Palo Alto Networks and Unit 42 are engaged in tracking a limited set of exploitation activity related to CVE-2024-0012 and are working with external researchers, partners, and customers to share information transparently and rapidly.
Fixes for CVE-2024-0012 are available. Please refer to the Palo Alto Networks Security Advisory for additional details.
An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474.
Risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines.
Palo Alto Networks has actively monitored and worked with customers to identify and further minimize the very small number of PAN-OS devices with management web interfaces exposed to the Internet or other untrusted networks.
CVE-2024-0012 is applicable only to PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software. Cloud NGFW and Prisma Access are not impacted by this vulnerability.
Palo Alto Networks has identified threat activity potentially exploiting this vulnerability against a limited number of management web interfaces. The Current Scope of the Attack section includes more information about the observed activity. Relevant indicators and surrounding context are available in the Indicators of Compromise section.
We are tracking the initial exploitation of this vulnerability under the name Operation Lunar Peek.
If you have not already done so, Palo Alto Networks also strongly recommends securing access to your management interface according to our recommended best practice deployment guidelines. Specifically, restrict access to the management interface to only trusted internal IP addresses so that it cannot be reached from the Internet. The vast majority of firewalls already follow Palo Alto Networks and industry best practices.
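The following is an added example, not code from the threat brief or from Palo Alto Networks, showing how a defender can audit the best-practice posture described above: it walks a set of management-interface connection records and flags every source that is outside a trusted internal allowlist, distinguishing sources that are not RFC 1918 space at all (the interface is reachable from outside) from internal addresses that are merely missing from the allowlist. The allowlist, the record layout and all addresses are constructed for the example and are not PAN-OS log format or indicators from this brief.

```python
import ipaddress
from collections import Counter

# Networks permitted to reach the management web interface. This allowlist is an
# assumption for the example; substitute the trusted ranges of your own deployment.
TRUSTED_MGMT_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# RFC 1918 private space, used to tell "internal but not allowlisted" from "external".
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample records (not real PAN-OS output). Each line is:
# <timestamp> <source IP> <management IP> <destination port>
SAMPLE_RECORDS = """\
2024-11-18T10:01:02Z 10.20.30.40 10.20.30.1 443
2024-11-18T10:01:09Z 192.168.50.12 10.20.30.1 443
2024-11-18T10:02:31Z 172.16.9.9 10.20.30.1 443
2024-11-18T10:02:31Z 203.0.113.77 198.51.100.5 443
2024-11-18T10:03:45Z 203.0.113.77 198.51.100.5 443
2024-11-18T10:04:10Z 198.51.100.200 198.51.100.5 22
"""


def classify_source(src, trusted=TRUSTED_MGMT_SOURCES):
    """Return 'trusted', 'untrusted-internal' or 'external' for one source IP."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in trusted):
        return "trusted"
    return "untrusted-internal" if any(ip in net for net in RFC1918) else "external"


def find_untrusted_mgmt_access(records, trusted=TRUSTED_MGMT_SOURCES):
    """Return (timestamp, src, port, verdict) for every connection whose source
    is not on the allowlist; an empty result means the posture matches the guidance."""
    findings = []
    for line in records.splitlines():
        if not line.strip():
            continue
        ts, src, _mgmt_ip, port = line.split()
        verdict = classify_source(src, trusted)
        if verdict != "trusted":
            findings.append((ts, src, int(port), verdict))
    return findings


def exposure_summary(records, trusted=TRUSTED_MGMT_SOURCES):
    """Count non-allowlisted sources by verdict; any 'external' hit means the
    management interface is reachable from outside the trusted networks."""
    return Counter(f[3] for f in find_untrusted_mgmt_access(records, trusted))


if __name__ == "__main__":
    for finding in find_untrusted_mgmt_access(SAMPLE_RECORDS):
        print(finding)
    print(dict(exposure_summary(SAMPLE_RECORDS)))
```

Point the same functions at exported connection records from your own environment to confirm that only the intended internal ranges ever reach the management interface.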
Please refer to the Palo Alto Networks Security Advisory for up-to-date information about affected products and versions, as well as more guidance about remediating CVE-2024-0012.
For assistance related to a potential compromise, please reach out to Palo Alto Networks support. Unit 42 retainer customers can reach out to Unit 42 directly.
Vulnerabilities Discussed: CVE-2024-0012, CVE-2024-9474
Palo Alto Networks has identified threat activity targeting a limited number of device management web interfaces. This activity has primarily originated from IP addresses known to proxy/tunnel traffic for anonymous VPN services.
Palo Alto Networks is still actively investigating and remediating this activity. Observed post-exploitation activity includes interactive command execution and dropping malware, such as webshells, on the firewall.
A list of IPs and surrounding context is available in the Indicators of Compromise section.
Palo Alto Networks recommends that customers update to receive the latest patches that fix CVE-2024-0012. Please refer to the Palo Alto Networks Security Advisory for up-to-date information about affected products and versions.
Palo Alto Networks has shared our findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.
Palo Alto Networks customers are protected by our products, as listed below. We will update this threat brief as more relevant information becomes available.
Palo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against this threat.
For assistance related to a potential compromise, please reach out to Palo Alto Networks support. Unit 42 retainer customers can reach out to the Unit 42 Incident Response team or call:
Threat actor IPs have been identified attempting to scan and/or connect to management web interfaces in order to exploit CVE-2024-0012. Many of these IPs have been known to proxy/tunnel traffic for anonymous VPN services, which may include legitimate user activity originating from these IPs to other destinations.
SHA256 | Context |
3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668 | PHP webshell payload dropped on a compromised firewall |
Unit 42 will update these values as additional information is available and sharable.