Association-anemone

Palo Alto Networks confirms new Zero-Day exploit by Threat Act
asane

According to the cybersecurity vendor, an unauthenticated remote command execution (RCE) vulnerability affecting Palo Alto Networks’ internet-exposed firewall management interfaces is being actively exploited.

On November 8, Palo Alto published a security advisory to warn of a zero-day vulnerability affecting some of its PAN-OS firewall management interfaces.

The flaw is an unauthenticated RCE vulnerability that affects internet-exposed next-generation firewall (NGFW) management interfaces.

CVSS score of 9.3

Although the vulnerability has not yet been assigned a CVE, Palo Alto has rated it as critical with a CVSS of 9.3.

However, the vulnerability only affects publicly exposed NGFW management interfaces. The manufacturer believes that neither Prisma Access nor Cloud NGFW is affected.

“If access to the management interface is limited to IPs, the risk of exploitation is very limited because any potential attack would first require privileged access to those IPs. The CVSS for this scenario is a high 7.5,” the company added.

While Palo Alto initially did not mention any threat activity related to this new vulnerability, the firm updated its advisory on November 14 to confirm that it has now observed exploitation in the wild.

Palo Alto working on a patch

Palo Alto informed customers that it is actively developing patches and threat prevention signatures, which are expected to be released soon.

“We strongly recommend that customers ensure that access to your management interface is properly configured in accordance with our best practice implementation guidelines,” Palo Alto added in its advisory.

This comes just days after the US Cybersecurity and Infrastructure Security Agency (CISA) added another vulnerability affecting a Palo Alto product, this time Palo Alto Expedition (CVE-2024-5910), to its Known Exploited Vulnerabilities (KEV) catalog.

Fortinet, another firewall vendor, has also seen multiple disclosures of zero-day vulnerabilities being actively exploited in the last month.
