Mystery Palo Alto Networks hijack-my-firewall zero-day now officially under exploit

Submitted by Style Pass, 2024-11-17 22:00:05

A critical zero-day vulnerability in Palo Alto Networks' firewall management interface that can allow an unauthenticated attacker to remotely execute code is now officially under active exploitation.

According to the equipment maker, the vulnerability requires no user interaction or privileges to exploit, and its attack complexity is deemed "low." There's no CVE number assigned to the flaw, which received a 9.3 out of 10 CVSSv4.0 rating, and currently has no patch.

Exploitation potentially allows a miscreant to take control of a compromised firewall, providing further access into a network. That said, the intruder must be able to reach the firewall's management interface, either internally or across the internet.

Palo Alto Networks earlier urged network hardening of its products – recommending locking off access to the interface, basically – after learning of an unverified, mystery remote code execution (RCE) flaw in its devices' PAN-OS some days ago. But in a late Thursday update, it confirmed it "has observed threat activity exploiting an unauthenticated remote command execution vulnerability against a limited number of firewall management interfaces which are exposed to the internet." 

Because of this, customers must "immediately" make sure that only trusted, internal IPs can access the management interface on their Palo Alto firewall systems — and cut off all access to the interface from the open internet. 
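The check that advice implies can be scripted. The following is an added example, not code from Palo Alto Networks or from the original article: it audits a list of source addresses permitted to reach a management interface, assuming the list has been exported as plain CIDR strings. The function name, the choice of RFC 1918 and IPv6 ULA space as "internal", and the minimum prefix lengths are assumptions for illustration.

```python
import ipaddress

# Assumption: "trusted, internal" means RFC 1918 and IPv6 unique-local space.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
# Assumption: anything broader than this is too wide for a management subnet.
MIN_PREFIX = {4: 16, 6: 48}


def audit_allowlist(entries):
    """Return (entry, problem) findings for a management-interface allowlist."""
    if not entries:
        # An empty allowlist usually means no restriction at all.
        return [("<empty>", "no source restriction configured")]
    findings = []
    for raw in entries:
        try:
            # strict=False accepts host addresses written with a prefix.
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            findings.append((raw, "unparsable entry"))
            continue
        internal = any(net.version == r.version and net.subnet_of(r)
                       for r in INTERNAL_RANGES)
        if net.prefixlen == 0:
            findings.append((raw, "matches every address"))
        elif not internal:
            findings.append((raw, "not inside internal address space"))
        elif net.prefixlen < MIN_PREFIX[net.version]:
            findings.append(
                (raw, "internal but broader than /%d" % MIN_PREFIX[net.version]))
    return findings


if __name__ == "__main__":
    # Constructed sample allowlist; 203.0.113.0/24 is a documentation range
    # standing in for a public address block.
    sample = ["10.20.30.0/24", "192.168.1.5", "203.0.113.0/24",
              "0.0.0.0/0", "10.0.0.0/8", "mgmt-vlan"]
    for entry, problem in audit_allowlist(sample):
        print(f"{entry}: {problem}")
```

An empty result means every entry is a narrow internal range; the firewall's own access logs still need reviewing separately for connections that predate the restriction.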
