Palo Alto Networks observed malicious activity from the following IP addresses targeting PAN-OS management web interfaces exposed to the internet:
• 136.144.17[.]*
• 173.239.218[.]251
• 216.73.162[.]*
The company cautions that these IPs may belong to third-party VPN services, so legitimate user traffic from the same addresses to other destinations is possible.
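As an added illustration (not code from the article or from Palo Alto Networks), the following script refangs the three indicators listed above, treats a trailing `*` as "any final octet" (an assumption: the whole /24), and flags management-interface access-log lines whose source falls inside one of them. The log line format and the sample entries are constructed for the example.

```python
import ipaddress
import re

# Indicators exactly as published in the advisory, in defanged form.
ADVISORY_INDICATORS = ["136.144.17[.]*", "173.239.218[.]251", "216.73.162[.]*"]


def to_network(indicator: str) -> ipaddress.IPv4Network:
    """Refang an indicator and map it to a network.

    Assumption: a trailing '*' octet in the advisory means any final
    octet, i.e. the whole /24; a full address is treated as a /32.
    """
    plain = indicator.replace("[.]", ".")
    if plain.endswith(".*"):
        return ipaddress.ip_network(plain[:-1] + "0/24")
    return ipaddress.ip_network(plain + "/32")


NETWORKS = [(ind, to_network(ind)) for ind in ADVISORY_INDICATORS]

# Constructed sample access-log lines (not real traffic). The field layout
# "src=<ip> dst=<ip> uri=<path> status=<code>" is hypothetical.
SAMPLE_LOG = """\
2024-11-14T10:01:02Z src=136.144.17.42 dst=203.0.113.10 uri=/php/login.php status=200
2024-11-14T10:01:05Z src=198.51.100.7 dst=203.0.113.10 uri=/php/login.php status=200
2024-11-14T10:02:11Z src=173.239.218.251 dst=203.0.113.10 uri=/ status=302
2024-11-14T10:03:30Z src=173.239.218.250 dst=203.0.113.10 uri=/ status=302
2024-11-14T10:04:00Z src=216.73.162.9 dst=203.0.113.10 uri=/ status=403
"""

SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def matching_indicator(ip: str):
    """Return the advisory indicator covering `ip`, or None if unlisted."""
    addr = ipaddress.ip_address(ip)
    return next((ind for ind, net in NETWORKS if addr in net), None)


def flag_log_lines(log_text: str) -> list:
    """Return (source_ip, indicator) for every line whose source is listed."""
    hits = []
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if m and (ind := matching_indicator(m.group(1))):
            hits.append((m.group(1), ind))
    return hits
```

Because the vendor notes these addresses may be shared VPN exits, hits are a trigger for review of the session, not proof of compromise on their own.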
Exploitation Details: The vulnerability allows unauthenticated remote command execution and is being used to deploy a web shell on compromised devices, enabling persistent remote access by threat actors. The flaw, yet to be assigned a CVE identifier, has a CVSS score of 9.3, indicating critical severity.
Mitigation and Recommendations: The vulnerability requires no user interaction or privileges to exploit, and its attack complexity is considered low. However, the severity drops to high (CVSS score: 7.5) if access to the management interface is restricted to a limited pool of IP addresses.
Palo Alto Networks began advising customers on November 8, 2024, to secure their firewall management interfaces amid reports of a remote code execution (RCE) flaw. The vulnerability has been exploited in a “limited number” of instances.
Current Status and Future Actions: There are no details on how the vulnerability was discovered, the threat actors behind the exploitation, or the targets of these attacks. Prisma Access and Cloud NGFW products are not impacted.
Patches for the vulnerability have not yet been released, so users who have not already restricted access to the management interface should do so immediately.
Additional Exploits: The advisory follows reports of active exploitation of three other critical flaws in Palo Alto Networks Expedition (CVE-2024-5910, CVE-2024-9463, and CVE-2024-9465) per the U.S. Cybersecurity and Infrastructure Security Agency (CISA). There is currently no evidence linking the two sets of activity.