CISA: Just-Disclosed Palo Alto Networks Firewall Bug Under Active Exploit

Lara Seals, Managing Editor, News, Dark Reading
August 24, 2022

The US Cybersecurity and Infrastructure Security Agency (CISA) is warning that a high-severity security vulnerability in Palo Alto Networks firewalls is being actively exploited in the wild.

The bug (CVE-2022-0028, with a CVSS severity score of 8.6) exists in the PAN-OS operating system that runs the firewalls, and could allow a remote threat actor to abuse the firewalls to launch distributed denial-of-service (DDoS) attacks against targets of their choice, without having to authenticate.

Exploitation of the issue can help attackers cover their tracks and hide their location.

“The DoS attack would appear to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual) and CN-Series (container) firewall against an attacker-specified target,” according to the Palo Alto Networks advisory issued earlier this month.

The bug arises thanks to a URL-filtering policy misconfiguration.

Instances that use a non-standard configuration are at risk; to be exploited, the firewall configuration “must have a URL filtering profile with one or more blocked categories assigned to a security rule with a source zone that has an external facing network interface,” the advisory read.

Exploited in the Wild

Two weeks after that disclosure, CISA said that it has now seen the bug being adopted by cyber adversaries in the wild, and it has added the bug to its Known Exploited Vulnerabilities (KEV) catalogue. Attackers can exploit the flaw to launch both reflected and amplified versions of DoS floods.

Bud Broomhead, CEO at Viakoo, says bugs that can be marshaled into service to support DDoS attacks are in more and more demand.

“The ability to use a Palo Alto Networks firewall to perform reflected and amplified attacks is part of an overall trend to use amplification to create massive DDoS attacks,” he says. “Google’s recent announcement of an attack which peaked at 46 million requests per second, and other record-breaking DDoS attacks will put more focus on systems that can be exploited to enable that level of amplification.”

Roy Miehe | MspPortal Partners Inc. | CEO/President
Security Software Distributor: Bitdefender, Barracuda, RackSpace, Axcient