exploitation against a newly discovered vulnerability.

"Palo Alto Networks has observed threat activity exploiting an unauthenticated remote command execution vulnerability against a limited number of firewall management interfaces which are exposed to the Internet. We are actively investigating this activity," the advisory read. "We strongly recommend customers ensure access to your management interface is configured correctly in accordance with our recommended best practice deployment guidelines."

Due to the emerging nature of this latest flaw, it is still under investigation. No CVE has been assigned to the zero-day vulnerability and no patches have been released.

Palo Alto Networks did not publish any IOCs, though it promised it was "preparing to release fixes and threat prevention signatures as early as possible." The company reiterated that the best course of action was to secure access to the management interface and provided instructions for doing so.

"In particular, we recommend that you immediately ensure that access to the management interface is possible only from trusted internal IPs and not from the Internet," the advisory read. "The vast majority of firewalls already follow this Palo Alto Networks and industry best practice."
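One way a defender can audit the advice above against a firewall's exported configuration, as an added example that is not from the article or from Palo Alto Networks. It assumes the management allow list appears in the set-format config as `set deviceconfig system permitted-ip <cidr>` lines, that an empty list means no source restriction, and that RFC 1918 space is the organisation's notion of "trusted internal"; the sample config is constructed.

```python
import ipaddress
import re

# Trusted internal ranges: an assumed, organisation-specific choice (RFC 1918
# here); tailor this to the networks administrators actually manage from.
TRUSTED_INTERNAL = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed line shape for the management allow list in a set-format dump, e.g.
#   set deviceconfig system permitted-ip 10.1.1.0/24
PERMITTED_IP_RE = re.compile(r"^\s*set deviceconfig system permitted-ip (\S+)")


def extract_permitted_ips(config_text):
    """Pull every permitted-ip entry out of a set-format config dump."""
    entries = []
    for line in config_text.splitlines():
        match = PERMITTED_IP_RE.match(line)
        if match:
            entries.append(match.group(1))
    return entries


def audit_permitted_ips(entries):
    """Return a list of findings; an empty list means the allow list is sane."""
    findings = []
    if not entries:
        # Assumption: no permitted-ip entries means any source may reach the UI.
        return ["allow list is empty: management interface reachable from any source"]
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            findings.append(f"{raw}: not a valid address or CIDR")
            continue
        if net.prefixlen == 0:
            findings.append(f"{raw}: wildcard entry permits the whole Internet")
        elif not any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_INTERNAL):
            findings.append(f"{raw}: outside the trusted internal ranges")
    return findings


# Constructed sample: one internal range plus a wildcard left behind by a test.
SAMPLE_CONFIG = """\
set deviceconfig system hostname edge-fw-01
set deviceconfig system permitted-ip 10.20.0.0/24
set deviceconfig system permitted-ip 0.0.0.0/0
"""

if __name__ == "__main__":
    for finding in audit_permitted_ips(extract_permitted_ips(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```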

CISA also published a security alert with similar advice.

TechTarget Editorial contacted Palo Alto Networks for additional comment.

Piotr Kijewski, CEO of security non-profit The Shadowserver Foundation, wrote in a post on Mastodon Friday that the foundation scanned for exposed PAN-OS Management Interfaces and that approximately 11,000 were exposed globally, with about 4,000 in the United States. On Friday, Kijewski wrote that the number had dropped to approximately 8,700 in a subsequent scan.

"Get these Interfaces off public Internet access NOW!" Kijewski wrote in the post.

PAN-SA-2024-0015 is not the first critical PAN-OS flaw to come under attack in 2024. In April, Palo Alto disclosed CVE-2024-3400, a remote code injection flaw affecting the GlobalProtect gateway in PAN-OS. As with this latest bug, the vendor warned of "limited" exploitation at the time.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.
