Malicious hackers have compromised potentially thousands of organizations by exploiting two new zero-day vulnerabilities found in widely used software made by cybersecurity giant Palo Alto Networks.
Security researchers at Palo Alto Networks said Wednesday that they have observed a “limited set of exploitation activity” related to the two vulnerabilities in PAN-OS, the operating system that runs on all of Palo Alto’s next-generation firewalls. The bugs are considered zero-days because the company had no time to release patches before the bugs were exploited.
The company said it has observed exploitation of both bugs. The first, CVE-2024-0012, allows an attacker with network access to the management web interface to gain administrator privileges; the second, tracked as CVE-2024-9474, allows an attacker to perform actions on the compromised firewall with higher root privileges.
When these vulnerabilities are used together, an attacker can remotely plant malicious code on affected firewalls with the highest possible privileges, allowing for deeper access to a company’s network.
Palo Alto Networks says attackers are now using their own functional exploit chaining the two flaws together to target a “limited number of device management web interfaces” exposed to the internet.
According to the Shadowserver Foundation, a nonprofit organization that scans and monitors the internet for vulnerability exploitation, hackers have already compromised more than 2,000 affected Palo Alto Networks firewalls by leveraging the two recently patched flaws. The nonprofit found that the highest number of compromised devices were located in the United States, followed by India, with hackers also exploiting firewalls across the United Kingdom, Australia, and China.
Palo Alto Networks declined to confirm how many firewalls had been compromised when asked by TechCrunch.
U.S. cybersecurity company Arctic Wolf said this week that its researchers also observed hackers exploiting the two Palo Alto firewall vulnerabilities as early as November 19 to break into customer networks, following the release of a proof-of-concept exploit.
“Upon successful exploitation, we have observed threat actors attempting to transfer tools into the environment and ex …