Palo Alto Networks Patches Critical Zero-Day Firewall Bug

Published: 23/11/2024   Category: security




The security vendor's Expedition migration tool and its PAN-OS firewall management interface have racked up four critical vulnerabilities under active attack in November, leading it to advise customers to update immediately and take the affected interfaces off the Internet.



Editor's note: This article was updated on 11-19-24 for clarity.
Palo Alto Networks (PAN) put out an advisory on Friday, Nov. 15, warning its customers that a critical, unauthenticated remote code execution (RCE) bug in the PAN-OS firewall management web interface is under exploit by cybercriminals, making this the fourth PAN vulnerability under active attack identified in just the past week (the other three affect its Expedition tool).
PAN's Expedition is a utility the vendor uses to migrate new customers from their previous firewall platform to PAN-OS. For the latest bug, which affects the PAN-OS management web interface rather than Expedition, it issued a critical security bulletin warning about fresh threat activity targeting an unauthenticated remote command execution vulnerability (CVE-2024-0012, CVSS 9.3).
(Editor's note: This bug was added to the CISA KEV list on 11-18.)
The company didn't specify exactly when it became aware of the zero-day, but it issued patches for the bug, which arises from a missing authentication check in the management web interface.
"Palo Alto Networks has observed threat activity exploiting an unauthenticated remote command execution vulnerability against a limited number of firewall management interfaces which are exposed to the Internet," Palo Alto Networks' security bulletin said.
The day prior to the PAN bulletin, on Nov. 14, CISA added two separate critical Expedition flaws, disclosed on Nov. 8, to its Known Exploited Vulnerabilities (KEV) Catalog: an OS command injection vulnerability (CVE-2024-9463) with a CVSS score of 9.9, and an SQL injection vulnerability (CVE-2024-9465) with a CVSS score of 9.2. And just a week before that, another PAN Expedition vulnerability, a missing-authentication bug disclosed July 10, made the KEV list (CVE-2024-5910).
Customers should patch their systems as soon as possible; the vendor also urges Expedition users to ensure their systems are not reachable from the public Internet.
And although most affected firewalls already follow that best practice, PAN recommends that customers "immediately ensure that access to the management interface is possible only from trusted internal IPs and not from the Internet."
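The vendor's guidance above amounts to two checks per firewall: the management address itself sits inside trusted internal space, and the management interface's permitted-IP list (PAN-OS's allowlist of sources that may reach the management plane) contains only trusted internal networks. The audit script below is an added example, not Palo Alto Networks' own code or tooling; it runs over a constructed inventory with hypothetical field names (`name`, `mgmt_ip`, `permitted_ips`) that a real audit would populate from the firewall configuration or Panorama, and it assumes that an empty permitted-IP list means any source may connect.

```python
"""Flag PAN-OS management interfaces reachable from outside trusted internal space.

Added example, not vendor code. Inventory fields are hypothetical; the rule
that an empty permitted-IP list means "unrestricted" is an assumption.
"""
import ipaddress

# Trusted internal ranges: assumed here to be RFC 1918 space. Adjust to the
# real management VLANs / jump-host ranges in your environment.
TRUSTED_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample inventory (not real devices). Public addresses use
# RFC 5737 documentation ranges.
INVENTORY = [
    {"name": "fw-dc1",    "mgmt_ip": "10.20.30.40",  "permitted_ips": ["10.20.0.0/16"]},
    {"name": "fw-branch", "mgmt_ip": "203.0.113.5",  "permitted_ips": []},
    {"name": "fw-lab",    "mgmt_ip": "10.99.1.1",    "permitted_ips": ["0.0.0.0/0"]},
    {"name": "fw-edge",   "mgmt_ip": "198.51.100.7", "permitted_ips": ["10.0.0.0/8"]},
]


def in_trusted(net):
    """True if `net` lies wholly inside one of the trusted ranges.

    Deliberately does not use ipaddress.is_private, which also treats the
    RFC 5737 documentation ranges as private and would hide the public
    addresses in the sample inventory.
    """
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_RANGES)


def audit_device(dev):
    """Return a list of findings for one device; an empty list means it passes."""
    findings = []

    # Check 1: the management address itself should not be publicly reachable.
    mgmt_net = ipaddress.ip_network(dev["mgmt_ip"])  # host address as a /32 (or /128)
    if not in_trusted(mgmt_net):
        findings.append(f"management IP {dev['mgmt_ip']} is outside trusted internal ranges")

    # Check 2: the permitted-IP allowlist must exist and contain only trusted networks.
    permitted = [ipaddress.ip_network(p, strict=False) for p in dev["permitted_ips"]]
    if not permitted:
        # Assumption: no permitted-ip entries == any source may connect.
        findings.append("no permitted-IP restriction: any source may reach the management interface")
    for net in permitted:
        if not in_trusted(net):
            # Catches 0.0.0.0/0 as well as any explicitly public allowlist entry.
            findings.append(f"permitted-IP {net} is outside trusted internal ranges")

    return findings


def audit(inventory):
    """Map each device name to its list of findings."""
    return {dev["name"]: audit_device(dev) for dev in inventory}


def exposed(inventory):
    """Sorted names of devices with at least one finding: the ones to take off the Internet first."""
    return sorted(name for name, findings in audit(inventory).items() if findings)


if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        status = "OK" if not findings else "EXPOSED"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  - {f}")
```

The second check matters even for firewalls whose management address is internal: a `0.0.0.0/0` allowlist entry (as on the constructed `fw-lab`) leaves the interface open to anything that can route to it, which is the condition the vendor's bulletin describes.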
According to the Shadowserver Foundation's device tracking statistics, on Nov. 14 there were more than 8,700 PAN-OS management interfaces exposed to the Internet and potentially vulnerable to these exploits. That number is down from around 11,000 observed prior to PAN's Nov. 8 bulletin.
"The security of our customers is our highest priority, and we have been in daily contact with customers who we have identified as at heightened risk," a statement from PAN provided to Dark Reading read. "We recently became aware of malicious activity targeting a small number of firewalls that we believe had a management interface exposed to the Internet. This vulnerability could potentially result in unauthorized access to these specific firewalls. We are actively monitoring the situation and are committed to providing our customers with the support they need to stay secure."
The company added that Prisma Access and Cloud NGFW are not believed to be affected.
Experts urge cybersecurity teams not to underestimate the risk of leaving these vulnerabilities exposed.
"OS commanding and SQL injection are among the most critical vulnerabilities in software," says Ray Kelly, a cybersecurity expert with Black Duck. "When both vectors exist in a single product, it essentially exposes the application completely. These vulnerabilities have been known for decades and can be easily detected using most modern Web application scanning tools."
Last summer, PAN announced that Expedition is being phased out and will no longer be supported as of January 2025.
