Attackers Target PAN-OS Zero Day

Palo Alto has not yet released a fix for the critical RCE flaw.

UPDATE—Palo Alto Networks is warning customers that attackers are exploiting yet another bug in one of its products, this time in the management interface of its PAN-OS software, and there is not a fix available at this time. The company is tracking the exploit activity under the name Operation Lunar Peek.

Palo Alto first disclosed the vulnerability on Nov. 8 with limited details, but on Friday PAN updated the advisory to say that it has detected exploitation of the bug. The vulnerability itself is an unauthenticated remote code execution flaw in PAN-OS, and PAN said the exploitation activity is targeting Next Generation Firewalls specifically.

“Palo Alto Networks has observed threat activity exploiting an unauthenticated remote command execution vulnerability against a limited number of firewall management interfaces which are exposed to the Internet. We are actively investigating this activity,” the advisory says.

“We strongly recommend customers ensure access to your management interface is configured correctly in accordance with our recommended best practice deployment guidelines. At this time we believe devices whose access to the Management Interface is not secured as per our recommended best practice deployment guidelines are at increased risk.”

Palo Alto released a fix for the bug (CVE-2024- on Monday, and any customers who have the management interface exposed to the Internet are at risk of exploitation. In the event that an organization can’t deploy the fix right away, PAN recommends that customers restrict access to the management interface to trusted internal IP addresses. 

As of Thursday, the Shadowserver Foundation found more than 8,700 PAN-OS devices worldwide with the management interface exposed to the Internet. 

Edge security devices are highly favored targets for cybercrime actors as well as APT teams looking for a privileged foothold in enterprise networks. A new report from CISA this week included several flaws in edge security devices among the 15 most commonly exploited vulnerabilities worldwide last year.

This story was updated on Nov. 18 to include the CVE and information about the patch.