Palo Alto Networks on Monday released patches and assigned CVE identifiers for the firewall zero-days that have been exploited in what the company is tracking as Operation Lunar Peek.

The security firm reported learning about a potential zero-day in early November — possibly after seeing a sales offer on a cybercrime forum — and confirmed in-the-wild exploitation of a new vulnerability on November 15. 

On Monday, the cybersecurity giant informed customers that two PAN-OS vulnerabilities have been exploited in these attacks, which targeted “a limited number of management web interfaces that are exposed to internet traffic coming from outside the network”.

One of the zero-days is CVE-2024-0012, a critical authentication bypass flaw that allows an unauthenticated attacker who has access to the PAN-OS management interface to gain admin privileges.

An attacker can “perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474”.

CVE-2024-9474 is the second zero-day apparently spotted in the same attacks. This security hole has been described as a medium-severity privilege escalation issue that allows an attacker who has admin permissions to gain root privileges on the firewall.

The vulnerabilities have been patched with the release of updates for PAN-OS 11.2, 11.1, 11.0, 10.2 and 10.1. Ensuring that the firewall’s management interface is only accessible from trusted internal IP addresses significantly lowers the risk of exploitation. 

The Shadowserver Foundation on Monday reported seeing over 6,600 IPs associated with internet-exposed PAN-OS interfaces, down from 11,000 IPs one week ago. 

Palo Alto is tracking the activity as Operation Lunar Peek, but it has not shared any information on the threat actor behind the attacks. It has, however, shared indicators of compromise (IoCs), including IP addresses and a hash associated with a PHP webshell payload dropped on hacked firewalls.

“This activity has primarily originated from IP addresses known to proxy/tunnel traffic for anonymous VPN services,” the cybersecurity firm noted.

The cybersecurity agency CISA has added CVE-2024-0012 and CVE-2024-9474 to its Known Exploited Vulnerabilities (KEV) catalog, urging government organizations to address the flaws by December 9.

Related: Thousands of Palo Alto Firewalls Potentially Impacted by Exploited Vulnerability

Related: State-Sponsored Hackers Exploit Zero-Day to Backdoor Palo Alto Networks Firewalls

Related: Palo Alto Networks Patches Unauthenticated Command Execution Flaw in Cortex XSOAR