PAN-OS Firewall Vulnerability Under Active Exploitation – IoCs Released

Nov 16, 2024 | Ravie Lakshmanan | Vulnerability / Network Security

Palo Alto Networks has published new indicators of compromise (IoCs) following the confirmation of a zero-day vulnerability in its PAN-OS firewall management interface being actively exploited.

The company stated that it detected malicious activity from specific IP addresses targeting PAN-OS management web interface IP addresses accessible over the internet:

  • 136.144.17[.]*
  • 173.239.218[.]251
  • 216.73.162[.]*

The company cautioned that these IP addresses might belong to third-party VPNs that also carry legitimate user traffic from these IPs to other destinations.
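As an added example (not code from the advisory or from Palo Alto Networks), the Python below turns the published IoC entries into networks and matches them against constructed sample log lines; it assumes a trailing `*` octet denotes the whole /24 block and uses a simplified, invented log format, and it flags hits for review rather than treating them as confirmed compromise, given the third-party VPN caveat.

```python
import ipaddress
import re

# IoC entries as published in the advisory (defanged with "[.]" as on the page).
PUBLISHED_IOCS = ["136.144.17[.]*", "173.239.218[.]251", "216.73.162[.]*"]


def refang_to_network(ioc):
    """Convert a defanged IoC into an ip_network.

    Assumption: a trailing wildcard octet ("*") means the full /24 block;
    a complete address becomes a /32.
    """
    addr = ioc.replace("[.]", ".")
    if addr.endswith(".*"):
        return ipaddress.ip_network(addr[:-2] + ".0/24")
    return ipaddress.ip_network(addr + "/32")


IOC_NETWORKS = [refang_to_network(i) for i in PUBLISHED_IOCS]

# Constructed sample log lines (not from the advisory), simplified format:
# "<timestamp> src=<ip> dst=<ip> dport=<port> uri=<path>"
SAMPLE_LOGS = [
    "2024-11-15T10:01:02Z src=136.144.17.45 dst=203.0.113.10 dport=443 uri=/php/login.php",
    "2024-11-15T10:01:03Z src=198.51.100.7 dst=203.0.113.10 dport=443 uri=/php/login.php",
    "2024-11-15T10:02:10Z src=173.239.218.251 dst=203.0.113.10 dport=443 uri=/",
    "2024-11-15T10:03:00Z src=216.73.162.9 dst=203.0.113.11 dport=22 uri=-",
]

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def match_ioc(src_ip):
    """Return the IoC network containing src_ip, or None if no IoC matches."""
    ip = ipaddress.ip_address(src_ip)
    for net in IOC_NETWORKS:
        if ip in net:
            return net
    return None


def scan_logs(lines):
    """Return (source_ip, matched_network, status) for each line whose source
    hits a published IoC. Status is always "review": the advisory notes these
    IPs may belong to VPNs with legitimate users, so a hit is a triage lead,
    not proof of compromise."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        net = match_ioc(m["src"])
        if net is not None:
            hits.append((m["src"], str(net), "review"))
    return hits
```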

A recent update from Palo Alto Networks reveals that the vulnerability is exploited to install a web shell on compromised devices, enabling threat actors to gain persistent remote access.

The flaw, still without a CVE identifier, carries a critical severity CVSS score of 9.3, allowing for unauthenticated remote command execution.

The company noted that the vulnerability can be exploited without user interaction or privileges, with a "low" attack complexity.

However, if access to the management interface is restricted to a limited pool of IP addresses, the flaw’s severity decreases to high (CVSS score: 7.5), as threat actors will need privileged access to those IPs first.

On November 8, 2024, Palo Alto Networks started advising customers to secure their firewall management interfaces due to reports of a remote code execution (RCE) flaw. It has been confirmed that the undisclosed vulnerability has been exploited against a limited number of instances.

Details regarding the origin of the vulnerability, the threat actors involved, and the targets of these attacks are currently unavailable. Prisma Access and Cloud NGFW products remain unaffected by the vulnerability.

There are no patches available for the vulnerability yet, underscoring the need for users to promptly secure access to the management interface if not already done.

This advisory coincides with active exploitation of three critical flaws in Palo Alto Networks Expedition (CVE-2024-5910, CVE-2024-9463, and CVE-2024-9465) as reported by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). There is no evidence suggesting a connection between these activities at this time.

(This is a developing story. Please check back for more updates.)
