Palo Alto Networks is warning that a critical zero-day vulnerability on Next-Generation Firewalls (NGFW) management interfaces, currently tracked as ‘PAN-SA-2024-0015,’ is actively being exploited in attacks.
The flaw was originally disclosed on November 8, 2024, with Palo Alto Networks warning customers to restrict access to their next-generation firewalls because of a “potential” remote code execution (RCE) vulnerability impacting them.
No signs of exploitation were detected at that time, but now, one week later, the situation has changed.
“Palo Alto Networks has observed threat activity exploiting an unauthenticated remote command execution vulnerability against a limited number of firewall management interfaces which are exposed to the Internet,” warns an update on the advisory page.
“At this time, we believe devices whose access to the Management Interface is not secured as per our recommended best practice deployment guidelines are at increased risk,” warns the vendor in the same bulletin.
The vulnerability, rated with a CVSS v4.0 score of 9.3 (“critical”), is remotely exploitable and requires no authentication or user interaction.
Once an internet-exposed interface is detected, the attacker can send a specially crafted request to gain unauthorized control over the firewall, potentially enabling them to alter rules, redirect or intercept network traffic, and turn off security protections.
Unfortunately, the vendor does not have sufficient information to formulate a useful list of indicators of compromise at this time, but suggested the following mitigation steps:
- Configure access to the firewall management interface so it is only accessible from trusted internal IP addresses.
- Block all internet access to the management interface to prevent exploitation.
- Place the management interface behind a secured network or VPN to ensure access is controlled and authenticated.
- Review and implement the security guidelines found here.
Despite the dangerous RCE bug being discovered a week ago, Palo Alto Networks has not yet made security updates available to impacted clients.
“At this time, securing access to the management interface is the best recommended action,” says Palo Alto Networks.
“As we investigate the threat activity, we are preparing to release fixes and threat prevention signatures as early as possible.”
Threat monitoring platform The Shadowserver Foundation reported earlier today that it sees approximately 8,700…
Click Here to Read the Full Original Article at BleepingComputer…