CVE-2024-0012
Published 2024-11-18
Priority: P1 (100) · critical · 9.8 CVSS 3.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2024-12-09
Exploited in the wild
EPSS: 99.70% (100.0th percentile)
An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474 (https://security.paloaltonetworks.com/CVE-2024-9474).
The risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines (https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431).
This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software.
Cloud NGFW and Prisma Access are not impacted by this vulnerability.
Affected
42 ranges, showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| palo_alto_networks | pan-os | >= 10.2.0 < 10.2.12-h2 | 10.2.12-h2 |
| palo_alto_networks | pan-os | >= 11.0.0 < 11.0.6-h1 | 11.0.6-h1 |
| palo_alto_networks | pan-os | >= 11.1.0 < 11.1.5-h1 | 11.1.5-h1 |
| palo_alto_networks | pan-os | >= 11.2.0 < 11.2.4-h1 | 11.2.4-h1 |
| paloalto | cloud_ngfw | — | — |
| paloalto | cortex_xpanse | — | — |
| paloalto | cortex_xsiam | — | — |
| paloalto | globalprotect | — | — |
| paloalto | pan-os | — | — |
| paloalto | panorama | — | — |
| paloalto | prisma_access | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
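Added example (not from the advisory or any vendor tool): a small triage script that applies the four version ranges in the table above to a firewall inventory. It assumes PAN-OS version strings of the form major.minor.maint with an optional -hN hotfix suffix, that a base release sorts below its own hotfixes, and that trains not listed in the table (for example 10.1) are unaffected, as the advisory states. Hostnames and exposure flags in the inventory are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected ranges exactly as given in the table above: for each release train,
# the first affected version and the version that carries the fix.
AFFECTED_RANGES: Dict[Tuple[int, int], Tuple[str, str]] = {
    (10, 2): ("10.2.0", "10.2.12-h2"),
    (11, 0): ("11.0.0", "11.0.6-h1"),
    (11, 1): ("11.1.0", "11.1.5-h1"),
    (11, 2): ("11.2.0", "11.2.4-h1"),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '10.2.12-h2' into (10, 2, 12, 2). A base release without a hotfix
    suffix is treated as hotfix 0, so 10.2.12 < 10.2.12-h1 < 10.2.12-h2 < 10.2.13."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def assess(version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, fixed_in). fixed_in is None when the release train is
    not one of the four the advisory lists as affected."""
    v = parse_version(version)
    rng = AFFECTED_RANGES.get((v[0], v[1]))
    if rng is None:
        return False, None
    first_affected, fixed_in = rng
    affected = parse_version(first_affected) <= v < parse_version(fixed_in)
    return affected, fixed_in


def triage(inventory: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Rank firewalls for patching: affected devices whose management interface is
    reachable from untrusted networks come first (the exposure CISA's required action
    says to remove), then other affected devices, then everything else."""
    rows = []
    for dev in inventory:
        affected, fixed_in = assess(str(dev["version"]))
        exposed = bool(dev.get("mgmt_exposed", False))
        if affected and exposed:
            priority = "P1 patch now and restrict management access"
        elif affected:
            priority = "P2 patch in next window"
        else:
            priority = "OK"
        rows.append({"host": dev["host"], "version": dev["version"],
                     "affected": affected, "fixed_in": fixed_in, "priority": priority})
    order = {"P1": 0, "P2": 1, "OK": 2}
    rows.sort(key=lambda r: order[str(r["priority"])[:2]])  # stable sort keeps input order within a tier
    return rows


# Constructed inventory (hostnames, versions and exposure flags are made up).
SAMPLE_INVENTORY = [
    {"host": "fw-branch-01", "version": "10.2.12", "mgmt_exposed": False},
    {"host": "fw-dc-edge", "version": "11.2.4", "mgmt_exposed": True},
    {"host": "fw-lab", "version": "11.1.5-h1", "mgmt_exposed": True},
    {"host": "fw-legacy", "version": "10.1.14-h8", "mgmt_exposed": False},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['host']:14} {row['version']:11} affected={row['affected']!s:5} "
              f"fixed_in={row['fixed_in']} {row['priority']}")
```

Note that 10.2.12 without a hotfix is still affected: only the -h2 hotfix (or a later maintenance release) carries the fix.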
Detection & IOCs (extracted from sources)
- Monitor for web shell files dropped under /var/appweb/htdocs/unauth/ with 4–6 random character filenames on PAN-OS devices, indicating post-exploitation activity.
- Alert on HTTP requests to the PAN-OS management web interface bearing the user-agent string 'Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv 11.0) like Gecko', which was observed during multiple actor exploit attempts.
- Hunt for interactive command execution and dropped malware (web shells, Sliver implants, crypto miners) on PAN-OS firewalls as post-exploitation indicators of CVE-2024-0012 chained with CVE-2024-9474.
- Scan for DaggerFly Linux implant activity embedding itself in crond, sshd, and netstat binaries on compromised PAN-OS hosts.
- Check for the PHP web shell POST parameter 'b' with value 'iUqPd' in web server logs on PAN-OS devices as a specific indicator of the observed web shell payload.
- A more complete and continuously updated list of attacker IP addresses is available at the Unit42-Timely-Threat-Intel GitHub repository for blocking and detection.
- Detect use of the Toshiba executable (toshdpdb.exe) and malicious DLL (toshdpapi.dll) via DLL sideloading to deploy the PlugX/Korplug backdoor in attacks attributed to Emperor Dragonfly exploiting CVE-2024-0012.
- CVE-2024-0012 only affects PAN-OS 10.2, 11.0, 11.1, and 11.2; Cloud NGFW and Prisma Access are not impacted.
- 7% of cloud environments with vulnerable PAN-OS appliances had the management interface internet-facing and exploitable to unauthenticated RCE; the remaining 93% required network access to the management interface.
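Added example (not from any of the sources quoted on this page): the request-level indicators in the list above and in the two Emerging Threats rules further down, applied as detection logic to a constructed JSON-lines request log and a constructed file listing. The record fields (src, method, uri, headers, body), the decoding of the POST body before matching, the /unauth/ web-root mapping and the short-filename regex are assumptions; the header, endpoint, user-agent and POST-parameter values are the ones on the page.

```python
import json
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs

# Indicators as given in the detection notes and the two Emerging Threats rules on this page.
ACTOR_USER_AGENT = "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv 11.0) like Gecko"
INJECTION_URI = "/php/utils/createRemoteAppwebSession.php/"
WEBSHELL_DIR = "/var/appweb/htdocs/unauth/"
# Same metacharacter class the ET rule (sid 2057706) looks for after "user=": ; \n & ` | $
_SHELL_META = re.compile(r"[;\n&`|$]")
# Heuristic for the dropped web shells: a 4-6 character alphanumeric name, extension optional
# (the page gives no extension; this regex is an assumption).
_SHORT_RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{4,6}(?:\.[A-Za-z0-9]+)?$")


def scan_request(rec: Dict) -> List[str]:
    """Return the names of every indicator that a single request record matches."""
    hits: List[str] = []
    headers = {k.lower(): str(v) for k, v in rec.get("headers", {}).items()}
    # ET sid 2057705: the auth-check header turned off (matched case-insensitively).
    if headers.get("x-pan-authcheck", "").strip().lower() == "off":
        hits.append("authcheck_header_off")
    if headers.get("user-agent") == ACTOR_USER_AGENT:
        hits.append("actor_user_agent")
    # Decode the body first so percent-encoded metacharacters (e.g. %3B) are seen too,
    # which a raw-content match like the Suricata rule would not catch.
    params = parse_qs(rec.get("body", ""), keep_blank_values=True)
    if rec.get("method") == "POST" and INJECTION_URI in rec.get("uri", ""):
        # ET sid 2057706: shell metacharacter inside the "user" parameter.
        if any(_SHELL_META.search(v) for v in params.get("user", [])):
            hits.append("createRemoteAppwebSession_user_injection")
    if "iUqPd" in params.get("b", []):
        hits.append("webshell_param_b")
    return hits


def scan_log(jsonl: str) -> List[Tuple[int, str, List[str]]]:
    """Scan a JSON-lines request log; return (line_no, source_ip, hits) for matching lines."""
    findings = []
    for line_no, line in enumerate(jsonl.splitlines(), start=1):
        if not line.strip():
            continue
        rec = json.loads(line)
        hits = scan_request(rec)
        if hits:
            findings.append((line_no, rec.get("src", "?"), hits))
    return findings


def suspicious_unauth_files(paths: List[str]) -> List[str]:
    """Flag files directly under the unauth web root whose names look like the dropped shells.
    Treat this as a hunting lead: confirm against a listing from a known-clean device."""
    flagged = []
    for path in paths:
        if not path.startswith(WEBSHELL_DIR):
            continue
        name = path[len(WEBSHELL_DIR):]
        if "/" not in name and _SHORT_RANDOM_NAME.match(name):
            flagged.append(path)
    return flagged


# Constructed sample input (not real traffic): one record per line, as a reverse proxy or
# full-packet-capture export might produce it. Only lines 2-4 carry indicators.
SAMPLE_REQUEST_LOG = """\
{"src":"203.0.113.10","method":"GET","uri":"/","headers":{"User-Agent":"Mozilla/5.0 (X11; Linux x86_64)"},"body":""}
{"src":"198.51.100.7","method":"GET","uri":"/","headers":{"X-PAN-AUTHCHECK":"off","User-Agent":"curl/8.4.0"},"body":""}
{"src":"198.51.100.7","method":"POST","uri":"/php/utils/createRemoteAppwebSession.php/","headers":{"User-Agent":"Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv 11.0) like Gecko"},"body":"user=admin%3Bx"}
{"src":"192.0.2.44","method":"POST","uri":"/unauth/Kf3zQ","headers":{"User-Agent":"python-requests/2.31"},"body":"b=iUqPd"}
{"src":"10.0.0.5","method":"POST","uri":"/php/utils/createRemoteAppwebSession.php/","headers":{"User-Agent":"Mozilla/5.0"},"body":"user=admin"}
"""

# Constructed file listing of the unauth web root on a device under investigation.
SAMPLE_UNAUTH_LISTING = [
    "/var/appweb/htdocs/unauth/Kf3zQ",
    "/var/appweb/htdocs/unauth/p7Xm.php",
    "/var/appweb/htdocs/unauth/js/app.js",
    "/var/appweb/htdocs/login.php",
]

if __name__ == "__main__":
    for line_no, src, hits in scan_log(SAMPLE_REQUEST_LOG):
        print(f"line {line_no} from {src}: {', '.join(hits)}")
    print("suspicious files:", suspicious_unauth_files(SAMPLE_UNAUTH_LISTING))
```

Line 5 shows why the body is parsed rather than pattern-matched: a legitimate POST to the same endpoint with a plain user value produces no hit.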
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v4.0: 9.3 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:H/U:Red
- VulnCheck: 9.3 CRITICAL
- CISA: 9.3 CRITICAL
CISA ICS
Siemens RUGGEDCOM APE1808
cisa_ics·2024-12-03·CVSS 9.3
[CRITICAL] Siemens RUGGEDCOM APE1808
ICS Advisory
Siemens RUGGEDCOM APE1808
Release Date: December 03, 2024
Alert Code: ICSA-24-338-02
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
## 1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: RUGGEDCOM APE1808
- Vulnerabilities: Missing Authentication for Critical Function, NULL Pointer Dereference, Improper Limitation of a Path
Palo Alto
PAN-SA-2024-0015 PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015)
vendor_paloalto·2024-11-18·CVSS 9.3
CVE-2024-9474 [CRITICAL] CWE-306 PAN-SA-2024-0015 PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015)
PAN-SA-2024-0015 PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015)
An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474 . The risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines . This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software on PA-Series, VM-Series, and CN-Seri
CISA
Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability
cisa·2024-11-18·CVSS 9.3
CVE-2024-0012 [CRITICAL] CWE-306 Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability
Vulnerability: Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability
Affected: Palo Alto Networks PAN-OS
Palo Alto Networks PAN-OS contains an authentication bypass vulnerability in the web-based management interface for several PAN-OS products, including firewalls and VPN concentrators.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. Additionally, management interface for affected devices should not be exposed to untrusted networks, including the internet.
Notes: https://security.paloaltonetworks.com/CVE-2024-0012 ; https://nvd.nist.gov/vuln/detail/CVE-2024-0012
Remediation Due Date: 2024-12-09
Palo Alto
PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015)
vendor_paloalto·CVSS 9.3
CVE-2024-0012 [CRITICAL] CWE-306 PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015)
PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015)
An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474 (https://security.paloaltonetworks.com/CVE-2024-9474).
The risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines (https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management
GHSA
GHSA-mw9x-2qwv-599p: An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface
ghsa_unreviewed·2024-11-18·CVSS 6.9
CVE-2024-0012 [MEDIUM] CWE-306 GHSA-mw9x-2qwv-599p: An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface
An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474 (https://security.paloaltonetworks.com/CVE-2024-9474).
The risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines (https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431).
This issue is applicable only to PAN-OS 10.2, PA
VulnCheck
Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability
vulncheck·2024·CVSS 9.3
CVE-2024-0012 [CRITICAL] CWE-306 Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability
Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability
Palo Alto Networks PAN-OS contains an authentication bypass vulnerability in the web-based management interface for several PAN-OS products, including firewalls and VPN concentrators.
Affected: Palo Alto Networks PAN-OS
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. Additionally, management interface for affected devices should not be exposed to untrusted networks, including the internet.
Known Ransomware Campaign Use: Known
Exploitation References: https://security.paloaltonetworks.com/CVE-2024-0012; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statist
VulnCheck
Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability
vulncheck·2024·CVSS 6.9
CVE-2024-9474 [MEDIUM] CWE-77 Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability
Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability
Palo Alto Networks PAN-OS contains an OS command injection vulnerability that allows for privilege escalation through the web-based management interface for several PAN products, including firewalls and VPN concentrators.
Affected: Palo Alto Networks PAN-OS
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. Additionally, the management interfaces for affected devices should not be exposed to untrusted networks, including the internet.
Known Ransomware Campaign Use: Known
Exploitation References: https://security.paloaltonetworks.com/CVE-2024-9474; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json;
Suricata
ET WEB_SPECIFIC_APPS Palo Alto PAN-OS Command Injection in User Parameter (CVE-2024-9474)
suricata·2024-11-19·CVSS 6.9
CVE-2024-9474 [MEDIUM] ET WEB_SPECIFIC_APPS Palo Alto PAN-OS Command Injection in User Parameter (CVE-2024-9474)
ET WEB_SPECIFIC_APPS Palo Alto PAN-OS Command Injection in User Parameter (CVE-2024-9474)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Palo Alto PAN-OS Command Injection in User Parameter (CVE-2024-9474)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/php/utils/createRemoteAppwebSession.php/"; fast_pattern; http.request_body; content:"user|3d|"; pcre:"/^.*?[\x3b\x0a\x26\x60\x7c\x24]/R"; reference:url,labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/; reference:cve,2024-9474; classtype:web-application-attack; sid:2057706; rev:1; metadata:affected_product Palo_Alto_Networks, attack_target Server, tls_state TLSDecrypt, created_at 2024_11_19, cve CVE_2024_9474, deployment Perimeter, deploymen
Suricata
ET WEB_SPECIFIC_APPS Palo Alto PAN-OS Authentication Bypass (CVE-2024-0012)
suricata·2024-11-19·CVSS 9.3
CVE-2024-0012 [CRITICAL] ET WEB_SPECIFIC_APPS Palo Alto PAN-OS Authentication Bypass (CVE-2024-0012)
ET WEB_SPECIFIC_APPS Palo Alto PAN-OS Authentication Bypass (CVE-2024-0012)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Palo Alto PAN-OS Authentication Bypass (CVE-2024-0012)"; flow:established,to_server; http.header; to_lowercase; content:"x-pan-authcheck|3a 20|off"; fast_pattern; reference:cve,2024-0012; classtype:attempted-admin; sid:2057705; rev:1; metadata:affected_product Palo_Alto_Networks, created_at 2024_11_19, cve CVE_2024_0012, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application
Suricata
GPL SNMP public access tcp
suricata·2010-09-23
CVE-1999-0517 GPL SNMP public access tcp
GPL SNMP public access tcp
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP public access tcp"; flow:established,to_server; content:"public"; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,7212; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101412; rev:15; metadata:created_at 2010_09_23, cve CVE_1999_0517, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
Metasploit
Palo Alto Networks PAN-OS Management Interface Unauthenticated Remote Code Execution
metasploit·CVSS 9.3
CVE-2024-0012 [CRITICAL] Palo Alto Networks PAN-OS Management Interface Unauthenticated Remote Code Execution
Palo Alto Networks PAN-OS Management Interface Unauthenticated Remote Code Execution
This module exploits an authentication bypass vulnerability (CVE-2024-0012) and a command injection vulnerability (CVE-2024-9474) in the PAN-OS management web interface. An unauthenticated attacker can execute arbitrary code with root privileges. The following versions are affected:
- PAN-OS 11.2 (up to and including 11.2.4-h1)
- PAN-OS 11.1 (up to and including 11.1.5-h1)
- PAN-OS 11.0 (up to and including 11.0.6-h1)
- PAN-OS 10.2 (up to and including 10.2.12-h2)
Nuclei
PAN-OS Management Web Interface - Authentication Bypass
nuclei·CVSS 9.3
CVE-2024-0012 [CRITICAL] PAN-OS Management Web Interface - Authentication Bypass
PAN-OS Management Web Interface - Authentication Bypass
An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities
Template:
```yaml
id: CVE-2024-0012

info:
  name: PAN-OS Management Web Interface - Authentication Bypass
  author: johnk3r,watchtowr
  severity: critical
  description: |
    An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or
```
Tenable
Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect
blogs_tenable·2026-05-27
CVE-2023-4966 Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect
## Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect
Tenable Research has developed a graph-based model linking 600+ threat groups to real-world customer exposures. It reveals which vulnerabilities sit at the intersection of severity, active exploit
Greynoiseio
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
blogs_greynoiseio·2026-02-02
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
Wiz
Cloud Attack Retrospective: Threats to Watch for in 2025 | Wiz Blog
blogs_wiz·2025-06-18·CVSS 9.3
[CRITICAL] Cloud Attack Retrospective: Threats to Watch for in 2025 | Wiz Blog
Cloud environments are growing more complex—but attackers aren’t necessarily getting more advanced. Instead, they’re applying creativity to familiar weaknesses: misconfigurations, unpatched systems, and credential misuse.
That’s the key theme in Wiz’s newly released Cloud Attack Retrospective: 8 Common Threats to Watch for in 2025, a data-driven analysis of real-world cloud attacks based on detections across thousands of environments. The report maps eight of the most frequently observed MITRE ATT&CK techniques to specific threat campaigns, CVEs, and persistent trends across the cloud ecosystem.
Here’s a preview of what stood out:
Following the disclosure of CVE-2024-0012 and CVE-2024-9474 in PAN-OS, Wiz observed attackers deploying web shells and Sliver implants just days after PoCs we
Wiz
Ivanti EPMM RCE Vulnerability Chain Exploited in the Wild | Wiz Blog
blogs_wiz·2025-05-20·CVSS 5.3
CVE-2025-4427 [MEDIUM] Ivanti EPMM RCE Vulnerability Chain Exploited in the Wild | Wiz Blog
Updated on 2025-05-21 at 10:00 (GMT+3) to clarify the relationship between the various IP addresses in the exploitation section, and at 20:00 (GMT+3) to describe additional exploitation methods observed in the wild.
Updated on 2025-05-23 at 20:00 (GMT+3) to fix a mistake in the opening paragraph; we previously stated that the vulnerabilities were published in March rather than May (as noted on NVD, the vulnerabilities were published on May 13th, 2025).
## Introduction
On May 13th, 2025, Ivanti disclosed that Endpoint Manager Mobile (EPMM) is affected by a vulnerability chain combining an authentication bypass (CVE-2025-4427) and a post-authentication remote code execution vulnerability (CVE-2025-4428). These flaws, which stem from unsafe use of Java Expression Language in error messages
Bleepingcomputer
Chinese espionage tools deployed in RA World ransomware attack
blogs_bleepingcomputer·2025-02-13
Chinese espionage tools deployed in RA World ransomware attack
## Chinese espionage tools deployed in RA World ransomware attack
## Bill Toulas
A China-based threat actor, tracked as Emperor Dragonfly and commonly associated with cybercriminal endeavors, has been observed using in a ransomware attack a toolset previously attributed to espionage actors.
The hackers deployed the RA World ransomware against an Asian software and services company and demanded an initial ransom payment of $2 million.
Researchers from Symantec’s Threat Hunter Team observed the activity in late 2024 and highlight a potential overlap between state-backed cyber espionage actors and financially motivated cybercrime groups.
“During the attack in late 2024, the attacker deployed a distinct toolset that had previously been used by a China-linked actor in classic espionage att
Wiz
Crying Out Cloud - December 2024 Newsletter | Wiz
blogs_wiz·2024-12-12·CVSS 9.3
CVE-2024-0012 [CRITICAL] Crying Out Cloud - December 2024 Newsletter | Wiz
Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities.
Here are our top picks!
🔍 Highlights
RCE Vulnerability in PAN-OS
Palo Alto Networks has confirmed the active exploitation of a critical remote code execution vulnerability chain (CVE-2024-0012, CVE-2024-9474) in the PAN-OS management interface. This vulnerability allows an unauthenticated attacker with network access to the management interface to bypass authentication, obtain administrator privileges, and perform administrative actions. Exploitation has been observed since November 17, 2024.
Learn more in our blog.
🐞 High Profile Vulnerabilities
Critical Vulnerability in Spring WebFlux
A critical vulnerability, CVE-2024-38821, was identifie
Wiz
Wiz Defend: Delivering Cloud-Native Security Operations | Wiz Blog
blogs_wiz·2024-12-05
Wiz Defend: Delivering Cloud-Native Security Operations | Wiz Blog
The need for security operations in the cloud is clear. Compared to traditional environments, cloud environments generate vast amounts of data that’s more accessible than ever before. With simple APIs and centrally managed configuration, SecOps teams operating in the cloud can have access to audit trail covering their entire environment in minutes. In theory, this visibility should give security operations teams (SecOps) an unparalleled ability to detect, investigate, and respond to threats in real-time.
But as any team operating in the cloud knows, this just isn’t the reality today. Huge volumes of data obscure meaningful signals in noise. Modern attackers can seamlessly move through the different layers of the cloud – exploiting vulnerabilities in runtime, gaining access to an identity,
Checkpoint
25th November – Threat Intelligence Report
blogs_checkpoint·2024-11-25
CVE-2024-0012 25th November – Threat Intelligence Report
## 25th November – Threat Intelligence Report
The Library of Congress, part of the US Capitol complex and home to the world’s largest media collection, was hacked by a foreign adversary, exposing email communications between Library staff and congressional offices from January to September 2024. The hack, described as sophisticated espionage, sought information on legislative inquiries but did not compromise House or Senate networks or the US Copyright Office.
Giant American gambling and lottery company, Internatio
Unit42
Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012 and CVE-2024-9474 (Updated Nov. 22)
blogs_unit42·2024-11-22·CVSS 9.3
CVE-2024-0012 [CRITICAL] Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012 and CVE-2024-9474 (Updated Nov. 22)
## Executive Summary
Palo Alto Networks and Unit 42 continue to track exploitation activity related to CVE-2024-0012 and CVE-2024-9474. We are working with external researchers, partners and customers to share information transparently and rapidly.
Fixes for both vulnerabilities are available. Please refer to the Palo Alto Networks Security Advisories (CVE-2024-0012, CVE-2024-9474) for additional details about recommended solutions and affected products.
An authentication bypass in Palo Alto Networks PAN-OS software (CVE-2024-0012) enables an unauthenticated attacker with network access to the management interface to gain PAN-OS administrator privileges. This could allow an adversary to perform administrative actions, tamper with the configuration or exploit other authenticated privileg
Wiz
Wiz observes CVE-2024-0012 and CVE-2024-9474 exploitation | Wiz Blog
blogs_wiz·2024-11-22·CVSS 9.3
CVE-2024-0012 [CRITICAL] Wiz observes CVE-2024-0012 and CVE-2024-9474 exploitation | Wiz Blog
Palo Alto Networks recently disclosed two critical vulnerabilities affecting PAN-OS that were suspected of being exploited in the wild as 0days, and they later confirmed their active exploitation: the first vulnerability is an authentication bypass (CVE-2024-0012) and the second is a privilege escalation vulnerability (CVE-2024-9474).
When chained together, these two vulnerabilities allow unauthenticated remote code execution (RCE) on the PAN-OS management interface. An attacker with network access to the interface can exploit CVE-2024-0012 to bypass authentication and then leverage CVE-2024-9474 to escalate privileges, ultimately gaining administrator access and performing arbitrary administrative actions. Exploitation has been observed in the wild by Palo Alto and other organizations tr
Bleepingcomputer
Over 2,000 Palo Alto firewalls hacked using recently patched bugs
blogs_bleepingcomputer·2024-11-21·CVSS 9.3
CVE-2024-0012 [CRITICAL] Over 2,000 Palo Alto firewalls hacked using recently patched bugs
## Over 2,000 Palo Alto firewalls hacked using recently patched bugs
## Sergiu Gatlan
Hackers have already compromised thousands of Palo Alto Networks firewalls in attacks exploiting two recently patched zero-day vulnerabilities.
The two security flaws are an authentication bypass (CVE-2024-0012) in the PAN-OS management web interface that remote attackers can exploit to gain administrator privileges and a PAN-OS privilege escalation (CVE-2024-9474) that helps them run commands on the firewall with root privileges.
While CVE-2024-9474 was disclosed this Monday, the company first warned customers on November 8 to restrict access to their next-generation firewalls because of a potential RCE flaw (which was tagged last Friday as CVE-2024-0012).
Palo Alto Networks is still investigat
Bleepingcomputer
CISA tags Progress Kemp LoadMaster flaw as exploited in attacks
blogs_bleepingcomputer·2024-11-19·CVSS 9.3
CVE-2024-1212 [CRITICAL] CISA tags Progress Kemp LoadMaster flaw as exploited in attacks
## CISA tags Progress Kemp LoadMaster flaw as exploited in attacks
## Bill Toulas
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added three new flaws in its Known Exploited Vulnerabilities (KEV) catalog, including a critical OS command injection impacting Progress Kemp LoadMaster.
The flaw, discovered by Rhino Security Labs and tracked as CVE-2024-1212, was addressed via an update released on February 21, 2024. However, this is the first report of it being under active exploitation in the wild.
“Progress Kemp LoadMaster contains an OS command injection vulnerability that allows an unauthenticated, remote attacker to access the system through the LoadMaster management interface, enabling arbitrary system command execution,” reads the flaw’s description.
CVE-2024-
Tenable
CVE-2024-0012, CVE-2024-9474: Zero-Day Vulnerabilities in Palo Alto PAN-OS Exploited In The Wild
blogs_tenable·2024-11-18·CVSS 9.3
[CRITICAL] CVE-2024-0012, CVE-2024-9474: Zero-Day Vulnerabilities in Palo Alto PAN-OS Exploited In The Wild
Bleepingcomputer
Palo Alto Networks patches two firewall zero-days used in attacks
blogs_bleepingcomputer·2024-11-18·CVSS 9.3
CVE-2024-0012 [CRITICAL] Palo Alto Networks patches two firewall zero-days used in attacks
## Sergiu Gatlan
Palo Alto Networks has finally released security updates for two actively exploited zero-day vulnerabilities in its Next-Generation Firewalls (NGFW).
The first flaw, tracked as CVE-2024-0012, is an authentication bypass found in the PAN-OS management web interface that remote attackers can exploit to gain administrator privileges without requiring authentication or user interaction.
The second one (CVE-2024-9474) is a PAN-OS privilege escalation security flaw that allows malicious PAN-OS administrators to perform actions on the firewall with root privileges.
While CVE-2024-9474 was disclosed today, the company first warned customers on November 8 to restrict access to their next-generation firewal
Bleepingcomputer
Palo Alto Networks warns of critical RCE zero-day exploited in attacks
blogs_bleepingcomputer·2024-11-15·CVSS 9.3
CVE-2024-0012 [CRITICAL] Palo Alto Networks warns of critical RCE zero-day exploited in attacks
## Bill Toulas
Palo Alto Networks is warning that a critical zero-day vulnerability on Next-Generation Firewalls (NGFW) management interfaces, currently tracked as 'PAN-SA-2024-0015,' is actively being exploited in attacks.
Update 11/18 - Palo Alto Networks released a new advisory about this issue and assigned it the identifier CVE-2024-0012.
The flaw was originally disclosed on November 8, 2024, with Palo Alto Networks warning customers to restrict access to their next-generation firewalls because of a "potential" remote code execution (RCE) vulnerability impacting them.
No signs of exploitation were detected at that time, but now, one week later, the situation has changed.
"Palo Alto Networks has observed thr
Greynoiseio
NoiseLetter November 2024
blogs_greynoiseio
References:
https://security.paloaltonetworks.com/CVE-2024-0012
https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/
https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-0012
Published: 2024-11-18
Added to CISA KEV: 2024-11-18
Exploited in the wild