Palo Alto Zero-Day Vulnerability (CVE-2024-0012)

November 18, 2024

THE THREAT

On November 18th, 2024, Palo Alto disclosed a critical, actively exploited authentication bypass zero-day vulnerability impacting Palo Alto Networks PAN-OS. The vulnerability is tracked as CVE-2024-0012 (CVSS: 9.3); exploitation would allow a remote, unauthenticated threat actor to perform administrative actions, edit configurations, and exploit other authenticated vulnerabilities. To date, real-world exploitation has been limited to cases where the device’s management web interface was exposed to the public Internet.

As exploitation is ongoing, it is critical that organizations apply the relevant security patches and restrict access to Palo Alto management web interfaces.
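The exposure condition above can be triaged across a firewall inventory. The following is an added example, not code from the advisory or from Palo Alto: the inventory format, device names, addresses and the `INTERNAL` ranges are constructed assumptions, and an empty permitted list is assumed to mean that any source may reach the management interface.

```python
import ipaddress

# Assumption: the ranges your organisation treats as trusted management networks.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(net):
    """True if net lies entirely inside one of the INTERNAL ranges."""
    return any(net.version == i.version and net.subnet_of(i) for i in INTERNAL)

def audit_device(dev):
    """Return a list of exposure findings for one inventory record."""
    findings = []
    mgmt = ipaddress.ip_network(dev["mgmt_ip"])  # single address becomes a /32
    if not is_internal(mgmt):
        findings.append("management address is outside internal ranges")
    allowed = [ipaddress.ip_network(s, strict=False) for s in dev["permitted"]]
    if not allowed:
        # Assumption: no permitted list means any source is accepted.
        findings.append("no source restriction on management access")
    wide = [str(n) for n in allowed if not is_internal(n)]
    if wide:
        findings.append("permits non-internal sources: " + ", ".join(wide))
    return findings

def audit(inventory):
    """Map device name -> findings, listing only devices that have findings."""
    report = {}
    for dev in inventory:
        findings = audit_device(dev)
        if findings:
            report[dev["name"]] = findings
    return report

# Constructed sample inventory (hypothetical names, documentation-range addresses).
INVENTORY = [
    {"name": "fw-edge-01", "mgmt_ip": "198.51.100.10", "permitted": []},
    {"name": "fw-edge-02", "mgmt_ip": "10.20.0.5",
     "permitted": ["10.20.0.0/24", "0.0.0.0/0"]},
    {"name": "fw-core-01", "mgmt_ip": "10.20.0.6", "permitted": ["10.20.0.0/24"]},
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

Devices that appear in the report are the ones to prioritise for patching and for narrowing management access.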

What we’re doing about it

What you should do about it

Additional information

According to Palo Alto, exploitation of CVE-2024-0012 has been identified against a “limited number of management web interfaces that are exposed to internet traffic.”

Security researchers from Rapid7 have observed exploitation of the vulnerability in a campaign tracked under the name Operation Lunar Peek. They specifically note that exploitation would allow threat actors to exploit other authenticated privilege escalation vulnerabilities, including CVE-2024-9474. Observed post-exploitation activity includes the deployment of webshells for persistent access.

Fixed PAN-OS Versions:

References:

[1] https://security.paloaltonetworks.com/CVE-2024-0012
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-0012
[3] https://www.rapid7.com/blog/post/2024/11/15/etr-zero-day-exploitation-targeting-palo-alto-networks-firewall-management-interfaces/
[4] https://nvd.nist.gov/vuln/detail/CVE-2024-9474
