It is estimated that a campaign abusing the recently revealed security flaws has compromised up to 2,000 Palo Alto Networks devices. The vulnerabilities in question combine a privilege escalation and an authentication bypass, which together could enable malicious actions by a bad actor. Additionally, the network security vendor has cautioned that once an exploit chaining the two vulnerabilities becomes available, cyberattacks targeting the security flaws are likely to intensify.
The vendor added that it has seen both automated and manual scanning activity, so users must secure access to the management interface in accordance with the recommended best-practice deployment guidelines and apply the most recent fixes as soon as possible. Because the Shadowserver Foundation only displays firewalls with management interfaces open to the internet, the true number of infected devices is lower than what it has reported. Exploitation attempts in the wild have "dramatically increased" since a legitimate proof-of-concept (PoC) exploit was made public on November 19, 2024, according to cloud security company Wiz.
Threat actors have been seen weaponizing the vulnerabilities to deploy Sliver implants, web shells, and cryptocurrency miners. The vendor stated that, in addition to helping impacted clients, most of its clients already adhere to industry best practices and secure their management interfaces. Additionally, it stated that less than 0.5% of its firewalls have an interface that is exposed to the internet.