CVE-2024-0012 (exploited in the wild)

Palo Alto PAN-OS, authentication bypass in management web interface

An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions.

Overview

CVE-2024-0012 is a critical authentication bypass vulnerability in Palo Alto Networks PAN-OS software affecting the management web interface. An unauthenticated attacker with network access to the management web UI can bypass authentication entirely and gain PAN-OS administrator privileges. This vulnerability was mass-exploited in the wild as part of a campaign named 'Operation Lunar Peek' in November 2024, often chained with CVE-2024-9474 to achieve pre-authentication root remote code execution on vulnerable firewalls.

Technical Details

The vulnerability exists in the Apache-based management web interface of PAN-OS. It involves a path traversal combined with an improper authentication check that allows an unauthenticated network attacker to bypass authentication mechanisms and directly access administrative endpoints.

When chained with CVE-2024-9474 (a privilege escalation vulnerability), attackers can escalate from administrator access to full root-level code execution on the firewall appliance. The attack chain requires only that the management interface be network-reachable from the attacker's position; no credentials or prior authentication are necessary.

The vulnerability affects the following PAN-OS versions:

  • PAN-OS 11.2 versions below 11.2.4-h1
  • PAN-OS 11.1 versions below 11.1.5-h1
  • PAN-OS 11.0 versions below 11.0.6-h1
  • PAN-OS 10.2 versions below 10.2.12-h2
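A defender triaging a fleet needs to compare each device's reported version against the fixed releases above, and the hotfix suffix (for example 10.2.12 versus 10.2.12-h2) is where hand comparison goes wrong. The following is an added example, not Palo Alto Networks' code: it parses a PAN-OS version string into a comparable tuple and checks it against the fixed versions listed in this advisory. It assumes versions have the shape MAJOR.MINOR.PATCH with an optional -hN hotfix suffix; release trains the advisory does not mention are reported as unknown rather than guessed.

```python
import re
from typing import Optional, Tuple

# Fixed versions per release train, taken from the advisory above. Any
# version on the same train that sorts below its entry is affected.
FIXED_VERSIONS = {
    (11, 2): "11.2.4-h1",
    (11, 1): "11.1.5-h1",
    (11, 0): "11.0.6-h1",
    (10, 2): "10.2.12-h2",
}

# Assumed version shape: MAJOR.MINOR.PATCH optionally followed by -hN.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '10.2.12-h2' into (10, 2, 12, 2); a missing hotfix counts as 0,
    so a base release sorts below every hotfix of the same patch level."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_affected(version: str) -> Optional[bool]:
    """True if the version is below the fix for its train, False if it is
    at or above the fix, None if the advisory lists no fix for that train
    (the caller must then consult the vendor rather than assume safety)."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


if __name__ == "__main__":
    for v in ["10.2.12", "10.2.12-h2", "11.2.4", "11.2.4-h1", "10.1.14"]:
        print(f"{v:12} affected={is_affected(v)}")
```

Note the deliberate `None` for unlisted trains: treating "not in the table" as "not affected" is the classic mistake in version-sweep scripts, and an unknown train should go to a human.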

Impact

The impact of this vulnerability is severe. Successful exploitation grants an unauthenticated attacker full administrative control over the PAN-OS device. When combined with CVE-2024-9474, attackers achieve root-level access, enabling them to:

  • Deploy webshells for persistent access
  • Modify firewall configurations
  • Intercept or manipulate network traffic
  • Pivot to internal networks
  • Exfiltrate sensitive data

Palo Alto Networks' Unit 42 threat intelligence team observed active exploitation beginning before public disclosure, with widespread webshell deployments on Internet-exposed management interfaces during mid-November 2024. CISA added both CVEs to the Known Exploited Vulnerabilities (KEV) catalog shortly after the advisory was published.

Mitigation

  • Patch immediately: Upgrade to PAN-OS versions 11.2.4-h1, 11.1.5-h1, 11.0.6-h1, 10.2.12-h2, or later
  • Restrict management interface access: Remove any Internet exposure of the management interface; restrict access to trusted internal networks only
  • Assume compromise: If the management interface was Internet-reachable prior to patching, assume the device may be compromised and conduct a full investigation

Detection

  • Conduct IOC sweeps for webshells and unauthorized configuration changes on PAN-OS devices
  • Review access logs for the management interface for anomalous or unauthorized access attempts
  • Monitor for unexpected administrative actions or new administrator accounts
  • Check for indicators published by Unit 42 related to Operation Lunar Peek
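The second and third detection items above amount to two rules that can be run over management-interface audit events: any access from a source outside the trusted management networks, and any creation of an administrator account that is not on the known roster. The following is an added example and not a Palo Alto Networks tool or log format; the key=value line format, the addresses, the user names and the action labels are all constructed for the example and are not published indicators.

```python
import ipaddress
from typing import Dict, List

# Trusted management networks (constructed; replace with your own ranges).
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.0.5.0/24")]
# Administrator accounts expected to exist on the device (constructed).
KNOWN_ADMINS = {"admin", "netops"}
# Actions treated as administrative changes (constructed labels).
ADMIN_ACTIONS = {"config-edit", "config-commit", "add-admin-user"}

# Constructed sample events in a simplified 'timestamp key=value ...' shape.
SAMPLE_LOG = """\
2024-11-18T03:12:44Z src=203.0.113.7 user=admin action=config-edit
2024-11-18T03:13:01Z src=203.0.113.7 user=admin action=add-admin-user target=svc_backup
2024-11-18T03:13:09Z src=203.0.113.7 user=admin action=config-commit
2024-11-18T09:00:00Z src=10.0.5.12 user=netops action=login
2024-11-18T09:05:31Z src=10.0.5.12 user=netops action=config-commit
"""


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed audit line into a dict of its fields."""
    ts, *fields = line.split()
    event = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def find_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Return every event that trips one of the two rules, with the reason
    attached, so an analyst can pivot from source address or account."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        src = ipaddress.ip_address(ev["src"])
        outside = not any(src in net for net in TRUSTED_MGMT_NETS)
        reasons = []
        if outside:
            kind = "administrative action" if ev.get("action") in ADMIN_ACTIONS else "access"
            reasons.append(f"{kind} from outside trusted management networks")
        if ev.get("action") == "add-admin-user" and ev.get("target") not in KNOWN_ADMINS:
            reasons.append(f"new administrator account {ev.get('target')!r}")
        if reasons:
            findings.append({**ev, "reason": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f["ts"], f["src"], f["user"], f["action"], "->", f["reason"])
```

The source-network rule is the important one for this CVE: because the bypass needs no credentials, the `user` field will read as a legitimate administrator, so a sweep keyed on account names alone misses the activity. Anchoring on where the session came from, and on accounts that appear without a change record, is what surfaces it.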