Summary:
On November 8, 2024, Palo Alto Networks issued a bulletin regarding a potential unauthenticated remote command execution vulnerability affecting firewall management interfaces. Although no specific indicators of compromise have been identified, the firm advises customers to secure their interfaces and monitor for suspicious activity.
Key points:
Palo Alto Networks published a bulletin (PAN-SA-2024-0015) on November 8, 2024, regarding firewall management interfaces.
Rapid7 threat intelligence teams are monitoring rumors of a possible zero-day vulnerability.
On November 14, PAN updated their advisory, confirming observed threat activity exploiting the vulnerability.
As of November 15, no CVE or fix is available for the identified issue.
Risk of exploitation is limited if access to the management interface is restricted.
No specific indicators of compromise (IOCs) are currently available.
PAN advises monitoring for suspicious activity if the management interface is exposed to the internet.
Prisma Access and Cloud NGFW are believed not to be affected.
Customers should follow PAN’s best practice deployment guidelines to restrict access to trusted internal IPs only.
Further guidance is available in the Palo Alto Networks advisory.
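The two access-control points above (exploitation risk is limited when the management interface is restricted, and access should be allowed only from trusted internal IPs) lend themselves to a mechanical check. The script below is an added example for this summary, not Palo Alto Networks code and not tied to the PAN-OS configuration format; it assumes an operator has exported the management-interface allow-list as one IP or CIDR per line, audits each entry against RFC 1918 space (the assumed "trusted internal" ranges, which an operator would narrow to their real management subnets), and flags "any" entries and public ranges that would leave the interface reachable from the internet.

```python
"""Audit a firewall management-interface allow-list against the
"trusted internal IPs only" guidance.

Added example: not Palo Alto Networks code, and the allow-list format
(one IP or CIDR per line, '#' starts a comment) is an assumption about
how an operator might export the permitted-IP list for review.
"""
import ipaddress

# Assumed trusted ranges: RFC 1918 private space. Narrow these to the
# actual management subnets in a real deployment.
DEFAULT_TRUSTED = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# Constructed sample allow-list mixing compliant entries, an "any"
# entry, a public range and a malformed line.
SAMPLE_ALLOWLIST = """\
# management permitted IPs (constructed sample)
10.20.30.0/24
192.168.1.10
0.0.0.0/0
203.0.113.0/24
not-an-address
"""


def parse_entry(raw):
    """Return an ip_network for a single host or CIDR, or None if unparseable."""
    try:
        # strict=False accepts host bits set in a CIDR (e.g. 10.1.2.3/24).
        return ipaddress.ip_network(raw, strict=False)
    except ValueError:
        return None


def audit_allowlist(text, trusted=DEFAULT_TRUSTED):
    """Classify every allow-list entry as compliant, exposed or invalid.

    compliant: (line, entry) fully inside a trusted range
    exposed:   (line, entry, reason) reachable from outside trusted space
    invalid:   (line, entry) could not be parsed and should be reviewed
    """
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    result = {"compliant": [], "exposed": [], "invalid": []}
    for lineno, line in enumerate(text.splitlines(), 1):
        raw = line.split("#", 1)[0].strip()
        if not raw:
            continue
        net = parse_entry(raw)
        if net is None:
            result["invalid"].append((lineno, raw))
            continue
        # A /0 (0.0.0.0/0 or ::/0) permits every source address.
        if net.prefixlen == 0:
            result["exposed"].append((lineno, raw, "permits any source address"))
            continue
        # subnet_of raises TypeError across address families, so match versions first.
        if any(net.version == t.version and net.subnet_of(t) for t in trusted_nets):
            result["compliant"].append((lineno, raw))
        else:
            result["exposed"].append((lineno, raw, "outside trusted internal ranges"))
    return result


def is_restricted(text, trusted=DEFAULT_TRUSTED):
    """True only when the list is non-empty and every entry is trusted.

    An empty list is treated as not restricted, because on many platforms
    the absence of an allow-list means the interface accepts any source.
    """
    r = audit_allowlist(text, trusted)
    return bool(r["compliant"]) and not r["exposed"] and not r["invalid"]


if __name__ == "__main__":
    findings = audit_allowlist(SAMPLE_ALLOWLIST)
    for category, entries in findings.items():
        for entry in entries:
            print(category, *entry)
    print("restricted to trusted ranges:", is_restricted(SAMPLE_ALLOWLIST))
```

Any entry in the `exposed` bucket means the interface is reachable from beyond the trusted ranges and, per the advisory, the device should be treated as a candidate for the suspicious-activity monitoring described above until the allow-list is tightened.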
MITRE Techniques:
Remote Command Execution (T1203): Exploits vulnerabilities in software to execute commands remotely.
IoC: None available as of November 15, 2024.
Full Research: https://blog.rapid7.com/2024/11/15/etr-zero-day-exploitation-targeting-palo-alto-networks-firewall-management-interfaces/