scaveza
Product Team
11 months ago

Palo Alto PAN-SA-2024-0015: Critical Zero-Day Under Active Exploitation

Update 11/18: A Tenable blog post has been published regarding the zero-day vulnerability described in Palo Alto's PAN-SA-2024-0015 security advisory. We recommend reviewing our blog post for the latest information about the zero-day now tracked as CVE-2024-0012 and a related CVE which was also patched by Palo Alto on November 18, CVE-2024-9474.

On November 8, Palo Alto published security advisory PAN-SA-2024-0015 advising that they were aware of a claim about a remote code execution vulnerability affecting the PAN-OS management interface. At the time, no specific information was known and they were still investigating the issue. 

On November 14, the advisory was updated to indicate that known exploitation targeting an unauthenticated remote command execution vulnerability was discovered. Palo Alto’s advisory notes that a limited number of devices appear to have been impacted in cases where those devices had their management interface exposed to the internet. According to Palo Alto, best practices for the management interface are to restrict access to trusted internal IP addresses.

At this time, no patch or CVE identifier has been released from Palo Alto and their advisory currently lists steps to identify devices which may be exposed as well as a set of Frequently Asked Questions about this ongoing investigation.

We recommend reviewing the security advisory for more information about this zero-day exploitation and for next steps on securing affected devices. As we expect more updates to be made, we recommend reviewing the advisory often for updates.

Tenable customers can utilize plugin ID 72816 to identify devices running Palo Alto Networks PAN-OS.
