Malicious hackers have compromised potentially thousands of organizations by exploiting two new zero-day vulnerabilities found in widely used software made by cybersecurity giant Palo Alto Networks.
Security researchers at Palo Alto Networks said Wednesday that they have observed a “limited set of exploitation activity” related to the two vulnerabilities in PAN-OS, the operating system that runs on all of Palo Alto’s next-generation firewalls. The bugs are considered zero-days because the company had no time to release patches before the bugs were exploited.
The company said it has observed exploitation of the two bugs, including CVE-2024-0012, which allows an attacker with network access to the management web interface to gain administrator privileges, while the second bug, tracked as CVE-2024-9474, allows an attacker to perform actions on the compromised firewall with higher root privileges.
When these vulnerabilities are used together, an attacker can remotely plant malicious code on affected firewalls with the highest possible privileges, allowing for deeper access to a company’s network.
Palo Alto Networks says attackers are now using their own functional exploit chaining the two flaws together to target a “limited number of device management web interfaces” exposed to the internet.
According to the Shadowserver Foundation, a nonprofit organization that scans and monitors the internet for vulnerability exploitation, hackers have already compromised more than 2,000 affected Palo Alto Networks firewalls by leveraging the two recently patched flaws. The nonprofit found that the highest number of compromised devices were located in the United States, followed by India, with hackers also exploiting firewalls across the United Kingdom, Australia, and China.
Palo Alto Networks declined to confirm how many firewalls had been compromised when asked by TechCrunch.
U.S. cybersecurity company Arctic Wolf said this week that its researchers also observed hackers exploiting the two Palo Alto firewall vulnerabilities as early as November 19 to break into customer networks, following the release of a proof-of-concept exploit.
“Upon successful exploitation, we have observed threat actors attempting to transfer tools into the environment and exfiltrate config files from the compromised devices,” said Andres Ramos, a threat intelligence researcher at Arctic Wolf, in the company’s blog post.
Palo Alto Networks released patches for the two vulnerabilities and urged organizations to patch as soon as possible. U.S. cybersecurity agency CISA has also added the two vulnerabilities to its Known Exploited Vulnerabilities catalog, which effectively orders civilian federal agencies to patch their systems within a three-week window.
According to researchers at security firm watchTowr Labs, who reverse-engineered Palo Alto’s patches, the flaws resulted from basic mistakes in the development process.
This is the latest vulnerability in recent months found in corporate security devices, such as firewalls, VPN products, and remote access tools, which sit on the edge of a company’s network to function as digital gatekeepers. This is Palo Alto Networks’ second major security alert of the year, alongside flaws found in similar products developed by cybersecurity vendors Ivanti and Check Point.