PAN-SA-2024-0015
November 18, 2024

Critical Zero-Day Vulnerability in Palo Alto Networks Next-Generation Firewalls

Security Advisory · Vulnerability Notification
Kudelski Security Team
Summary

Palo Alto Networks has identified a critical zero-day vulnerability (PAN-SA-2024-0015) in the PAN-OS software, impacting management interfaces of its Next-Generation Firewalls (NGFW). This vulnerability, rated at a CVSS v4.0 score of 9.3, allows unauthenticated remote command execution and is currently being actively exploited. Threat actors could use it to gain control over the firewall, alter configurations, intercept network traffic, and disable security protections.

Current Situation:

Initially disclosed on November 8, 2024, this flaw had no known exploitation at the time. However, Palo Alto Networks now reports observed threat activity, with a growing number of internet-exposed management interfaces being targeted.

Approximately 11,180 IPs associated with the affected management interfaces are exposed globally, with the highest concentrations in the U.S., India, Mexico, Thailand, and Indonesia.

Affected Systems and/or Applications

The systems affected by the PAN-SA-2024-0015 vulnerability are all Palo Alto Networks Next-Generation Firewalls (NGFW) based on PAN-OS software, specifically the management interfaces of these devices. The vulnerability impacts NGFW devices that have their management interfaces exposed to the internet or configured without proper access restrictions.

Technical Details / Attack Overview

An unknown threat actor was observed promoting this zero-day vulnerability on exploit forums prior to its confirmed exploitation. Initial investigations revealed that attackers have managed to exploit the vulnerability by installing a web shell on compromised devices, allowing for persistent and remote access. This web shell installation enables attackers to maintain a foothold on the compromised firewalls, potentially allowing them to execute arbitrary commands, manipulate network traffic, and evade detection by traditional security measures.

The company has shared three IP addresses associated with malicious activities observed in the exploitation of this vulnerability:

  • 136.144.17[.]*
  • 173.239.218[.]251
  • 216.73.162[.]*
  • Webshell checksum: 3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668

These IP addresses may be associated with VPN services, which could mean they are used for both legitimate and malicious activities. Administrators are advised to monitor these IPs in logs but remain cautious, as blocking them could impact legitimate VPN traffic as well.
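The following is an added example (not part of the Kudelski advisory or of any Palo Alto Networks tooling) showing how a defender can sweep access logs for the indicators listed above. It handles the defanged `[.]` notation and reads the `*` in the last octet as "any host in that /24", and it flags rather than blocks, in line with the VPN caveat. The log format, field layout and sample lines are constructed for illustration; the SHA-256 comparison uses the web shell checksum published in the advisory.

```python
"""Sweep firewall access logs for the PAN-SA-2024-0015 indicators.

Added example, not part of the advisory or of vendor tooling. The log format
and the sample lines below are constructed; only the indicators are from the
advisory.
"""
import hashlib
import ipaddress
import re

# Indicators exactly as published in the advisory (defanged with "[.]").
ADVISORY_IPS = ["136.144.17[.]*", "173.239.218[.]251", "216.73.162[.]*"]
WEBSHELL_SHA256 = "3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668"


def refang_to_network(indicator):
    """Turn a defanged indicator into an ip_network.

    '173.239.218[.]251' -> 173.239.218.251/32
    '136.144.17[.]*'    -> 136.144.17.0/24   (wildcard last octet)
    """
    ip = indicator.replace("[.]", ".")
    if ip.endswith(".*"):
        return ipaddress.ip_network(ip[:-2] + ".0/24")
    return ipaddress.ip_network(ip + "/32")


NETWORKS = [refang_to_network(i) for i in ADVISORY_IPS]

# Constructed sample log: "<timestamp> <src_ip> <method> <path>" (hypothetical format).
SAMPLE_LOG = """\
2024-11-18T09:12:01Z 136.144.17.42 GET /login
2024-11-18T09:12:05Z 10.20.30.40 GET /login
2024-11-18T09:13:44Z 173.239.218.251 POST /login
2024-11-18T09:14:10Z 203.0.113.7 GET /
2024-11-18T09:15:00Z 216.73.162.9 GET /
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def match_indicator(src_ip):
    """Return the advisory indicator covering src_ip, or None."""
    addr = ipaddress.ip_address(src_ip)
    for indicator, net in zip(ADVISORY_IPS, NETWORKS):
        if addr in net:
            return indicator
    return None


def scan_log(text):
    """Return (line_number, src_ip, indicator) for every line that hits an indicator."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = IP_RE.search(line)
        if not m:
            continue
        indicator = match_indicator(m.group(1))
        if indicator:
            hits.append((n, m.group(1), indicator))
    return hits


def file_matches_webshell(data):
    """True if the file content hashes to the advisory's web shell checksum."""
    return hashlib.sha256(data).hexdigest().upper() == WEBSHELL_SHA256


if __name__ == "__main__":
    for n, ip, indicator in scan_log(SAMPLE_LOG):
        # Flag for review only: the advisory notes these ranges may be shared VPN egress.
        print(f"line {n}: {ip} matches indicator {indicator} -- review before blocking")
```

Run `file_matches_webshell()` over files recovered from a suspect device's web root during triage; a hash match is a strong signal, while an IP match alone warrants review because of the possible VPN overlap.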

Threat Landscape and Mitigation Urgency

The Palo Alto Networks incident aligns with broader trends in 2024, where network devices and firewalls are increasingly targeted through zero-day exploits, as noted by intelligence agencies such as the National Cyber Security Centre (NCSC) and other Five Eyes partners. With recent vulnerabilities in network devices from other vendors such as Cisco, Citrix, and Fortinet similarly exploited, this incident underscores the growing focus on network infrastructure by threat actors.

Additionally, attackers have been observed installing persistent malware on network devices from other companies, such as Ivanti and Sophos, that can survive firmware reinstallation—highlighting a shift toward more durable, persistent threats. This pattern reflects NCSC’s warning that defenders must prioritize proactive vulnerability management and ensure only authenticated access to critical management interfaces.

Workarounds and Mitigations

Palo Alto Networks has not yet released patches or security updates. However, administrators should take urgent steps to secure their systems:

1. Restrict Access to Trusted Internal IPs:

  • Configure access to the management interface so that it is only accessible from a list of trusted internal IP addresses.
  • This reduces the risk of unauthorized access by limiting the interface’s exposure to external networks.

2. Block All Internet Access to the Management Interface:

  • Ensure that the management interface is not accessible from the internet. Blocking external access prevents remote exploitation.

3. Place Management Interfaces Behind a Secured Network or VPN:

  • Position the management interface behind a secure internal network or a VPN, enforcing controlled and authenticated access to the interface.
  • This can further isolate the interface from potential attackers.

4. Review and Implement Palo Alto’s Security Guidelines:

  • Palo Alto Networks provides a set of recommended security practices for managing interfaces. Administrators should ensure these guidelines are reviewed and fully implemented.
  • Details are available on Palo Alto’s Customer Support Portal under the Assets section, where admins can identify devices exposed to the internet.

5. Below you can find tips and tricks to secure management (MGT) access to your PA network devices:
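As an added example (not the advisory's content and not Palo Alto Networks code), the script below audits a PAN-OS configuration export for steps 1 and 2 above: it reads the management-interface permitted-IP list and reports when it is missing, permits the whole internet, or contains public ranges. The XML path `deviceconfig/system/permitted-ip/entry[@name]` follows the PAN-OS configuration layout as the author of this example understands it and should be verified against your own running-config export; both sample configurations are constructed.

```python
"""Audit a PAN-OS config export for management-interface exposure.

Added example, not vendor code. The XML path used for the permitted-ip list
is an assumption about the PAN-OS config layout; verify against a real export.
Both sample configs are constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed: the weak setting, management access permitted from anywhere.
EXPOSED_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <deviceconfig><system>
      <permitted-ip><entry name="0.0.0.0/0"/></permitted-ip>
    </system></deviceconfig>
  </entry></devices>
</config>"""

# Constructed: the corrected setting, an internal management subnet plus one jump host.
RESTRICTED_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <deviceconfig><system>
      <permitted-ip>
        <entry name="10.10.0.0/24"/>
        <entry name="192.168.250.5"/>
      </permitted-ip>
    </system></deviceconfig>
  </entry></devices>
</config>"""


def permitted_networks(config_xml):
    """Return the permitted-ip entries as ip_network objects.

    An empty list means no restriction is configured. A bare address such as
    '192.168.250.5' is treated as a /32.
    """
    root = ET.fromstring(config_xml)
    entries = root.findall(".//deviceconfig/system/permitted-ip/entry")
    return [ipaddress.ip_network(e.get("name"), strict=False) for e in entries]


def audit_management_access(config_xml):
    """Return a list of findings; empty means the permitted-ip list exists and
    holds only private (RFC 1918 / ULA) ranges."""
    nets = permitted_networks(config_xml)
    findings = []
    if not nets:
        findings.append("no permitted-ip list: management interface accepts any source")
    for net in nets:
        # Check the /0 case explicitly: is_private on 0.0.0.0/0 is not reliable
        # across Python versions because 0.0.0.0/8 and 255.255.255.255 are both "private".
        if net.prefixlen == 0:
            findings.append(f"{net}: permits the entire internet")
        elif not net.is_private:
            findings.append(f"{net}: public range permitted; restrict to internal addresses")
    return findings


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("restricted", RESTRICTED_CONFIG)):
        result = audit_management_access(cfg) or ["OK: management access limited to internal ranges"]
        print(label, "->", "; ".join(result))
```

A permitted-IP list is only one layer: the advisory's steps 2 and 3 (no internet reachability at all, and placement behind an internal network or VPN) still apply even when this audit returns no findings, since the list restricts who may connect but does not remove the interface from the internet-facing path.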

What the Cyber Fusion Center is Doing

The CFC will continue to monitor the situation and send an advisory update if needed.
