Palo Alto Networks warns of critical RCE zero-day exploited in attacks
- by nlqip
Palo Alto Networks is warning that a critical zero-day vulnerability on Next-Generation Firewalls (NGFW) management interfaces, currently tracked as ‘PAN-SA-2024-0015,’ is actively being exploited in attacks.
The flaw was originally disclosed on November 8, 2024, with Palo Alto Networks warning customers to restrict access to their next-generation firewalls because of a “potential” remote code execution (RCE) vulnerability impacting them.
No signs of exploitation were detected at that time, but now, one week later, the situation has changed.
“Palo Alto Networks has observed threat activity exploiting an unauthenticated remote command execution vulnerability against a limited number of firewall management interfaces which are exposed to the Internet,” warns an update on the advisory page.
“At this time, we believe devices whose access to the Management Interface is not secured as per our recommended best practice deployment guidelines are at increased risk,” warns the vendor in the same bulletin.
The vulnerability, rated with a CVSS v4.0 score of 9.3 (“critical”), is remotely exploitable and requires no authentication or user interaction.
Once an internet-exposed interface is detected, the attacker can send a specially crafted request to gain unauthorized control over the firewall, potentially enabling them to alter rules, redirect or intercept network traffic, and turn off security protections.
Unfortunately, the vendor does not have sufficient information to formulate a useful list of indicators of compromise at this time, but suggested the following mitigation steps:
- Configure access to the firewall management interface so it is only accessible from trusted internal IP addresses.
- Block all internet access to the management interface to prevent exploitation.
- Place the management interface behind a secured network or VPN to ensure access is controlled and authenticated.
- Review and implement the security guidelines found here.
Despite the dangerous RCE bug being discovered a week ago, Palo Alto Networks has not yet made security updates available to impacted clients.
“At this time, securing access to the management interface is the best recommended action,” says Palo Alto Networks.
“As we investigate the threat activity, we are preparing to release fixes and threat prevention signatures as early as possible.”
Threat monitoring platform The Shadowserver Foundation reported earlier today that it sees approximately 8,700 exposed interfaces.
To ensure that you have applied the mitigations properly, visit the Assets section of the Palo Alto Networks Customer Support Portal to find a list of devices with Internet-facing management interfaces, and look for devices tagged with ‘PAN-SA-2025-0015.’
If none showed up, the scan did not detect any internet-exposed management interfaces. If they do, admins should use the steps mentioned to secure devices.
Source link
lol
Palo Alto Networks is warning that a critical zero-day vulnerability on Next-Generation Firewalls (NGFW) management interfaces, currently tracked as ‘PAN-SA-2024-0015,’ is actively being exploited in attacks. The flaw was originally disclosed on November 8, 2024, with Palo Alto Networks warning customers to restrict access to their next-generation firewalls because of a “potential” remote code execution (RCE)…
Recent Posts
- Arm To Seek Retrial In Qualcomm Case After Mixed Verdict
- Jury Sides With Qualcomm Over Arm In Case Related To Snapdragon X PC Chips
- Equinix Makes Dell AI Factory With Nvidia Available Through Partners
- AMD’s EPYC CPU Boss Seeks To Push Into SMB, Midmarket With Partners
- Fortinet Releases Security Updates for FortiManager | CISA