New Palo Alto Networks Firewall Vulnerabilities Disclosed
Here we go again... ⤵️
Two new vulnerabilities in Palo Alto Networks (PANW) firewall devices, CVE-2024-0012 (an authentication bypass in the PAN-OS management web interface) and CVE-2024-9474 (a privilege escalation that the bypass can be chained into), were recently disclosed, revealing a coordinated global exploitation effort by a threat actor. PANW is tracking this activity under the name Operation Lunar Peek (details here).
Increasingly Sophisticated Attacks on Firewalls
This threat highlights an ongoing trend we've been emphasizing throughout the year: firewall vendors are facing increasingly sophisticated attackers targeting zero-day vulnerabilities in NGFW and VPN devices (see here and here).
A recent report from Sophos (read here) is an exception—most firewall vendors remain largely silent about this issue. The vendors' ability to respond and mitigate is limited in a landscape where appliances are often unpatched, misconfigured, or lack sufficient telemetry, and are deployed on customer premises rather than in infrastructure the vendor can observe or update directly.
Management Interfaces: A Critical Weak Spot
In this case, the vulnerabilities do not affect VPN remote access—which is inherently designed to be accessible via the internet—but instead target the firewalls' management interfaces, which should never be reachable from untrusted networks at all. Alarmingly, despite Palo Alto Networks’ best practice recommendations (restrict management access to trusted internal addresses, ideally through a dedicated jump host), these interfaces are frequently exposed online:
8,700 exposed PAN-OS management interfaces, according to the threat monitoring platform Shadowserver.
15,429 public-facing servers globally running Palo Alto Networks’ management interface, per Shodan.
“Only” 66 devices currently in the Adriatic region.
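The counts above come from scanning the internet from the outside. The same question can be asked from the inside by reading the firewall's own configuration: is the MGT port restricted with a permitted-ip list, and do any data-plane interfaces carry a management profile that exposes HTTPS/SSH without one? The script below is an added example written for this post, not code from Palo Alto Networks or from the Shadowserver/Shodan projects. It assumes the XML layout of a PAN-OS running-config export (the `deviceconfig/system/permitted-ip` list and `interface-management-profile` entries); the sample configuration is constructed, and the XPaths should be checked against your own PAN-OS version before the script is relied on.

```python
"""Audit a PAN-OS configuration export for exposed management access.

Added example, not vendor code. Assumes the running-config.xml layout
described in the lead-in; the sample config below is constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: MGT port with no permitted-ip restriction, and a
# data-plane interface whose management profile allows HTTPS/SSH from anywhere.
SAMPLE_CONFIG = """<config version="10.2.0">
  <devices><entry name="localhost.localdomain">
    <deviceconfig><system><permitted-ip/></system></deviceconfig>
    <network>
      <profiles><interface-management-profile>
        <entry name="allow-mgmt-any"><https>yes</https><ssh>yes</ssh><ping>yes</ping></entry>
        <entry name="https-restricted"><https>yes</https>
          <permitted-ip><entry name="10.10.0.0/24"/></permitted-ip></entry>
      </interface-management-profile></profiles>
      <interface><ethernet>
        <entry name="ethernet1/1"><layer3>
          <interface-management-profile>allow-mgmt-any</interface-management-profile></layer3></entry>
        <entry name="ethernet1/2"><layer3>
          <interface-management-profile>https-restricted</interface-management-profile></layer3></entry>
      </ethernet></interface>
    </network>
  </entry></devices>
</config>"""

# Same box after applying the vendor's guidance: MGT limited to a jump-host
# subnet, and ethernet1/1 switched to the profile that carries a permitted-ip list.
HARDENED_CONFIG = (SAMPLE_CONFIG
    .replace("<permitted-ip/>", '<permitted-ip><entry name="10.0.0.0/24"/></permitted-ip>')
    .replace(">allow-mgmt-any<", ">https-restricted<"))

# Services that put the management plane on the wire if the profile enables them.
MGMT_SERVICES = ("https", "ssh", "http", "telnet")


def _permitted_ips(node):
    """CIDR strings under <permitted-ip>; empty list means 'any source'."""
    if node is None:
        return []
    return [e.get("name") for e in node.findall("permitted-ip/entry")]


def audit(config_xml: str, trusted: str = "10.0.0.0/8") -> list:
    """Return human-readable findings; an empty list means no exposure was seen.

    `trusted` is the address range that management traffic is expected to come
    from (an assumption for the example; use your own jump-host/admin range).
    """
    trusted_net = ipaddress.ip_network(trusted)
    dev = ET.fromstring(config_xml).find("devices/entry")
    findings = []

    def check_ips(label, cidrs):
        if not cidrs:
            findings.append(f"{label}: no permitted-ip, reachable from any source address")
            return
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version != trusted_net.version or not net.subnet_of(trusted_net):
                findings.append(f"{label}: permitted-ip {cidr} is outside trusted range {trusted}")

    # 1. The dedicated MGT port is governed by deviceconfig/system/permitted-ip.
    check_ips("MGT port", _permitted_ips(dev.find("deviceconfig/system")))

    # 2. Data-plane interfaces expose management only via an attached profile.
    profiles = {}
    for p in dev.findall("network/profiles/interface-management-profile/entry"):
        services = [s for s in MGMT_SERVICES if (p.findtext(s) or "").strip() == "yes"]
        profiles[p.get("name")] = (services, _permitted_ips(p))

    iface_root = dev.find("network/interface")
    for iface in (iface_root.iter("entry") if iface_root is not None else []):
        prof_name = iface.findtext("layer3/interface-management-profile")
        if not prof_name or prof_name not in profiles:
            continue
        services, cidrs = profiles[prof_name]
        if not services:
            continue  # ping-only style profile: nothing on the management plane
        check_ips(f"{iface.get('name')} (profile {prof_name}, {'/'.join(services)})", cidrs)
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print("FINDING:", line)
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

Run against the constructed sample it reports the unrestricted MGT port and ethernet1/1; the hardened variant produces no findings. A permitted-ip list is a mitigation for exposure, not a substitute for patching: it reduces who can reach the vulnerable interface, which is exactly the gap the exposure counts above describe.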