
Palo Alto Networks has confirmed that threat actors are actively exploiting a critical vulnerability that affects firewalls with management interfaces exposed to the internet.
The zero-day, with an assigned critical severity score of 9.3 out of 10, allows unauthenticated attackers to execute commands remotely. Palo Alto Networks urges users to restrict the firewalls’ management interfaces to internal networks only, as the patch is not yet available.
Palo Alto Networks (PAN) is a major cybersecurity company providing advanced firewalls for enterprise networks.
“We strongly recommend customers ensure access to your management interface is configured correctly in accordance with our recommended best practice deployment guidelines. In particular, we recommend that you immediately ensure that access to the management interface is possible only from trusted internal IPs and not from the Internet. The vast majority of firewalls already follow this Palo Alto Networks and industry best practice,” the company’s alert reads.
Once access is restricted to trusted IP addresses, the severity of the vulnerability decreases to 7.5, which is still high. However, any potential attacker would first need to gain privileged access to one of those trusted IP addresses before exploiting the flaw.
“At this time, we believe devices whose access to the Management Interface is not secured as per our recommended best practice deployment guidelines are at increased risk.”
PAN tracks exposed firewalls through its support portal, and customers can check which devices require remediation. They are flagged with the tag PAN-SA-2024-0015.
The company said it has observed threat actors exploiting the flaw against “a limited number of firewall management interfaces which are exposed to the internet.” The malicious activity originates from a set of specific IP addresses, which may belong to legitimate third-party VPN services; malicious code was also observed on the affected devices.
Recently, PAN disclosed other vulnerabilities affecting its software.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities affecting Palo Alto Networks Expedition, a migration tool for firewall configurations, to its Known Exploited Vulnerabilities catalog.
An OS command injection vulnerability allows unauthenticated attackers to run arbitrary OS commands as root and exfiltrate usernames, cleartext passwords, device configurations, and API keys of PAN-OS firewalls. An SQL injection vulnerability allows unauthenticated attackers to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys.