Thousands of Palo Alto Firewalls Hacked via Zero-Day Exploits: Urgent Patching Advised
November 21, 2024
CVE-2024-9474 allows privilege escalation, enabling an administrator with web interface access to execute actions with root privileges.
Palo Alto Networks first alerted customers about these vulnerabilities on November 8, 2024, advising them to restrict access to their firewalls.
Following the discovery, Palo Alto released patches for the vulnerabilities and urged immediate installation, with the Cybersecurity and Infrastructure Security Agency (CISA) including them in its Known Exploited Vulnerabilities catalog.
Customers are advised to monitor their networks for suspicious activity and to take affected devices offline if compromise is suspected.
Palo Alto Networks and its Unit 42 threat intelligence team are actively tracking exploitation activity and collaborating with external researchers to share information.
The company has assessed that a functional exploit chaining both vulnerabilities is likely available, raising concerns about increased threat activity.
Palo Alto Networks has observed that the vulnerabilities primarily affect internet-exposed device management interfaces.
Exploitation attempts have led to the deployment of web shells on compromised devices, providing attackers with persistent remote access.
CVE-2024-9474 was disclosed on November 18, 2024, highlighting the urgency for organizations to secure their firewall management interfaces.
Publicly available technical details and proof-of-concept code have increased the likelihood of further attacks, according to security analysts.
Palo Alto Networks has reported that thousands of its firewalls have been compromised due to the exploitation of two recently patched zero-day vulnerabilities, CVE-2024-0012 and CVE-2024-9474.
The majority of affected devices are located in the United States and India, with additional vulnerabilities reported in Thailand, Mexico, and the U.K.
Summary based on 9 sources
Sources
TechCrunch • Nov 21, 2024
Palo Alto Networks warns hackers are breaking into its customers' firewalls — again | TechCrunch
The Hacker News • Nov 21, 2024
Warning: Over 2,000 Palo Alto Networks Devices Hacked in Ongoing Attack Campaign
The Register • Nov 19, 2024
Palo Alto Networks tackles firewall-busting zero-days with critical patches
BleepingComputer • Nov 21, 2024
Over 2,000 Palo Alto firewalls hacked using recently patched bugs