The number of internet-exposed Palo Alto Networks firewalls has been dropping, but roughly 2,000 devices have already been compromised, according to the Shadowserver Foundation.

Palo Alto Networks learned about a potential PAN-OS zero-day in early November and confirmed in-the-wild exploitation of a new vulnerability on November 15. On November 18, the security firm announced the release of patches for impacted firewalls and clarified that two vulnerabilities have been exploited in malicious attacks.

One of them is CVE-2024-0012, a critical authentication bypass vulnerability that allows an unauthenticated attacker who has access to a firewall’s management interface to gain administrator privileges.

The second flaw, CVE-2024-9474, is a medium-severity issue that allows an attacker to gain root privileges on the firewall. CVE-2024-0012 and CVE-2024-9474 have been chained in attacks.

Updates for PAN-OS 11.2, 11.1, 11.0, 10.2 and 10.1 patch the vulnerabilities. PA, VM, and CN series firewalls are impacted, as well as Panorama (virtual and M series) products.

Ensuring that the firewall’s management interface is only accessible from trusted internal IPs significantly lowers the risk of exploitation.     

While the number of internet-exposed PAN-OS interfaces has decreased from 11,000 on November 10 to approximately 2,700 on November 20, the Shadowserver Foundation on Thursday reported seeing roughly 2,000 instances of compromised firewalls.

The non-profit cybersecurity organization said most of the hacked devices are located in the United States and India. 

SecurityWeek has reached out to Palo Alto Networks for comment on the data from Shadowserver, but has not heard back by the time of writing. 

Security operations company Arctic Wolf started seeing attacks against customer environments on November 19. 

“Upon successful exploitation, we have observed threat actors attempting to transfer tools into the environment and exfiltrate config files from the compromised devices,” the company said. 

WatchTowr has made public technical details and proof-of-concept (PoC) code, which Arctic Wolf believes will lead to more attacks. 

Palo Alto, which is tracking the initial zero-day exploitation as Operation Lunar Peek, has not shared any information on who was behind the attacks. It has, however, shared indicators of compromise (IoCs) to enable organizations to detect attacks.  

UPDATE: Palo Alto Networks has responded to SecurityWeek’s inquiry, saying that while it cannot provide the exact number of compromised firewalls, the company believes the actual number is smaller than what Shadowserver is reporting.

The company said a vast majority of customers follow industry best practices and secure their management interfaces, and only less than 0.5% of its firewalls have an internet-exposed interface.

Palo Alto also noted that it has observed threat activity on a limited number of firewall management interfaces and it has been providing assistance to impacted customers.   

Related: Oracle Patches Exploited Agile PLM Zero-Day

Related: Exploitation Attempts Target Citrix Session Recording Vulnerabilities

Related: CISA Warns of Progress Kemp LoadMaster Vulnerability Exploitation