
Thousands of Palo Alto Firewalls Hacked Through Recently Patched Vulnerabilities

Hackers have successfully breached thousands of Palo Alto Networks firewalls by exploiting two critical vulnerabilities recently addressed by the company.

The flaws are an authentication bypass (CVE-2024-0012) in the PAN-OS management web interface, which lets a remote attacker obtain administrator privileges, and a privilege escalation vulnerability (CVE-2024-9474) that allows commands to be executed on the firewall with root privileges.

CVE-2024-9474 was disclosed earlier this week, while Palo Alto Networks initially alerted users on November 8 about a potential remote code execution flaw, now identified as CVE-2024-0012. The company continues to investigate attacks leveraging these flaws and has confirmed instances of malware deployment and command execution on compromised firewalls.

"This original activity reported on Nov. 18, 2024 primarily originated from IP addresses known to proxy/tunnel traffic for anonymous VPN services," the company stated on Wednesday.

Unit 42, Palo Alto’s threat intelligence team, added, "At this time, Unit 42 assesses with moderate to high confidence that a functional exploit chaining CVE-2024-0012 and CVE-2024-9474 is publicly available, which will enable broader threat activity."

While Palo Alto claims the impact is limited to "a very small number" of PAN-OS devices, the Shadowserver Foundation reported over 2,700 vulnerable systems globally, with approximately 2,000 already compromised.

In response, the Cybersecurity and Infrastructure Security Agency (CISA) added these vulnerabilities to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to patch their systems by December 9.

Additionally, CISA flagged another severe vulnerability (CVE-2024-5910) in the Palo Alto Networks Expedition tool, exploited in November, as well as a previous critical flaw (CVE-2024-3400) impacting over 82,000 devices earlier this year.

Palo Alto Networks has urged customers to secure management interfaces:
"Risk of these issues are greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines," the company advised.
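As an added defender's check, not code from the article or from Palo Alto Networks: a short Python audit over an exported PAN-OS configuration that flags the two conditions the vendor's advice above targets, a management interface with no permitted-ip allow list (reachable from any source address) and plaintext management services left enabled. The sample XML is constructed and trimmed, and the element paths under deviceconfig/system are assumed to match the running-config export format.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a PAN-OS running-config export, trimmed to the parts
# the audit needs. The path devices/entry/deviceconfig/system is assumed to
# match the exported format; check it against a real export before relying on it.
SAMPLE_CONFIG = """<config version="10.2.0">
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <hostname>fw-edge-01</hostname>
          <service>
            <disable-telnet>yes</disable-telnet>
            <disable-http>no</disable-http>
          </service>
        </system>
      </deviceconfig>
    </entry>
  </devices>
</config>"""

SYSTEM_XPATH = "./devices/entry/deviceconfig/system"
CATCH_ALL = ("0.0.0.0/0", "::/0")


def audit_mgmt_interface(config_xml: str) -> list[str]:
    """Return findings about management-interface exposure in a PAN-OS config.

    Check 1: is there a permitted-ip allow list at all, and is it a real
    restriction rather than a catch-all range?
    Check 2: are plaintext services (HTTP, Telnet) still enabled on the
    management interface?
    """
    root = ET.fromstring(config_xml)
    findings = []
    for system in root.findall(SYSTEM_XPATH):
        host = system.findtext("hostname", default="(unknown)")
        permitted = [e.get("name") for e in system.findall("permitted-ip/entry")]
        if not permitted:
            findings.append(f"{host}: no permitted-ip entries; management web UI reachable from any source")
        elif any(p in CATCH_ALL for p in permitted):
            findings.append(f"{host}: permitted-ip contains a catch-all range")
        for svc in ("http", "telnet"):
            if system.findtext(f"service/disable-{svc}", default="no") != "yes":
                findings.append(f"{host}: plaintext {svc} still enabled on management interface")
    return findings
```

Run it against each firewall's exported configuration; an empty result means the management interface is limited to the listed ranges and plaintext services are off.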