CISA: Just-Disclosed Palo Alto Networks Firewall Bug Under Active Exploit

Published: 23/11/2024   Category: security




The bug tracked as CVE-2022-0028 allows attackers to hijack firewalls without authentication, in order to mount DDoS hits on their targets of choice.



The US Cybersecurity and Infrastructure Security Agency (CISA) is warning that a high-severity security vulnerability in Palo Alto Networks firewalls is being actively exploited in the wild.
The bug (CVE-2022-0028, CVSS severity score of 8.6) exists in the PAN-OS operating system that runs the firewalls, and could allow a remote threat actor to abuse them to mount distributed denial-of-service (DDoS) attacks against targets of their choice, without having to authenticate.
Two weeks after its disclosure, CISA said that it has now seen the bug being adopted by cyber adversaries in the wild, and it has added it to its Known Exploited Vulnerabilities (KEV) catalogue. Attackers can exploit the flaw to deploy both reflected and amplified versions of DDoS floods.
Exploitation of the issue can help attackers cover their tracks and location, according to the original Palo Alto Networks advisory issued earlier this month.
The DoS attack would appear to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual) and CN-Series (container) firewall against an attacker-specified target, according to the firm.
"The good news is that this vulnerability does not provide attackers with access to the victim's internal network," says Phil Neray, vice president of cyber-defense strategy at CardinalOps. "The bad news is that it can halt business-critical operations [at other targets] such as taking orders and handling customer service requests."
He notes that DDoS attacks aren't just mounted by small-time nuisance actors, as is often assumed: DDoS has been used in the past by adversary groups like APT28 against the World Anti-Doping Agency.
The bug arises thanks to a URL-filtering policy misconfiguration, so instances that use a non-standard configuration are at risk. "To be exploited, the firewall configuration must have a URL filtering profile with one or more blocked categories assigned to a security rule with a source zone that has an external facing network interface," the advisory read.
Bud Broomhead, CEO at Viakoo, says bugs that can be marshaled into service to support DDoS attacks are in more and more demand by cybercriminals, and are increasingly exploited.
"The ability to use a Palo Alto Networks firewall to perform reflected and amplified attacks is part of an overall trend to use amplification to create massive DDoS attacks," he says. "Google's recent announcement of an attack which peaked at 46 million requests per second, and other record-breaking DDoS attacks, will put more focus on systems that can be exploited to enable that level of amplification."
The speed of weaponization also fits the trend of cyberattackers taking increasingly less time to put newly disclosed vulnerabilities to work — but this also points to an increased interest in lesser-severity bugs on the part of threat actors.
"Too often, our researchers see organizations move to patch the highest-severity vulnerabilities first based on the CVSS," Terry Olaes, director of sales engineering at Skybox Security, wrote in an emailed statement. "Cybercriminals know this is how many companies handle their cybersecurity, so they've learned to take advantage of vulnerabilities seen as less critical to carry out their attacks."
But patch prioritization continues to be a challenge for organizations of all stripes and sizes thanks to the sheer number of patches that are disclosed in a given month: hundreds of vulnerabilities that IT teams need to triage and assess, often without much guidance to go on. Furthermore, Skybox Research Lab recently found that new vulnerabilities that went on to be exploited in the wild rose by 24% in 2022.
"That said, any vulnerability that CISA warns you about, if you have in your environment, you need to patch now," Roger Grimes, data-driven defense evangelist at KnowBe4, tells Dark Reading. "The [KEV] lists all the vulnerabilities that were used by any real-world attacker to attack any real-world target. Great service."
He notes that the list is exhaustive: "It isn't just full of Windows or Google Chrome exploits. I think the average computer security person would be surprised about what's on the list. It's full of devices, firmware patches, VPNs, DVRs, and a ton of stuff that isn't traditionally thought of as being highly targeted by hackers."
For the newly exploited PAN-OS bug, patches are available in the following versions:
PAN-OS 8.1.23-h1
PAN-OS 9.0.16-h3
PAN-OS 9.1.14-h4
PAN-OS 10.0.11-h1
PAN-OS 10.1.6-h6
PAN-OS 10.2.2-h2
And all later PAN-OS versions for PA-Series, VM-Series and CN-Series firewalls.
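The fixed releases above are per PAN-OS train, and a running version is only safe if it is at or past the fix for its own train (hotfix suffix included). The following check, added here as an example and not part of the article or of any Palo Alto Networks tooling, parses PAN-OS version strings and triages a constructed firewall inventory against that list; hostnames and versions in the sample are made up.

```python
import re
from typing import Tuple

# Fixed releases named in the advisory for CVE-2022-0028, keyed by (major, minor) train.
# Later maintenance releases and hotfixes within a train, and later trains, are also fixed.
FIXED_RELEASES = {
    (8, 1): "8.1.23-h1",
    (9, 0): "9.0.16-h3",
    (9, 1): "9.1.14-h4",
    (10, 0): "10.0.11-h1",
    (10, 1): "10.1.6-h6",
    (10, 2): "10.2.2-h2",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Split 'major.minor.maint[-hN]' into a comparable tuple; a missing hotfix counts as 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def cve_2022_0028_status(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown-train' for a running PAN-OS version."""
    parsed = parse_panos_version(version)
    train = parsed[:2]
    if train in FIXED_RELEASES:
        return "fixed" if parsed >= parse_panos_version(FIXED_RELEASES[train]) else "vulnerable"
    if train > max(FIXED_RELEASES):
        return "fixed"  # newer train than any listed; the advisory covers all later versions
    return "unknown-train"  # older train absent from the list; needs manual review


def triage(inventory: dict) -> dict:
    """Map each firewall in an inventory to its status, worst first."""
    order = {"vulnerable": 0, "unknown-train": 1, "fixed": 2}
    results = {name: cve_2022_0028_status(v) for name, v in inventory.items()}
    return dict(sorted(results.items(), key=lambda kv: order[kv[1]]))


if __name__ == "__main__":
    # Constructed sample inventory for the example (not real hosts).
    sample = {"fw-edge-1": "10.1.6-h2", "fw-dc-2": "10.2.3", "fw-lab": "8.0.20", "fw-vm-3": "9.1.14-h4"}
    for name, status in triage(sample).items():
        print(f"{name:10s} {sample[name]:12s} {status}")
```

Version alone is not the whole story: per the advisory, a firewall is only exposed if a URL filtering profile with blocked categories is attached to a rule whose source zone faces an external interface, so a "vulnerable" result here means "unpatched", not "confirmed exploitable".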
"To determine if the damage is already done, organizations should ensure they have solutions in place capable of quantifying the business impact of cyber-risks into economic impact," Olaes wrote.
He added, "This will also help them identify and prioritize the most critical threats based on the size of financial impact, among other risk analyses such as exposure-based risk scores. They must also enhance the maturity of their vulnerability management programs to ensure they can quickly discover whether or not a vulnerability impacts them and how urgent it is to remediate."
Grimes notes that it's a good idea to subscribe to CISA's KEV emails as well.
"If you subscribe, you'll get at least an email a week, if not more, telling what the latest exploited vulnerabilities are," he says. "It isn't just a Palo Alto Networks problem. Not by any stretch of the imagination."
