Palo Alto Networks (PAN) has issued a critical security advisory, confirming that threat actors are actively exploiting a zero-day vulnerability affecting its firewalls. The flaw, which has received a critical severity score of 9.3 out of 10, allows unauthenticated attackers to remotely execute commands on firewalls whose management interfaces are exposed to the internet.
The company has urged customers to immediately implement a workaround to mitigate the risk, as a patch for the vulnerability is not yet available. Specifically, PAN recommends that users restrict access to the management interface of their firewalls to trusted internal IP addresses, as outlined in their best practice deployment guidelines.
According to Palo Alto Networks, the vulnerability is particularly dangerous for devices whose management interfaces are accessible over the internet. The company noted that once access is restricted to internal networks, the severity of the vulnerability drops to 7.5, still a high level of risk but much less exploitable. To further reduce the risk, customers should ensure that only trusted internal IPs can access the management interface, preventing unauthorized external access.
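The mitigation described above can be checked across a fleet before a patch lands. The following is an added example, not code from Palo Alto Networks or from the advisory: it audits a constructed inventory (hypothetical device names and addresses) and flags any firewall whose management interface is reachable from outside RFC 1918 space, either because no permitted-IP allow-list is configured or because the allow-list admits non-internal networks. The `permitted` field is an assumed representation of the allow-list, not a PAN-OS configuration key.

```python
import ipaddress

# RFC 1918 ranges used as the definition of "trusted internal" for this check.
# Note: Python's is_private/is_global also treat documentation ranges such as
# 203.0.113.0/24 as private, so an explicit list is used instead.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inventory (not real devices). "permitted" is the assumed
# list of source networks allowed to reach the management interface.
INVENTORY = [
    {"name": "fw-edge-01", "mgmt_ip": "203.0.113.10", "permitted": []},
    {"name": "fw-edge-02", "mgmt_ip": "203.0.113.11", "permitted": ["0.0.0.0/0"]},
    {"name": "fw-core-01", "mgmt_ip": "10.20.0.5", "permitted": ["10.0.0.0/8"]},
    {"name": "fw-dmz-01", "mgmt_ip": "198.51.100.7", "permitted": ["10.0.0.0/8", "192.168.1.0/24"]},
]


def is_internal_address(ip):
    """True if the address lies inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918 if addr.version == net.version)


def is_internal_network(cidr):
    """True if the whole network is contained in a single RFC 1918 range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(priv) for priv in RFC1918 if net.version == priv.version)


def audit_device(dev):
    """Classify one firewall's management-interface exposure.

    EXPOSED    - non-internal management IP and no effective allow-list
    RESTRICTED - non-internal management IP, but only internal sources permitted
    INTERNAL   - management IP itself is internal
    """
    reasons = []
    reachable_from_internet = not is_internal_address(dev["mgmt_ip"])
    permitted = dev["permitted"]

    if not permitted:
        reasons.append("no permitted-IP allow-list configured")
    else:
        wide = [c for c in permitted if not is_internal_network(c)]
        if wide:
            reasons.append("allow-list admits non-internal sources: " + ", ".join(wide))

    if not reachable_from_internet:
        status = "INTERNAL"
    elif reasons:
        status = "EXPOSED"
    else:
        status = "RESTRICTED"

    return {"name": dev["name"], "status": status, "reasons": reasons}


def audit(inventory):
    """Audit every device in the inventory."""
    return [audit_device(d) for d in inventory]


def exposed_devices(inventory):
    """Names of devices that still match the unmitigated (exposed) condition."""
    return [r["name"] for r in audit(inventory) if r["status"] == "EXPOSED"]


if __name__ == "__main__":
    for result in audit(INVENTORY):
        detail = "; ".join(result["reasons"]) or "ok"
        print(f"{result['name']:<12} {result['status']:<10} {detail}")
```

Devices reported as EXPOSED are the ones the advisory's workaround targets; RESTRICTED matches the state the company describes as lowering the severity, and INTERNAL devices still benefit from an allow-list but are not reachable from the internet in the first place.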
PAN has observed targeted attacks against exposed firewalls, with malicious activity originating from specific IP addresses that could potentially be linked to third-party VPN services. These attacks have already resulted in the deployment of malicious code on affected devices. The company tracks the issue under the advisory identifier PAN-SA-2024-0015, so customers can identify affected devices and take appropriate action.
This vulnerability is not an isolated issue. Recently, Palo Alto Networks also disclosed vulnerabilities in its Expedition tool, which is used for firewall configuration migrations. These include an OS command injection flaw that could allow attackers to execute arbitrary commands as root and exfiltrate sensitive data, as well as an SQL injection vulnerability that could expose database contents such as passwords and API keys.
Palo Alto Networks is closely monitoring the situation, and users are urged to take immediate steps to secure their devices.