Advisory

Critical RCE flaw reported in Palo Alto Networks Firewall Management interfaces

Take action: If you are running Palo Alto firewalls, or anything really - make double sure that the management interface of every Palo Alto product is reachable only from trusted internal IP addresses, and block all internet access to the management interface. There will be a patch, but don't wait for it. Act NOW.


Learn More

Palo Alto Networks has disclosed a critical zero-day vulnerability affecting the management interfaces of their Next-Generation Firewalls (NGFW), tracked as PAN-SA-2024-0015 (CVSS score 9.3). The vulnerability allows attackers to gain unauthorized control over firewalls, potentially enabling them to alter security rules, redirect or intercept network traffic, and disable security protections.

The vulnerability, discovered on November 8, 2024, is an unauthenticated remote code execution (RCE) flaw that requires no user interaction and has low attack complexity. On November 15, 2024, the company confirmed active exploitation of this vulnerability in the wild.

The Shadowserver Foundation is reporting approximately 8,700 exposed interfaces, while independent Shodan scans revealed 11,180 IP addresses associated with exposed Palo Alto management interfaces. The geographical distribution of affected devices shows the highest concentration in the United States, followed by India, Mexico, Thailand, and Indonesia.

The security team has identified specific attack patterns, including threat activity originating from multiple IP addresses (136.144.17[.], 173.239.218[.]251, and 216.73.162[.]).

A webshell with checksum 3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668 has been observed in these attacks.
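The indicators above can be turned into a quick retro-hunt over existing logs. The following is an added example, not part of the advisory and not Palo Alto Networks' tooling: it refangs the published indicators and scans a handful of constructed key=value log lines (the field names are an assumption for illustration, not the PAN-OS log schema). Only the complete address and the SHA-256 from the page are used; the two addresses printed without a final octet are left out because a partial address is not a usable indicator.

```python
import re
from typing import Iterable

# Indicators taken from the advisory above, defanged exactly as published.
# The two addresses the page prints without a final octet are deliberately
# omitted: a partial address cannot be matched reliably.
IOC_IPS = {"173.239.218[.]251"}
IOC_SHA256 = {"3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def refang(indicator: str) -> str:
    """Undo the '[.]' defanging used in published reports so the value can be matched."""
    return indicator.replace("[.]", ".")


def scan_lines(lines: Iterable[str], ioc_ips=IOC_IPS, ioc_hashes=IOC_SHA256):
    """Return (line_number, kind, indicator) for every hit.

    IPs are compared as whole tokens (no prefix matching); hashes compare
    case-insensitively because tooling disagrees on hex case.
    """
    ips = {refang(i) for i in ioc_ips}
    hashes = {h.lower() for h in ioc_hashes}
    hits = []
    for n, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in ips:
                hits.append((n, "ip", ip))
        for h in SHA256_RE.findall(line):
            if h.lower() in hashes:
                hits.append((n, "sha256", h.lower()))
    return hits


# Constructed sample lines (not from any real device) in a generic key=value
# style; the field names and the path are assumptions for illustration only.
SAMPLE_LOGS = [
    "ts=2024-11-16T02:11:09Z src=10.20.30.40 dst=198.51.100.5 dport=443 action=allow",
    "ts=2024-11-16T02:12:31Z src=173.239.218.251 dst=198.51.100.5 dport=443 action=allow",
    "ts=2024-11-16T02:12:40Z event=file_write path=/tmp/x.php sha256=3c5f9034c86cb1952aa5bb07b4f77ce7d8bb5cc9fe5c029a32c72adc7e814668",
    "ts=2024-11-16T02:13:02Z src=10.20.30.41 dst=198.51.100.5 dport=22 action=deny",
]

if __name__ == "__main__":
    for n, kind, value in scan_lines(SAMPLE_LOGS):
        print(f"line {n}: {kind} indicator matched: {value}")
```

Point `scan_lines` at an exported management-interface access log or file-integrity log instead of `SAMPLE_LOGS`; a hit on the hash is far stronger evidence than a hit on the address, since the address may also appear in benign blocked-connection records.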

While most Palo Alto Networks products are affected if their management interfaces are exposed to the internet, the company has confirmed that Prisma Access and Cloud NGFW deployments are not vulnerable to this exploit. Currently, no security patches are available, but the company is actively working on developing fixes and threat prevention signatures.

Palo Alto Networks strongly recommends implementing several immediate measures:

  • Restricting management interface access to trusted internal IP addresses only
  • Blocking all internet access to the management interface
  • Placing the management interface behind a secured network or VPN
  • Following the company's documented security guidelines
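The first two measures can be checked mechanically from a configuration export rather than by eye. The following is an added example, not from the advisory and not Palo Alto Networks' own code: it reads `set deviceconfig system permitted-ip <network>` lines (the command form is assumed from the PAN-OS set-command style; confirm it against your own export) and flags any permitted source that is not inside a trusted internal range. The RFC 1918 trusted list and the "empty list means unrestricted" reading are assumptions; narrow the trusted list to your actual management subnet.

```python
import ipaddress
import re
from typing import Iterable

# Ranges the management plane may legitimately be reached from. RFC 1918 is
# only a starting point (an assumption here); restrict this to the real
# management subnet or VPN pool in production.
TRUSTED_RANGES = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Assumed set-command form for the management permitted-IP list.
PERMITTED_IP_RE = re.compile(r"^\s*set deviceconfig system permitted-ip\s+(\S+)")


def parse_permitted_ips(config_lines: Iterable[str]):
    """Collect every permitted-ip entry as an ip_network (a bare host becomes a /32)."""
    nets = []
    for line in config_lines:
        m = PERMITTED_IP_RE.match(line)
        if m:
            nets.append(ipaddress.ip_network(m.group(1), strict=False))
    return nets


def assess_exposure(config_lines: Iterable[str], trusted=TRUSTED_RANGES) -> dict:
    """Report whether the management interface accepts untrusted sources.

    Findings are raised for: no entries at all (assumed to mean any source is
    allowed), a 0.0.0.0/0-style catch-all, and any entry not contained in a
    trusted range.
    """
    permitted = parse_permitted_ips(config_lines)
    findings = []
    if not permitted:
        findings.append("no permitted-ip entries: management reachable from any source address")
    for net in permitted:
        if net.prefixlen == 0:
            findings.append(f"{net}: allows every source address")
        elif not any(net.subnet_of(t) for t in trusted if t.version == net.version):
            findings.append(f"{net}: outside trusted internal ranges")
    return {
        "exposed": bool(findings),
        "permitted": [str(n) for n in permitted],
        "findings": findings,
    }


# Constructed configuration fragments for illustration (not real exports).
OPEN_CONFIG = [
    "set deviceconfig system ip-address 203.0.113.10",
    "set deviceconfig system permitted-ip 10.50.0.0/24",
    "set deviceconfig system permitted-ip 0.0.0.0/0",
]
PUBLIC_SOURCE_CONFIG = [
    "set deviceconfig system permitted-ip 10.50.0.0/24",
    "set deviceconfig system permitted-ip 198.51.100.0/24",
]
EMPTY_CONFIG = ["set deviceconfig system ip-address 203.0.113.10"]
LOCKED_CONFIG = [
    "set deviceconfig system permitted-ip 10.50.0.0/24",
    "set deviceconfig system permitted-ip 172.16.5.7",
]

if __name__ == "__main__":
    for name, cfg in (("open", OPEN_CONFIG), ("public", PUBLIC_SOURCE_CONFIG),
                      ("empty", EMPTY_CONFIG), ("locked", LOCKED_CONFIG)):
        report = assess_exposure(cfg)
        print(name, "EXPOSED" if report["exposed"] else "ok", report["findings"])
```

A clean result from this check still says nothing about whether the interface sits on a publicly routed address, so pair it with the portal's PAN-SA-2024-0015 asset tag and an external reachability test against the management address from outside your network.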

Organizations can verify their exposure by checking the Assets section of the Palo Alto Networks Customer Support Portal, where devices with internet-facing management interfaces are tagged with 'PAN-SA-2024-0015'. Given the critical nature of this vulnerability and confirmed exploitation, immediate implementation of these mitigations is strongly advised while awaiting official patches.
