Critical zero-day in PAN-OS: Attacks on internet-exposed firewalls
Palo Alto Networks has detected ongoing attacks exploiting a critical zero-day vulnerability in the PAN-OS User-ID Authentication Portal, also known as Captive Portal. This feature, which authenticates users that User-ID cannot map automatically, contains a buffer overflow that allows unauthenticated attackers to run arbitrary code with root privileges on internet-exposed PA-Series and VM-Series firewalls.
Quick Summary
- The vulnerability is a critical zero-day flaw in the PAN-OS User-ID Authentication Portal
- It allows arbitrary code execution with root privileges on exposed firewalls
- At least 5,800 VM-Series firewalls are currently internet-exposed
- Most vulnerable devices are located in Asia and North America
- Palo Alto Networks recommends limiting access to the portal or disabling it
Technical details of the vulnerability
The flaw, rated at the highest severity level, is caused by a buffer overflow that can be triggered by sending specially crafted packets. Shadowserver is tracking over 5,800 internet-exposed VM-Series firewalls, with the highest concentrations in Asia (2,466) and North America (1,998).
Immediate mitigation measures
Until a patch is available, Palo Alto Networks strongly advises protecting the User-ID Authentication Portal by limiting access to trusted zones only, or by disabling the portal where possible. Administrators can quickly check whether their firewalls use the vulnerable service on the User-ID Authentication Portal Settings page, reached via Device > User Identification > Authentication Portal Settings.
PAN-OS vulnerability history
PAN-OS firewalls have frequently been targeted by attacks exploiting zero-days. Just in the past year, several serious incidents have been reported: in November 2024, Shadowserver revealed that thousands of firewalls had been compromised by exploiting two chained zero-days, despite Palo Alto Networks downplaying the impact. In December, a DoS vulnerability was discovered that forced firewalls to reboot, disabling protections. In February, attacks emerged that exploited three additional vulnerabilities to compromise firewalls with internet-exposed management interfaces.
Implications for corporate security
With over 70,000 customers worldwide, including 90% of Fortune 10 companies and most major U.S. banks, the vulnerability represents a significant risk to the security of critical infrastructure. Organizations using PA-Series or VM-Series firewalls must act immediately to assess their exposure and implement the recommended mitigation measures.
Future perspectives and best practices
Attacks exploiting zero-day vulnerabilities in firewalls are expected to increase. It is essential to adopt a layered security strategy that includes: continuous threat monitoring, implementation of firewall configuration best practices, isolation of management interfaces, and planning for rapid updates when patches become available. Organizations should also consider implementing intrusion detection and response solutions to quickly identify and respond to any attacks.
Additional resources
For more technical information about the vulnerability and detailed instructions for configuring the User-ID Authentication Portal, administrators can consult the official Palo Alto Networks documentation. Additionally, the security bulletin provides regular updates on the status of the vulnerability and mitigation measures.
Analysis of the geographic distribution of vulnerabilities
The geographic concentration of exposed vulnerabilities reveals interesting patterns. Asia, with 2,466 vulnerable firewalls, represents 42% of the total monitored by Shadowserver. This data suggests that many Asian organizations may not have fully implemented the recommended security best practices. North America follows with 1,998 exposed devices, accounting for 34% of the total. In Europe, where cybersecurity awareness is generally higher, only 856 vulnerable firewalls are recorded, representing 15%. These data indicate that mitigation strategies may have been adopted more quickly in this region.
Economic impact of zero-day vulnerabilities
Zero-day vulnerabilities like this can have significant economic repercussions. According to a recent study by the Ponemon Institute, attacks exploiting zero-days can cost organizations up to $4.5 million per incident, including direct costs such as data recovery and indirect costs such as reputational loss. For large banks and Fortune 10 companies using PAN-OS firewalls, the risk is even greater. A single successful attack could compromise sensitive data, disrupt critical services, and lead to regulatory penalties. Additionally, the need to implement temporary security solutions and continuously monitor infrastructures can generate additional operating costs.
Evolution of attacks on PAN-OS firewalls
Analysis of recent attacks on PAN-OS firewalls reveals a concerning evolution in attackers' techniques. In November 2024, attackers exploited two chained zero-days, demonstrating an advanced ability to combine vulnerabilities to maximize impact. In December, the DoS attack that forced firewalls to reboot showed a more destructive approach, aimed at disabling security protections. In February, the use of three different vulnerabilities to compromise management interfaces indicated a further increase in sophistication. This trend suggests that attackers are developing increasingly advanced capabilities to exploit PAN-OS firewall weaknesses, making it essential for organizations to adopt a multi-layered defense strategy.
Advanced defense strategies
In addition to immediate mitigation measures, organizations should consider implementing advanced defense strategies. Adopting a "Zero Trust" approach can help reduce the risk of attacks by continuously verifying user identities and device security status. Implementing network segmentation can limit the spread of attacks within the network. Additionally, deploying intrusion prevention systems (IPS) and endpoint detection and response (EDR) solutions can provide an additional layer of protection. Organizations should also invest in regular security training for their employees to raise awareness of potential threats.
Future perspectives for firewall security
The future of firewall security requires a proactive approach. Adopting advanced technologies such as artificial intelligence and machine learning can improve the ability to detect and respond to emerging threats. Integrating cloud-based security solutions can offer greater flexibility and scalability. Additionally, collaboration between security providers, researchers, and threat intelligence communities can accelerate the development of patches and mitigation solutions. Organizations should also invest in continuous training of their security teams to ensure they are prepared to face evolving threats.
Examples of best practices for firewall configuration
To reduce the risk of zero-day attacks, organizations should adopt the following best practices for configuring PAN-OS firewalls:
- Isolate management interfaces and restrict access to trusted networks only
- Disable unnecessary services, such as the User-ID Authentication Portal, if not required
- Implement strict firewall rules to limit incoming and outgoing traffic
- Continuously monitor security logs to detect suspicious activity
- Keep firmware and patches updated for all firewall components
- Regularly perform penetration testing and security assessments
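The mitigation advice above (restrict the portal to trusted zones, or disable it) and the "disable unnecessary services" best practice both come down to one question: on which interfaces would the Authentication Portal actually answer, and which zone do those interfaces sit in? The following script is an added example, not code from the article or from Palo Alto Networks. It audits a PAN-OS-style running-config export for that condition. The XML layout it parses (an interface-management-profile with a `response-pages` setting, layer3 interfaces referencing that profile, zones listing member interfaces, and a `captive-portal/mode` element under the vsys) is this example's own assumption about the export format, and the sample configuration is constructed; verify the element paths against a real `show config running` export before relying on the check.

```python
"""
Audit a PAN-OS-style configuration export for interfaces on which the
User-ID Authentication Portal (Captive Portal) response pages would be
served from an untrusted zone.

Assumption (not taken from the article): the XML layout below mirrors the
PAN-OS running-config structure as this example understands it. Check the
element paths against your own export before trusting the result.
"""
import xml.etree.ElementTree as ET

# Constructed sample export, not a real device configuration.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <network>
      <profiles>
        <interface-management-profile>
          <entry name="allow-portal"><response-pages>yes</response-pages><https>no</https></entry>
          <entry name="mgmt-only"><ping>yes</ping></entry>
        </interface-management-profile>
      </profiles>
      <interface><ethernet>
        <entry name="ethernet1/1"><layer3><interface-management-profile>allow-portal</interface-management-profile></layer3></entry>
        <entry name="ethernet1/2"><layer3><interface-management-profile>allow-portal</interface-management-profile></layer3></entry>
        <entry name="ethernet1/3"><layer3><interface-management-profile>mgmt-only</interface-management-profile></layer3></entry>
      </ethernet></interface>
    </network>
    <vsys><entry name="vsys1">
      <zone>
        <entry name="untrust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
        <entry name="trust"><network><layer3><member>ethernet1/2</member><member>ethernet1/3</member></layer3></network></entry>
      </zone>
      <captive-portal><mode>redirect</mode></captive-portal>
    </entry></vsys>
  </entry></devices>
</config>"""


def _profiles_serving_response_pages(root):
    """Names of interface-management profiles that serve response pages."""
    names = set()
    for entry in root.iterfind(".//interface-management-profile/entry"):
        rp = entry.find("response-pages")
        if rp is not None and (rp.text or "").strip() == "yes":
            names.add(entry.get("name"))
    return names


def _interface_profiles(root):
    """Map layer3 interface name -> management profile name assigned to it."""
    result = {}
    for entry in root.iterfind(".//network/interface//entry"):
        prof = entry.find("layer3/interface-management-profile")
        if prof is not None and prof.text:
            result[entry.get("name")] = prof.text.strip()
    return result


def _zone_of_interface(root):
    """Map interface name -> zone name from the zone member lists."""
    mapping = {}
    for zone in root.iterfind(".//zone/entry"):
        for member in zone.iterfind("network//member"):
            mapping[(member.text or "").strip()] = zone.get("name")
    return mapping


def audit_portal_exposure(config_xml, untrusted_zones):
    """Return the captive-portal mode and every (interface, zone, profile)
    triple where response pages are served on an interface in an untrusted
    zone. An empty 'exposed' list means the portal is not reachable from
    the given zones according to the export."""
    root = ET.fromstring(config_xml)
    mode_node = root.find(".//captive-portal/mode")
    mode = mode_node.text.strip() if mode_node is not None and mode_node.text else None
    serving = _profiles_serving_response_pages(root)
    zones = _zone_of_interface(root)
    exposed = []
    for iface, prof in sorted(_interface_profiles(root).items()):
        zone = zones.get(iface, "<unassigned>")
        if prof in serving and zone in untrusted_zones:
            exposed.append((iface, zone, prof))
    return {"mode": mode, "exposed": exposed}


if __name__ == "__main__":
    report = audit_portal_exposure(SAMPLE_CONFIG, {"untrust"})
    print(f"captive-portal mode: {report['mode']}")
    for iface, zone, prof in report["exposed"]:
        print(f"EXPOSED: {iface} in zone '{zone}' serves response pages via profile '{prof}'")
    if not report["exposed"]:
        print("no portal-serving interface found in an untrusted zone")
```

On the constructed sample the script flags ethernet1/1, which sits in the untrust zone and carries a profile that serves response pages, while ethernet1/2 (same profile, trust zone) and ethernet1/3 (profile without response pages) are left alone. Passing a larger set of zone names lets you extend the check to any zone you do not consider trusted for the portal.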
Editorial Note and Disclaimer
The guides and content published on GoYou are the result of independent research and analysis activities, for informational, educational, and in-depth purposes.
GoYou does not constitute a journalistic publication or an editorial product pursuant to Law No. 62/2001 and does not provide real-time information.
The GoYou project does not provide professional, technical, legal, or financial advice and disclaims any liability for the misuse of the information published.
In the Crypto sector, every investment involves risks: readers are invited to always inform themselves independently before making any decision.