Palo Alto Networks Patches Critical Zero-Day Firewall Bug

The security vendor's Expedition firewall appliance's PAN-OS interface tool has racked up four critical security vulnerabilities under active attack in November, leading it to advise customers to update immediately and take them off the Internet.

Laptop with Palo Alto networks logo
Source: tofino via Alamy Stock Photo

Editor's note: This article was updated on 11-19-24 for clarity.

Palo Alto Networks (PAN) put out an advisory on Friday, Nov. 15, warning its customers that a critical, unauthenticated remote code execution (RCE) bug is under exploit by cybercriminals in its Expedition firewall interface — making this the tool's fourth vulnerability under active attack identified in just the past week.

PAN's Expedition firewall management is a utility the vendor uses to transition its new customers from their previous system to PAN-OS. For the latest bug, it issued a critical security bulletin warning about fresh threat activity targeting an unauthenticated remote command injection vulnerability (CVE-2024-0012, CVSS 9.3). (Editor's note: This bug was added to the CISA KEV list on 11-18). The company didn't specify exactly when it became aware of the zero-day, but it issued patches today for the bug, which arises from a missing authentication check.

"Palo Alto Networks has observed threat activity exploiting an unauthenticated remote command execution vulnerability against a limited number of firewall management interfaces which are exposed to the Internet," Palo Alto Network's security bulletin said.

The day prior to the PAN bulletin, on Nov. 14, CISA added two separate, critical Expedition flaws disclosed on Nov. 8 to its Known Exploited Vulnerabilities Catalog: an OS command injection vulnerability (CVE-2024-9463) with a CVSS score of 9.9; and an SQL injection vulnerability (CVE-2024-9465) with a CVSS score of 9.2. And just a week before, another PAN Expedition vulnerability, a missing authentication bug disclosed July 10, made the KEV list (CVE-2024-5910).

Related:Venom Spider Spins Web of New Malware for MaaS Platform

How to Secure an Exposed Expedition Firewall Management System

Customers should patch their systems as soon as possible; the vendor urges Expedition users to ensure their systems are not reachable from the public Internet.

And although most of these affected firewalls already follow that best practice, PAN recommends that customers, "immediately ensure that access to the management interface is possible only from a trusted internal IPs and not from the Internet."

According to the ShadowServer Foundation's IoT device tracking statistics, on Nov. 14 there were more than 8,700 instances of PAN-OS Management systems connected to the Internet and vulnerable to these exploits. That number is down from around 11,000 observed prior to PAN's Nov. 8 bulletin.

"The security of our customers is our highest priority, and we have been in daily contact with customers who we have identified as at heightened risk," a statement from PAN provided to Dark Reading read. "We recently became aware of malicious activity targeting a small number of firewalls that we believe had a management interface exposed to the Internet. This vulnerability could potentially result in unauthorized access to these specific firewalls. We are actively monitoring the situation and are committed to providing our customers with the support they need to stay secure."

Related:Ransomware's Grip on Healthcare

The company added that Prisma Access and Cloud NGFW are not believed to be affected.

Experts urge cybersecurity teams not to underestimate the risk of leaving these vulnerabilities exposed.

“OS commanding and SQL injection are among the most critical vulnerabilities in software," says Ray Kelly, a cybersecurity expert with Black Duck. "When both vectors exist in a single product, it essentially exposes the application completely. These vulnerabilities have been known for decades and can be easily detected using most modern Web application scanning tools.”

Last summer, PAN announced Expedition is being phased out and will no longer be supported as of January 2025.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights