CVSS scored these two Palo Alto CVEs as manageable. Chained, they gave attackers root access to 13,000 devices.
More than 13,000 exposed Palo Alto Networks management interfaces were compromised by attackers in November 2024, giving them unauthenticated remote admin access and eventual root access. The attack, known as Operation Lunar Peek, was made possible by two vulnerabilities, CVE-2024-0012 and CVE-2024-9474, which were scored differently by Palo Alto Networks and the National Vulnerability Database (NVD). Palo Alto Networks scored CVE-2024-0012 at 9.3 and CVE-2024-9474 at 6.9 under CVSS v4.0, while the NVD scored the same pair 9.8 and 7.2 under CVSS v3.1.
The scoring of these vulnerabilities had real-world implications for the security of the affected devices. The 6.9 score from Palo Alto Networks was below the patch threshold for many organizations, so the vulnerability was not prioritized for patching. It was left unpatched on many devices, allowing the attackers to exploit it.
The attackers chained the two vulnerabilities together to gain remote admin access to the devices. The first vulnerability, CVE-2024-0012, allowed the attackers to gain initial access to the device, while the second, CVE-2024-9474, allowed them to escalate their privileges to root.
Organizations will now need to re-evaluate their patching priorities and ensure that all vulnerabilities are properly addressed. The fact that Palo Alto Networks and the NVD scored these vulnerabilities differently highlights the need for a standardized scoring system.
Vulnerability scoring systems are critical in helping organizations prioritize their patching efforts. The Common Vulnerability Scoring System (CVSS) is widely used, but as this incident shows, it is not perfect. The difference in scoring between Palo Alto Networks and the NVD highlights the need for a more standardized approach to vulnerability scoring.
Chaining vulnerabilities is a common tactic used by attackers to gain access to devices. By exploiting multiple vulnerabilities in a single attack, attackers can gain access to devices that would be difficult or impossible to compromise with a single vulnerability. This highlights the need for organizations to prioritize patching and ensure that all vulnerabilities are properly addressed.
The impact of the attack on the affected organizations is still being felt. Many organizations are still trying to recover from the attack and ensure that their devices are secure. The fact that the attack was made possible by two vulnerabilities that were scored differently by Palo Alto Networks and the NVD highlights the need for a more standardized approach to vulnerability scoring and patching.
The final takeaway from this incident is that organizations need to be more proactive in addressing vulnerabilities and ensuring that their devices are secure. This includes prioritizing patching efforts and ensuring that all vulnerabilities are properly addressed, regardless of their score. By doing so, organizations can reduce the risk of a successful attack and protect their devices and data.
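One way to encode that takeaway in triage, as an added example that is not from the article or from either scoring body: the scores are the ones quoted above, while the 7.0 cutoff, the chain list and all function names are assumptions made for illustration. It contrasts per-CVE triage on a single scoring source with triage that scores every CVE at the highest value, from any source, in its chain.

```python
from collections import defaultdict

# Scores quoted in the article; the chain link and threshold are assumptions.
FINDINGS = {
    "CVE-2024-0012": {"vendor_v4.0": 9.3, "nvd_v3.1": 9.8},
    "CVE-2024-9474": {"vendor_v4.0": 6.9, "nvd_v3.1": 7.2},
}
CHAINS = [("CVE-2024-0012", "CVE-2024-9474")]  # pairs known to be chained
PATCH_THRESHOLD = 7.0  # assumed policy cutoff, not stated in the article


def naive_queue(findings, source, threshold):
    """Per-CVE triage using a single scoring source."""
    return sorted(c for c, s in findings.items() if s[source] >= threshold)


def chain_groups(findings, chains):
    """Union-find over chain links so every CVE maps to its chain group."""
    parent = {c: c for c in findings}

    def find(c):
        while parent[c] != c:
            parent[c] = parent[parent[c]]  # path compression
            c = parent[c]
        return c

    for a, b in chains:
        parent[find(a)] = find(b)
    groups = defaultdict(set)
    for c in findings:
        groups[find(c)].add(c)
    return list(groups.values())


def chain_aware_queue(findings, chains, threshold):
    """Score each CVE as the highest score, from any source, in its chain."""
    queue = {}
    for group in chain_groups(findings, chains):
        effective = max(max(findings[c].values()) for c in group)
        if effective >= threshold:
            for c in group:
                queue[c] = effective
    return queue
```

With the vendor scores alone, CVE-2024-9474 falls out of the patch queue; the chain-aware pass pulls it back in at the score of its chain partner.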