CVE-2024-9474
Published 2024-11-18
Priority P1 · 93 · High · 7.2 (CVSS 3.1)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, due 2024-12-09
Exploited in the wild
EPSS: 94.77% (99.8th percentile)
A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges.
Cloud NGFW and Prisma Access are not impacted by this vulnerability.
Affected (49 ranges; partial listing)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| palo_alto_networks | pan-os | >= 10.1.0 < 10.1.14-h6 | 10.1.14-h6 |
| palo_alto_networks | pan-os | >= 10.2.0 < 10.2.12-h2 | 10.2.12-h2 |
| palo_alto_networks | pan-os | >= 11.0.0 < 11.0.6-h1 | 11.0.6-h1 |
| palo_alto_networks | pan-os | >= 11.1.0 < 11.1.5-h1 | 11.1.5-h1 |
| palo_alto_networks | pan-os | >= 11.2.0 < 11.2.4-h1 | 11.2.4-h1 |
| paloalto | cloud_ngfw | — | — |
| paloalto | cortex_xpanse | — | — |
| paloalto | cortex_xsiam | — | — |
| paloalto | globalprotect | — | — |
| paloalto | pan-os | — | — |
| paloalto | panorama | — | — |
| paloalto | prisma_access | — | — |
| paloaltonetworks | pan-os | — | — |
Detection & IOCs (extracted from sources)
- Monitor for PHP web shell activity on PAN-OS firewalls; the observed web shell accepts POST parameters 'b' (password check: 'iUqPd') and 'x' (command to execute via system()). Web shell payloads recovered from compromised firewalls were obfuscated.
- Alert on the User-Agent string 'Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv 11.0) like Gecko' in PAN-OS management web interface logs; it was observed during multiple actor exploit attempts for CVE-2024-0012/CVE-2024-9474.
- CVE-2024-9474 is chained with CVE-2024-0012 (auth bypass) and CVE-2025-0111 (file read) in active exploit chains targeting PAN-OS management web interfaces. Detect sequential exploitation of these three CVEs together.
- Post-exploitation activity includes interactive command execution, dropping web shells, open-source C2 tools (e.g., Sliver implants), and crypto miners on compromised PAN-OS firewalls.
- Wiz observed attackers deploying web shells and Sliver implants on vulnerable PAN-OS appliances just days after PoCs went public following the CVE-2024-0012 and CVE-2024-9474 disclosure.
- A complete and continuously updated list of attacker IP addresses observed scanning for or exploiting CVE-2024-0012 and CVE-2024-9474 is maintained in the Unit42-Timely-Threat-Intel GitHub repository.
- Cloud NGFW and Prisma Access are not affected by CVE-2024-9474; only on-premises PAN-OS deployments are impacted.
- Risk of exploitation is greatly reduced if the PAN-OS management web interface is restricted to trusted internal IP addresses only and not exposed to the internet.
- CVE-2024-9474 requires an authenticated PAN-OS administrator session (obtained e.g. via the CVE-2024-0012 auth bypass) to exploit; it is a privilege escalation, not a standalone unauthenticated RCE.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:H/U:Red |
| VulnCheck | — | 9.3 | CRITICAL | — |
| CISA | — | 6.9 | MEDIUM | — |
CISA ICS
Siemens RUGGEDCOM APE1808
cisa_ics·2024-12-03·CVSS 9.3
[CRITICAL] Siemens RUGGEDCOM APE1808
ICS Advisory
Siemens RUGGEDCOM APE1808
Release Date: December 03, 2024
Alert Code: ICSA-24-338-02
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
## 1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: RUGGEDCOM APE1808
- Vulnerabilities: Missing Authentication for Critical Function, NULL Pointer Dereference, Improper Limitation of a Path
CISA
Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability
cisa·2024-11-18·CVSS 6.9
CVE-2024-9474 [MEDIUM] CWE-77 Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability
Vulnerability: Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability
Affected: Palo Alto Networks PAN-OS
Palo Alto Networks PAN-OS contains an OS command injection vulnerability that allows for privilege escalation through the web-based management interface for several PAN products, including firewalls and VPN concentrators.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. Additionally, the management interfaces for affected devices should not be exposed to untrusted networks, including the internet.
Notes: https://security.paloaltonetworks.com/CVE-2024-9474 ; https://nvd.nist.gov/vuln/detail/CVE-2024-9474
Remediation Due Date: 2024-12-09
Palo Alto
PAN-SA-2024-0015 PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015)
vendor_paloalto·2024-11-18·CVSS 9.3
CVE-2024-9474 [CRITICAL] CWE-306 PAN-SA-2024-0015 PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015)
PAN-SA-2024-0015 PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015)
An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474. The risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines. This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software on PA-Series, VM-Series, and CN-Seri
Palo Alto
PAN-OS: Privilege Escalation (PE) Vulnerability in the Web Management Interface
vendor_paloalto·CVSS 6.9
CVE-2024-9474 [MEDIUM] CWE-78 PAN-OS: Privilege Escalation (PE) Vulnerability in the Web Management Interface
PAN-OS: Privilege Escalation (PE) Vulnerability in the Web Management Interface
A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges.
This issue is applicable to PAN-OS 10.1, PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software on PA-Series, VM-Series, and CN-Series firewalls and on Panorama (virtual and M-Series) and WildFire appliances.
Cloud NGFW and Prisma Access are not impacted by this vulnerability.
Affected products: Cloud NGFW, PAN-OS, Prisma Access
Solution: This issue is fixed in PAN-OS 10.1.14-h6, PAN-OS 10.2.12-h2, PAN-OS 11.0.6-h1, PAN-OS 11.1.5-h1, PAN-OS 11.2.4-h1, and all later PAN-OS versions.
In addition
Palo Alto
PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015)
vendor_paloalto·CVSS 9.3
CVE-2024-0012 [CRITICAL] CWE-306 PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015)
PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015)
An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474 (https://security.paloaltonetworks.com/CVE-2024-9474).
The risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines (https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management
GHSA
GHSA-mw9x-2qwv-599p: An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface
ghsa_unreviewed·2024-11-18·CVSS 6.9
CVE-2024-0012 [MEDIUM] CWE-306 GHSA-mw9x-2qwv-599p: An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface
An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474 (https://security.paloaltonetworks.com/CVE-2024-9474).
The risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines (https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431).
This issue is applicable only to PAN-OS 10.2, PA
GHSA
GHSA-cgvw-jh5j-mgq3: A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface t
ghsa_unreviewed·2024-11-18
CVE-2024-9474 [MEDIUM] CWE-78 GHSA-cgvw-jh5j-mgq3: A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface t
A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges.
Cloud NGFW and Prisma Access are not impacted by this vulnerability.
VulnCheck
Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability
vulncheck·2024·CVSS 9.3
CVE-2024-0012 [CRITICAL] CWE-306 Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability
Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability
Palo Alto Networks PAN-OS contains an authentication bypass vulnerability in the web-based management interface for several PAN-OS products, including firewalls and VPN concentrators.
Affected: Palo Alto Networks PAN-OS
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. Additionally, management interface for affected devices should not be exposed to untrusted networks, including the internet.
Known Ransomware Campaign Use: Known
Exploitation References: https://security.paloaltonetworks.com/CVE-2024-0012; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statist
VulnCheck
Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability
vulncheck·2024·CVSS 6.9
CVE-2024-9474 [MEDIUM] CWE-77 Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability
Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability
Palo Alto Networks PAN-OS contains an OS command injection vulnerability that allows for privilege escalation through the web-based management interface for several PAN products, including firewalls and VPN concentrators.
Affected: Palo Alto Networks PAN-OS
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. Additionally, the management interfaces for affected devices should not be exposed to untrusted networks, including the internet.
Known Ransomware Campaign Use: Known
Exploitation References: https://security.paloaltonetworks.com/CVE-2024-9474; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json;
Suricata
ET WEB_SPECIFIC_APPS Palo Alto PAN-OS Command Injection in User Parameter (CVE-2024-9474)
suricata·2024-11-19·CVSS 6.9
CVE-2024-9474 [MEDIUM] ET WEB_SPECIFIC_APPS Palo Alto PAN-OS Command Injection in User Parameter (CVE-2024-9474)
ET WEB_SPECIFIC_APPS Palo Alto PAN-OS Command Injection in User Parameter (CVE-2024-9474)
Rule:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Palo Alto PAN-OS Command Injection in User Parameter (CVE-2024-9474)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/php/utils/createRemoteAppwebSession.php/"; fast_pattern; http.request_body; content:"user|3d|"; pcre:"/^.*?[\x3b\x0a\x26\x60\x7c\x24]/R"; reference:url,labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/; reference:cve,2024-9474; classtype:web-application-attack; sid:2057706; rev:1; metadata:affected_product Palo_Alto_Networks, attack_target Server, tls_state TLSDecrypt, created_at 2024_11_19, cve CVE_2024_9474, deployment Perimeter, deploymen
```
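As an added example (not code from the page's sources or from Palo Alto Networks), the following Python ports the detection logic of the Suricata rule above and the User-Agent indicator from the Detection & IOCs list into a log-side check over constructed request records; it goes slightly beyond the rule by percent-decoding the `user` parameter before looking for shell metacharacters. The record field names (method, uri, user_agent, body) are an assumption about a normalised log shape.

```python
import re
from urllib.parse import parse_qs

# Request path named in the ET Suricata rule.
TARGET_URI = "/php/utils/createRemoteAppwebSession.php/"
# Same character class as the rule's pcre: ; newline & ` | $
SHELL_METACHARS = re.compile(r"[;\n&`|$]")
# User-Agent string reported during exploit attempts (Detection & IOCs list).
IOC_USER_AGENT = "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv 11.0) like Gecko"


def analyze_request(req):
    """Return detection tags for one request record; an empty list means clean.

    `req` is a dict with keys method, uri, user_agent, body (an assumed
    normalised shape; adapt the field names to your own log source).
    """
    tags = []
    if req.get("user_agent") == IOC_USER_AGENT:
        tags.append("ioc-user-agent")
    if req.get("method") == "POST" and TARGET_URI in req.get("uri", ""):
        # The Suricata rule scans the raw body after "user=". Here the body is
        # percent-decoded per parameter first, so encoded variants such as %3B
        # or %0A are caught as well. A literal '&' is the parameter separator
        # and therefore never appears inside a decoded value.
        params = parse_qs(req.get("body", ""), keep_blank_values=True)
        if any(SHELL_METACHARS.search(v) for v in params.get("user", [])):
            tags.append("cmdi-user-param")
    return tags


def scan(requests):
    """Return (index, tags) for every request that raised at least one tag."""
    return [(i, t) for i, r in enumerate(requests) if (t := analyze_request(r))]


# Constructed sample records, not real PAN-OS logs.
SAMPLE_REQUESTS = [
    {   # ordinary-looking request to the same endpoint: no metacharacters
        "method": "POST", "uri": TARGET_URI,
        "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/131.0",
        "body": "user=admin&userRole=superuser&remoteHost=10.0.0.5&vsys=vsys1",
    },
    {   # IOC user agent plus a ';' smuggled into the user parameter
        "method": "POST", "uri": TARGET_URI,
        "user_agent": IOC_USER_AGENT,
        "body": "user=admin%3Bid&userRole=superuser&remoteHost=10.0.0.5&vsys=vsys1",
    },
    {   # IOC user agent on an unrelated page: worth a look, no injection marker
        "method": "GET", "uri": "/php/login.php",
        "user_agent": IOC_USER_AGENT,
        "body": "",
    },
    {   # percent-encoded newline, a variant a raw-byte match does not decode
        "method": "POST", "uri": TARGET_URI,
        "user_agent": "curl/8.5.0",
        "body": "user=admin%0Auname&userRole=superuser",
    },
]

if __name__ == "__main__":
    for index, tags in scan(SAMPLE_REQUESTS):
        print(f"request #{index}: {', '.join(tags)}")
```

Records 1, 2 and 3 are flagged; record 0 is a clean request to the same endpoint and produces no tag.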
Metasploit
Palo Alto Networks PAN-OS Management Interface Unauthenticated Remote Code Execution
metasploit·CVSS 9.3
CVE-2024-0012 [CRITICAL] Palo Alto Networks PAN-OS Management Interface Unauthenticated Remote Code Execution
Palo Alto Networks PAN-OS Management Interface Unauthenticated Remote Code Execution
This module exploits an authentication bypass vulnerability (CVE-2024-0012) and a command injection vulnerability (CVE-2024-9474) in the PAN-OS management web interface. An unauthenticated attacker can execute arbitrary code with root privileges. The following versions are affected:
- PAN-OS 11.2 (up to and including 11.2.4-h1)
- PAN-OS 11.1 (up to and including 11.1.5-h1)
- PAN-OS 11.0 (up to and including 11.0.6-h1)
- PAN-OS 10.2 (up to and including 10.2.12-h2)
Nuclei
PAN-OS Management Web Interface - Command Injection
nuclei·CVSS 6.9
CVE-2024-9474 [MEDIUM] PAN-OS Management Web Interface - Command Injection
PAN-OS Management Web Interface - Command Injection
A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges.
Cloud NGFW and Prisma Access are not impacted by this vulnerability.
Template:
```yaml
id: CVE-2024-9474
info:
  name: PAN-OS Management Web Interface - Command Injection
  author: watchTowr,iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges.
    Cloud NGFW and Prisma Access are not impacted by this vulnerability.
  impact: |
    Authenticate
```
Nuclei
PAN-OS Management Web Interface - Authentication Bypass
nuclei·CVSS 9.3
CVE-2024-0012 [CRITICAL] PAN-OS Management Web Interface - Authentication Bypass
PAN-OS Management Web Interface - Authentication Bypass
An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities
Template:
```yaml
id: CVE-2024-0012
info:
  name: PAN-OS Management Web Interface - Authentication Bypass
  author: johnk3r,watchtowr
  severity: critical
  description: |
    An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or
```
Greynoiseio
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
blogs_greynoiseio·2026-02-02
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
Bleepingcomputer
Palo Alto Networks warns of DoS bug letting hackers disable firewalls
blogs_bleepingcomputer·2026-01-15·CVSS 6.6
CVE-2026-0227 [MEDIUM] Palo Alto Networks warns of DoS bug letting hackers disable firewalls
## Palo Alto Networks warns of DoS bug letting hackers disable firewalls
## Sergiu Gatlan
Palo Alto Networks patched a high-severity vulnerability that could allow unauthenticated attackers to disable firewall protections in denial-of-service (DoS) attacks.
Tracked as CVE-2026-0227, this security flaw affects next-generation firewalls (running PAN-OS 10.1 or later) and Palo Alto Networks' Prisma Access configurations when the GlobalProtect gateway or portal is enabled.
The cybersecurity company says that most cloud-based Prisma Access instances have already been patched, with those left to be secured already scheduled for an upgrade.
"A vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to cause a denial of service (DoS) to the firewall. Repeated a
Bleepingcomputer
GlobalProtect VPN portals probed with 2.3 million scan sessions
blogs_bleepingcomputer·2025-11-20
GlobalProtect VPN portals probed with 2.3 million scan sessions
## GlobalProtect VPN portals probed with 2.3 million scan sessions
## Bill Toulas
Malicious scanning activity targeting Palo Alto Networks GlobalProtect VPN login portals has increased 40 times in 24 hours, indicating a coordinated campaign.
Real-time intelligence company GreyNoise reports that activity began climbing on November 14 and hit its highest level in 90 days within a week.
"GreyNoise has identified a significant escalation in malicious activity targeting Palo Alto Networks GlobalProtect portals," reads the bulletin.
"Beginning on 14 November 2025, activity rapidly intensified, culminating in a 40x surge within 24 hours, marking a new 90-day high."
In early October, GreyNoise reported a 500% increase in IP addresses scanning Palo Alto Networks GlobalProtect and PAN-OS prof
Wiz
Cloud Attack Retrospective: Threats to Watch for in 2025 | Wiz Blog
blogs_wiz·2025-06-18·CVSS 9.3
[CRITICAL] Cloud Attack Retrospective: Threats to Watch for in 2025 | Wiz Blog
Cloud environments are growing more complex—but attackers aren’t necessarily getting more advanced. Instead, they’re applying creativity to familiar weaknesses: misconfigurations, unpatched systems, and credential misuse.
That’s the key theme in Wiz’s newly released Cloud Attack Retrospective: 8 Common Threats to Watch for in 2025, a data-driven analysis of real-world cloud attacks based on detections across thousands of environments. The report maps eight of the most frequently observed MITRE ATT&CK techniques to specific threat campaigns, CVEs, and persistent trends across the cloud ecosystem.
Here’s a preview of what stood out:
Following the disclosure of CVE-2024-0012 and CVE-2024-9474 in PAN-OS, Wiz observed attackers deploying web shells and Sliver implants just days after PoCs we
Wiz
Ivanti EPMM RCE Vulnerability Chain Exploited in the Wild | Wiz Blog
blogs_wiz·2025-05-20·CVSS 5.3
CVE-2025-4427 [MEDIUM] Ivanti EPMM RCE Vulnerability Chain Exploited in the Wild | Wiz Blog
Updated on 2025-05-21 at 10:00 (GMT+3) to clarify the relationship between the various IP addresses in the exploitation section, and at 20:00 (GMT+3) to describe additional exploitation methods observed in the wild.
Updated on 2025-05-23 at 20:00 (GMT+3) to fix a mistake in the opening paragraph; we previously stated that the vulnerabilities were published in March rather than May (as noted on NVD, the vulnerabilities were published on May 13th, 2025).
## Introduction
On May 13th, 2025, Ivanti disclosed that Endpoint Manager Mobile (EPMM) is affected by a vulnerability chain combining an authentication bypass (CVE-2025-4427) and a post-authentication remote code execution vulnerability (CVE-2025-4428). These flaws, which stem from unsafe use of Java Expression Language in error messages
Wiz
Crying Out Cloud Newsletter - March 2025 | Wiz
blogs_wiz·2025-03-01·CVSS 9.8
CVE-2025-0108 [CRITICAL] Crying Out Cloud Newsletter - March 2025 | Wiz
Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's dive in.
Here are our top picks of cloud security highlights!
Hype or no hype – Authentication Bypass Vulnerability in PAN-OS Exploited in-the-Wild
Attackers are actively exploiting CVE-2025-0108, a high-severity authentication bypass vulnerability in Palo Alto Networks PAN-OS firewalls. The flaw allows unauthenticated attackers with network access to invoke PHP scripts and potentially compromise firewall integrity and confidentiality. Researchers at Assetnote disclosed exploitation details, and active attacks have been observed since February 13, 2025.
At first, the value of this vulnerability for attackers was slightly unclear, since it “
Bleepingcomputer
CISA flags Craft CMS code injection flaw as exploited in attacks
blogs_bleepingcomputer·2025-02-21·CVSS 6.9
CVE-2025-23209 [MEDIUM] CISA flags Craft CMS code injection flaw as exploited in attacks
## CISA flags Craft CMS code injection flaw as exploited in attacks
## Bill Toulas
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) warns that a Craft CMS remote code execution flaw is being exploited in attacks.
The flaw is tracked as CVE-2025-23209 and is a high severity (CVSS v3 score: 8.0) code injection (RCE) vulnerability impacting Craft CMS versions 4 and 5.
Craft CMS is a content management system (CMS) used for building websites and custom digital experiences.
Not many technical details about CVE-2025-23209 are available, but exploitation isn't easy, as it requires the installation's security key to have already been compromised.
In Craft CMS, the security key is a cryptographic key that secures user authentication tokens, session cookies, database values, and
Bleepingcomputer
Palo Alto Networks tags new firewall bug as exploited in attacks
blogs_bleepingcomputer·2025-02-19·CVSS 6.9
CVE-2025-0111 [MEDIUM] Palo Alto Networks tags new firewall bug as exploited in attacks
## Palo Alto Networks tags new firewall bug as exploited in attacks
## Bill Toulas
Palo Alto Networks warns that a file read vulnerability (CVE-2025-0111) is now being chained in attacks with two other flaws (CVE-2025-0108 with CVE-2024-9474) to breach PAN-OS firewalls in active attacks.
The vendor first disclosed the authentication bypass vulnerability tracked as CVE-2025-0108 on February 12, 2025, releasing patches to fix the vulnerability. That same day, Assetnote researchers published a proof-of-concept exploit demonstrating how CVE-2025-0108 and CVE-2024-9474 could be chained together to gain root privileges on unpatched PAN-OS firewalls.
A day later, network threat intel firm GreyNoise reported that threat actors had begun actively exploiting the flaws, with attempts coming from
Bleepingcomputer
Hackers exploit authentication bypass in Palo Alto Networks PAN-OS
blogs_bleepingcomputer·2025-02-14·CVSS 8.8
CVE-2025-0108 [HIGH] Hackers exploit authentication bypass in Palo Alto Networks PAN-OS
## Hackers exploit authentication bypass in Palo Alto Networks PAN-OS
## Bill Toulas
Hackers are launching attacks against Palo Alto Networks PAN-OS firewalls by exploiting a recently fixed vulnerability (CVE-2025-0108) that allows bypassing authentication.
The security issue received a high-severity score and impacts the PAN-OS management web interface and allows an unauthenticated attacker on the network to bypass authentication and invoke certain PHP scripts, potentially compromising integrity and confidentiality.
In a security bulletin on February 12, Palo Alto Networks urges admins to upgrade firewalls to the versions below to address the issue:
- 11.2.4-h4 or later
- 11.1.6-h1 or later
- 10.2.13-h3 or later
- 10.1.14-h9 or later
PAN-OS 11.0 is also impacted but the product reached t
Wiz
Crying Out Cloud - December 2024 Newsletter | Wiz
blogs_wiz·2024-12-12·CVSS 9.3
CVE-2024-0012 [CRITICAL] Crying Out Cloud - December 2024 Newsletter | Wiz
Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities.
Here are our top picks!
🔍 Highlights
RCE Vulnerability in PAN-OS
Palo Alto Networks has confirmed the active exploitation of a critical remote code execution vulnerability chain (CVE-2024-0012, CVE-2024-9474) in the PAN-OS management interface. This vulnerability allows an unauthenticated attacker with network access to the management interface to bypass authentication, obtain administrator privileges, and perform administrative actions. Exploitation has been observed since November 17, 2024.
Learn more in our blog.
🐞 High Profile Vulnerabilities
Critical Vulnerability in Spring WebFlux
A critical vulnerability, CVE-2024-38821, was identifie
Wiz
Wiz Defend: Delivering Cloud-Native Security Operations | Wiz Blog
blogs_wiz·2024-12-05
Wiz Defend: Delivering Cloud-Native Security Operations | Wiz Blog
The need for security operations in the cloud is clear. Compared to traditional environments, cloud environments generate vast amounts of data that’s more accessible than ever before. With simple APIs and centrally managed configuration, SecOps teams operating in the cloud can have access to audit trail covering their entire environment in minutes. In theory, this visibility should give security operations teams (SecOps) an unparalleled ability to detect, investigate, and respond to threats in real-time.
But as any team operating in the cloud knows, this just isn’t the reality today. Huge volumes of data obscure meaningful signals in noise. Modern attackers can seamlessly move through the different layers of the cloud – exploiting vulnerabilities in runtime, gaining access to an identity,
Checkpoint
25th November – Threat Intelligence Report
blogs_checkpoint·2024-11-25
CVE-2024-0012 25th November – Threat Intelligence Report
## 25th November – Threat Intelligence Report
The Library of Congress, part of the US Capitol complex and home to the world’s largest media collection, was hacked by a foreign adversary, exposing email communications between Library staff and congressional offices from January to September 2024. The hack, described as sophisticated espionage, sought information on legislative inquiries but did not compromise House or Senate networks or the US Copyright Office.
Giant American gambling and lottery company, Internatio
Unit42
Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012 and CVE-2024-9474 (Updated Nov. 22)
blogs_unit42·2024-11-22·CVSS 9.3
CVE-2024-0012 [CRITICAL] Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012 and CVE-2024-9474 (Updated Nov. 22)
## Executive Summary
Palo Alto Networks and Unit 42 continue to track exploitation activity related to CVE-2024-0012 and CVE-2024-9474. We are working with external researchers, partners and customers to share information transparently and rapidly.
Fixes for both vulnerabilities are available. Please refer to the Palo Alto Networks Security Advisories (CVE-2024-0012, CVE-2024-9474) for additional details about recommended solutions and affected products.
An authentication bypass in Palo Alto Networks PAN-OS software (CVE-2024-0012) enables an unauthenticated attacker with network access to the management interface to gain PAN-OS administrator privileges. This could allow an adversary to perform administrative actions, tamper with the configuration or exploit other authenticated privileg
Wiz
Wiz observes CVE-2024-0012 and CVE-2024-9474 exploitation | Wiz Blog
blogs_wiz·2024-11-22·CVSS 9.3
CVE-2024-0012 [CRITICAL] Wiz observes CVE-2024-0012 and CVE-2024-9474 exploitation | Wiz Blog
Palo Alto Networks recently disclosed two critical vulnerabilities affecting PAN-OS that were suspected of being exploited in the wild as 0days, and they later confirmed their active exploitation: the first vulnerability is an authentication bypass (CVE-2024-0012) and the second is a privilege escalation vulnerability (CVE-2024-9474).
When chained together, these two vulnerabilities allow unauthenticated remote code execution (RCE) on the PAN-OS management interface. An attacker with network access to the interface can exploit CVE-2024-0012 to bypass authentication and then leverage CVE-2024-9474 to escalate privileges, ultimately gaining administrator access and performing arbitrary administrative actions. Exploitation has been observed in the wild by Palo Alto and other organizations tr
Unit42
Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012 and CVE-2024-9474 (Updated Nov. 22)
blogs_unit42·2024-11-22·CVSS 9.3
CVE-2024-0012 [CRITICAL] Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012 and CVE-2024-9474 (Updated Nov. 22)
## Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012 and CVE-2024-9474 (Updated Nov. 22)
Unit 42
Published: November 22, 2024
High Profile Threats
Vulnerabilities
CVE-2024-0012
CVE-2024-9474
Operation Lunar Peek
PAN-OS
## Executive Summary
Palo Alto Networks and Unit 42 continue to track exploitation activity related to CVE-2024-0012 and CVE-2024-9474. We are working with external researchers, partners and customers to share information transparently and rapidly.
Fixes for both vulnerabilities are available. Please refer to the Palo Alto Networks Security Advisories (CVE-2024-0012, CVE-2024-9474) for additional details about recommended solutions and affected products.
An authentication bypass in Palo Alto Networks PAN-OS software (CVE-2024-0012) en
Bleepingcomputer
Over 2,000 Palo Alto firewalls hacked using recently patched bugs
blogs_bleepingcomputer·2024-11-21·CVSS 9.3
CVE-2024-0012 [CRITICAL] Over 2,000 Palo Alto firewalls hacked using recently patched bugs
## Over 2,000 Palo Alto firewalls hacked using recently patched bugs
## Sergiu Gatlan
Hackers have already compromised thousands of Palo Alto Networks firewalls in attacks exploiting two recently patched zero-day vulnerabilities.
The two security flaws are an authentication bypass (CVE-2024-0012) in the PAN-OS management web interface that remote attackers can exploit to gain administrator privileges and a PAN-OS privilege escalation (CVE-2024-9474) that helps them run commands on the firewall with root privileges.
While CVE-2024-9474 was disclosed this Monday, the company first warned customers on November 8 to restrict access to their next-generation firewalls because of a potential RCE flaw (which was tagged last Friday as CVE-2024-0012).
Palo Alto Networks is still investigat
Bleepingcomputer
CISA tags Progress Kemp LoadMaster flaw as exploited in attacks
blogs_bleepingcomputer·2024-11-19·CVSS 9.3
CVE-2024-1212 [CRITICAL] CISA tags Progress Kemp LoadMaster flaw as exploited in attacks
## CISA tags Progress Kemp LoadMaster flaw as exploited in attacks
## Bill Toulas
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added three new flaws in its Known Exploited Vulnerabilities (KEV) catalog, including a critical OS command injection impacting Progress Kemp LoadMaster.
The flaw, discovered by Rhino Security Labs and tracked as CVE-2024-1212, was addressed via an update released on February 21, 2024. However, this is the first report of it being under active exploitation in the wild.
“Progress Kemp LoadMaster contains an OS command injection vulnerability that allows an unauthenticated, remote attacker to access the system through the LoadMaster management interface, enabling arbitrary system command execution,” reads the flaw’s description.
CVE-2024-
Tenable
CVE-2024-0012, CVE-2024-9474: Zero-Day Vulnerabilities in Palo Alto PAN-OS Exploited In The Wild
blogs_tenable·2024-11-18·CVSS 9.3
[CRITICAL] CVE-2024-0012, CVE-2024-9474: Zero-Day Vulnerabilities in Palo Alto PAN-OS Exploited In The Wild
Bleepingcomputer
Palo Alto Networks patches two firewall zero-days used in attacks
blogs_bleepingcomputer·2024-11-18·CVSS 9.3
CVE-2024-0012 [CRITICAL] Palo Alto Networks patches two firewall zero-days used in attacks
## Palo Alto Networks patches two firewall zero-days used in attacks
## Sergiu Gatlan
Palo Alto Networks has finally released security updates for two actively exploited zero-day vulnerabilities in its Next-Generation Firewalls (NGFW).
The first flaw, tracked as CVE-2024-0012, is an authentication bypass found in the PAN-OS management web interface that remote attackers can exploit to gain administrator privileges without requiring authentication or user interaction.
The second one (CVE-2024-9474) is a PAN-OS privilege escalation security flaw that allows malicious PAN-OS administrators to perform actions on the firewall with root privileges.
While CVE-2024-9474 was disclosed today, the company first warned customers on November 8 to restrict access to their next-generation firewal
Greynoiseio
NoiseLetter November 2024
blogs_greynoiseio
NoiseLetter November 2024
References:
- https://security.paloaltonetworks.com/CVE-2024-9474
- https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/
- https://github.com/k4nfr3/CVE-2024-9474
- https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-9474
Published: 2024-11-18
Added to CISA KEV: 2024-11-18
Exploited in the wild