Thousands of Palo Alto Firewalls Hacked via Zero-Day Flaws: 'Operation Lunar Peek' Underway
November 21, 2024
Cybercriminals have been observed deploying malware and executing commands on compromised devices, indicating active exploitation of the vulnerabilities.
The initial exploitation of CVE-2024-0012 has been named 'Operation Lunar Peek', primarily targeting device management interfaces from IP addresses associated with anonymous VPN services.
To mitigate risks, Palo Alto Networks recommends restricting access to the management interface to trusted internal IP addresses and applying the latest security fixes immediately.
CVE-2024-9474 allows for privilege escalation, enabling an administrator with web interface access to perform actions with root privileges.
The most affected devices are primarily located in the United States, followed by India, Mexico, Thailand, and Indonesia.
Palo Alto Networks and its Unit 42 threat intelligence team are actively monitoring exploitation activities and collaborating with external researchers to share information.
Both vulnerabilities have been added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities catalog, which requires federal agencies to patch their systems by December 9, 2024.
Thousands of Palo Alto Networks firewalls have been compromised due to the exploitation of two recently patched zero-day vulnerabilities, CVE-2024-0012 and CVE-2024-9474.
Unit 42 reports a moderate to high confidence that a functional exploit chaining the two vulnerabilities is now publicly available, likely leading to increased threat activity.
The vulnerabilities were flagged by Palo Alto Networks about ten days prior to the public announcement, underscoring the need for securing firewall management interfaces exposed to the internet.
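The two defensive points above (restrict the management interface to trusted internal addresses, and treat internet exposure of that interface as the risk) can be turned into a small check. The following is an added example, not code from Palo Alto Networks, Unit 42 or any of the cited sources. It assumes the permitted-IP list is recorded as IPv4 CIDR strings and that management-access log lines carry a `src=` field; both the allowlists and the log lines below are constructed for illustration.

```python
import ipaddress
import re
from typing import Iterable, List

# Constructed sample allowlists (assumption: the team records the firewall's
# permitted management addresses as IPv4 CIDR strings).
WEAK_ALLOWLIST = ["0.0.0.0/0"]                            # matches everything
HARDENED_ALLOWLIST = ["10.0.5.0/24", "192.168.100.10/32"]  # admin subnet + jump host

# RFC 1918 ranges: the "trusted internal" space the advisory points to.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed management-access log lines (hypothetical key=value format).
LOG_LINES = [
    "2024-11-20T03:14:07Z src=10.0.5.21 path=/ status=200",
    "2024-11-20T03:15:11Z src=198.51.100.77 path=/ status=200",
    "2024-11-20T03:15:12Z src=192.168.100.10 path=/ status=200",
]

SRC_RE = re.compile(r"\bsrc=(\S+)")


def audit_allowlist(entries: Iterable[str]) -> List[str]:
    """Return one finding per entry that leaves the management interface too open."""
    findings = []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if net.prefixlen == 0:
            findings.append(f"{entry}: matches every address; management interface is effectively internet-exposed")
        elif not any(net.subnet_of(internal) for internal in RFC1918):
            findings.append(f"{entry}: not an RFC 1918 range; management access is reachable from outside the internal network")
        elif net.prefixlen < 16:
            findings.append(f"{entry}: very broad internal range; prefer a dedicated admin subnet or individual hosts")
    return findings


def is_permitted(allowlist: Iterable[str], src_ip: str) -> bool:
    """True when src_ip falls inside at least one allowlist entry."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in allowlist)


def flag_unlisted_logins(allowlist: Iterable[str], log_lines: Iterable[str]) -> List[str]:
    """Source addresses that reached the management interface from outside the allowlist.

    With a hardened allowlist these hits are exactly the connections the
    allowlist should have blocked, so any appearance is worth investigating.
    """
    entries = list(allowlist)
    flagged = []
    for line in log_lines:
        m = SRC_RE.search(line)
        if m and not is_permitted(entries, m.group(1)):
            flagged.append(m.group(1))
    return flagged


if __name__ == "__main__":
    for name, allowlist in (("weak", WEAK_ALLOWLIST), ("hardened", HARDENED_ALLOWLIST)):
        print(f"[{name}] allowlist findings:", audit_allowlist(allowlist) or "none")
        print(f"[{name}] unlisted logins:", flag_unlisted_logins(allowlist, LOG_LINES) or "none")
```

The audit is deliberately strict about anything outside RFC 1918 space: even a narrow public range should be a conscious exception, since the reported activity came from addresses associated with anonymous VPN services, which no allowlist can distinguish from a legitimate remote admin.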
Security operations company Arctic Wolf reported seeing attacks exploiting the vulnerabilities against customer environments starting November 19, 2024.
Many administrators responded quickly on November 21, 2024, by removing or updating vulnerable devices, resulting in a significant reduction in the number of compromised devices.
Summary based on 12 sources
Sources
TechCrunch • Nov 21, 2024
Palo Alto Networks warns hackers are breaking into its customers' firewalls — again
TechRadar Pro • Nov 22, 2024
Palo Alto Networks says it fixed two major firewall zero-days being used in thousands of attacks
The Hacker News • Nov 21, 2024
Warning: Over 2,000 Palo Alto Networks Devices Hacked in Ongoing Attack Campaign
The Register • Nov 19, 2024
Palo Alto Networks tackles firewall-busting zero-days with critical patches