CVSS scored these two Palo Alto CVEs as manageable. Chained, they gave attackers root access to 13,000 devices.
In November 2024, during Operation Lunar Peek, attackers gained unauthenticated remote admin access and then root on exposed Palo Alto Networks PAN-OS management interfaces; more than 13,000 such interfaces were reachable from the internet at the time. The two vulnerabilities, CVE-2024-0012 (an authentication bypass in the management web interface) and CVE-2024-9474 (a privilege escalation in the same interface), were scored 9.3 and 6.9 under CVSS v4.0 and 9.8 and 7.2 under CVSS v3.1, depending on which version of the scoring system was applied. Both were added to the CISA Known Exploited Vulnerabilities catalog. Taken alone, the privilege-escalation bug sits in the medium-to-high band; chained behind the authentication bypass, it turns an unauthenticated request into a root shell.
Adam Meyers, SVP of Counter Adversary Operations at CrowdStrike, pointed in an interview to the problem of chained vulnerabilities, which traditional scoring systems largely miss. The triage logic applied to these two CVEs treated each as an isolated event and never accounted for their compound effect when present on the same device.
The increase in the number of disclosed CVEs, with a projected 70,135 for 2026, has put a strain on the existing infrastructure for vulnerability scoring. The National Vulnerability Database (NVD) has announced changes to prioritize enrichment for critical software only due to the exponential growth in CVE submissions.
Five triage failure classes were identified that traditional scoring systems like CVSS were not designed to catch. These include chained CVEs, nation-state adversaries weaponizing patches, stockpiled CVEs exploited over time, identity gaps in the scoring system, and AI-accelerated discovery overwhelming existing pipelines.
The coalition's conclusion is that scoring alone cannot carry vulnerability management, and that the gaps in the scoring pipeline need to be closed to match the current threat landscape. Projects like QuiltWorks, launched by CrowdStrike with industry partners, target the volume of vulnerabilities that frontier AI models introduce into production code. When five major firms come together to address a pipeline problem, an individual organization's patch workflow is unlikely to keep pace on its own. The action plan below maps onto the failure classes the coalition identified.
The first action item is a chain-dependency audit, within the month, of every Known Exploited Vulnerabilities (KEV) catalog CVE present in the environment. For each asset carrying a KEV CVE, list the co-resident CVEs scored 5.0 or above; that medium band is where privilege-escalation and lateral-movement bugs typically land. Any pair that chains an authentication bypass into a privilege escalation should be flagged as critical regardless of the two individual scores.
Next, compress the KEV-to-patch Service Level Agreement (SLA) to 72 hours for internet-facing systems. With the CrowdStrike 2026 Global Threat Report putting average adversary breakout time (initial access to lateral movement) at 29 minutes, a weekly patch window is no longer defensible in a board presentation. A 72-hour SLA does not close the gap with the attacker, but it removes days of exposure from every KEV entry on the perimeter.
The third item is a monthly KEV aging report for the board. It should list every unpatched KEV CVE together with the days since disclosure, the days since a patch became available, and the responsible owner. Surfacing aging exposure this way is what prevents incidents like the Salt Typhoon intrusions, which exploited a Cisco CVE whose patch had been available for 14 months.
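The first three action items are the same data pass: a per-asset inventory of unpatched CVEs, joined to KEV membership, vulnerability class and patch dates. The script below is an added example, not code from the article or from CrowdStrike or Palo Alto Networks, that performs that pass over a constructed inventory. The two PAN-OS entries carry the CVSS v4.0 scores quoted above, but their dates are illustrative rather than the real advisory dates, the `EXAMPLE-*` identifiers are placeholders and not real CVEs, and the `vuln_class` labels, asset names and owners are assumptions. In production the catalog would be built from the CISA KEV feed, NVD or vendor advisories and the scanner's per-asset findings.

```python
"""Triage helpers for the chain audit, the 72-hour SLA and the aging report.

Added example with constructed data (see lead-in); not the article's code.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Cve:
    cve_id: str
    cvss: float                      # base score as the scanner reports it
    vuln_class: str                  # assumed labels: "auth_bypass", "priv_esc", "rce", "info_leak"
    disclosed: date
    patch_available: Optional[date]  # None while the vendor has shipped no fix
    in_kev: bool                     # listed in the CISA KEV catalog


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    internet_facing: bool
    unpatched: tuple                 # CVE IDs still present on the asset


# Constructed catalog: real IDs and CVSS v4.0 scores for the two PAN-OS bugs,
# illustrative dates; EXAMPLE-* entries are placeholders, not real CVEs.
CATALOG = {
    "CVE-2024-0012": Cve("CVE-2024-0012", 9.3, "auth_bypass", date(2024, 11, 18), date(2024, 11, 18), True),
    "CVE-2024-9474": Cve("CVE-2024-9474", 6.9, "priv_esc", date(2024, 11, 18), date(2024, 11, 18), True),
    "EXAMPLE-0001": Cve("EXAMPLE-0001", 4.3, "info_leak", date(2025, 1, 10), date(2025, 1, 15), False),
    "EXAMPLE-0002": Cve("EXAMPLE-0002", 7.5, "rce", date(2025, 2, 1), None, True),
}

# Constructed asset inventory (hypothetical hostnames and owners).
ASSETS = [
    Asset("fw-edge-01", "netops", True, ("CVE-2024-0012", "CVE-2024-9474")),
    Asset("fw-lab-07", "lab-team", False, ("CVE-2024-9474", "EXAMPLE-0001")),
    Asset("app-api-03", "platform", True, ("EXAMPLE-0002",)),
]

AS_OF = date(2025, 3, 1)   # report date for the worked run below (constructed)

# The chain the article calls out: authentication bypass feeding privilege
# escalation. Extend this set as your own chain analysis matures.
CHAIN_RULES = {("auth_bypass", "priv_esc")}


def chain_audit(assets, catalog, review_floor=5.0):
    """Action item 1. Only assets carrying at least one KEV CVE are in scope.
    Returns one finding per chain found; each finding also lists the asset's
    co-resident CVEs at or above review_floor for further analyst review."""
    findings = []
    for asset in assets:
        present = [catalog[c] for c in asset.unpatched]
        if not any(c.in_kev for c in present):
            continue
        review = sorted(c.cve_id for c in present if c.cvss >= review_floor)
        for first in present:
            for second in present:
                if first is second:
                    continue
                if (first.vuln_class, second.vuln_class) in CHAIN_RULES:
                    findings.append({
                        "asset": asset.name,
                        "chain": (first.cve_id, second.cve_id),
                        "individual_scores": (first.cvss, second.cvss),
                        "severity": "critical",   # regardless of either base score
                        "co_resident_review": review,
                    })
    return findings


def kev_aging_report(assets, catalog, today, sla_days=3):
    """Action items 2 and 3. One row per unpatched KEV CVE per asset. A row is
    an SLA breach when the asset is internet-facing and a fix has been
    available for longer than sla_days (72 hours by default)."""
    rows = []
    for asset in assets:
        for cve_id in asset.unpatched:
            cve = catalog[cve_id]
            if not cve.in_kev:
                continue
            since_patch = (today - cve.patch_available).days if cve.patch_available else None
            rows.append({
                "asset": asset.name,
                "owner": asset.owner,
                "cve": cve_id,
                "internet_facing": asset.internet_facing,
                "days_since_disclosure": (today - cve.disclosed).days,
                "days_since_patch": since_patch,   # None: still awaiting a vendor fix
                "sla_breached": asset.internet_facing and since_patch is not None and since_patch > sla_days,
            })
    # Oldest exposure first, which is the order a board wants to read it in.
    return sorted(rows, key=lambda r: -r["days_since_disclosure"])


if __name__ == "__main__":
    for f in chain_audit(ASSETS, CATALOG):
        print("CHAIN", f["asset"], " -> ".join(f["chain"]), f["individual_scores"], f["severity"])
    for r in kev_aging_report(ASSETS, CATALOG, AS_OF):
        print("AGING", r["asset"], r["cve"], r["owner"], r["days_since_patch"], "BREACH" if r["sla_breached"] else "")
```

Two design points carry over to a real deployment. The chain rule keys on vulnerability class, not score, so the 6.9 privilege escalation is promoted to critical only when it shares a host with an authentication bypass; on the lab firewall, where it sits alone, it keeps its scanner rating. And a KEV entry with no vendor fix is reported with `days_since_patch` of `None` rather than counted as an SLA breach, so the owner is pushed toward mitigation or isolation instead of a patch that does not exist.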
In addition, security directors should consider adding identity-surface controls to the vulnerability reporting pipeline. This includes addressing authentication gaps in help desk systems and ensuring that agentic AI credential inventories are part of the same SLA framework as software CVEs. By integrating these controls into the governance process, organizations can mitigate the risk of unauthorized access and data breaches.
Lastly, it is crucial to stress-test pipeline capacity at 1.5x and 10x the current CVE volume to prepare for future challenges. With projections estimating an increase in CVE volume, security directors should present the capacity gap to the CFO before the next budget cycle to ensure that adequate resources are allocated to address potential vulnerabilities.
Taken together, these five items move vulnerability management from per-CVE scoring toward per-asset exposure: what is reachable, what chains, how long it has been open, and who owns it. The process needs to be revisited as CVE volume and adversary speed keep climbing.