Palo Alto Networks firewall vulnerability exploited in the wild, CISA says

Attackers can use the flaw, tracked as CVE-2022-0028, to launch reflected DDoS attacks against targets of their choosing without authenticating to the firewall…

26-Aug-2022
5 min read

A high-severity vulnerability in Palo Alto Networks firewalls is being actively exploited in the wild, according to the US Cybersecurity and Infrastructure Security Agency (CISA).

The vulnerability (CVE-2022-0028, CVSS score 8.6) exists in PAN-OS, the operating system that runs the firewalls. It lets a remote attacker, without authenticating, use a misconfigured firewall as a reflector for distributed denial-of-service (DDoS) traffic against targets of their choosing: the attacker sends spoofed requests to the firewall, and the firewall's responses land on the victim.

CISA observed the flaw being exploited roughly two weeks after it was first disclosed and has now added it to its Known Exploited Vulnerabilities (KEV) catalog. Attackers can use the vulnerability to launch both reflected and amplified DDoS floods.

Earlier this month, Palo Alto Networks published an advisory warning of the vulnerability and explaining how it could be exploited. Because the flood appears to come from the firewall rather than from the attacker, the technique also helps attackers hide their identity and location.

According to the company, "the DoS assault appears to have originated from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual), or CN-Series (container) firewall against an attacker-specified target."

According to Phil Neray, VP of cyber-defense strategy at CardinalOps, "the good news is that this vulnerability does not offer attackers access to the victim's internal network." The bad news, he adds, is that it can interrupt business-critical processes [at other targets], such as order processing and customer-support requests.

He observes that, contrary to popular belief, DDoS operations are not limited to nuisance actors: "In the past, adversary groups like APT28 have utilized DDoS against the World Anti-Doping Agency."

Only firewalls with a particular non-default URL-filtering configuration are affected. For the vulnerability to be exploitable, the firewall configuration "must contain a URL filtering profile with one or more prohibited categories assigned to a security rule with a source zone that has an external facing network interface," according to the advisory. All three elements have to be present at once: a URL-filtering profile that blocks at least one category, a security rule that applies that profile, and a source zone on that rule that includes an external-facing interface.

According to Bud Broomhead, CEO of Viakoo, vulnerabilities that can be exploited to facilitate DDoS attacks are in high demand among hackers and are increasingly being exploited.

"The ability to exploit a Palo Alto Networks firewall to conduct mirrored and amplified attacks is part of a larger trend to use amplification to launch enormous DDoS attacks," he says. "The recent announcement by Google of an attack that peaked at 46 million requests per second, as well as other record-breaking DDoS attacks, will focus more on technologies that can be abused to enable this level of amplification."

The speed of weaponization is consistent with the broader trend of attackers needing less time to exploit newly published vulnerabilities, and it also suggests that threat actors are increasingly interested in vulnerabilities rated below critical.

Too frequently, our researchers observe firms patching the most severe vulnerabilities first based on CVSS alone, says Terry Olaes, director of sales engineering at Skybox Security. Cybercriminals are aware that this is how many businesses approach cybersecurity, so they have learned to exploit weaknesses deemed less critical in order to conduct their attacks.

But patch prioritization remains difficult for enterprises of all sizes because of the sheer volume of patches released each month: hundreds of vulnerabilities that IT teams must triage, often without much guidance. Skybox Research Lab also recently found that the number of new vulnerabilities exploited in the wild increased by 24% in 2022.

Roger Grimes, data-driven defense advocate at KnowBe4, tells Dark Reading: "Any vulnerability that CISA alerts you about must be patched immediately if you have it in your environment. The [KEV] enumerates all vulnerabilities that any real-world attacker can exploit against any real-world target. Superior service."

The list is broad: "It contains more than simply Windows and Google Chrome vulnerabilities. A typical computer security professional would be astonished by the items on the list. It contains gadgets, firmware patches, VPNs, DVRs, and a plethora of other items that are not typically considered highly targeted by hackers."

The fix for CVE-2022-0028 is available in the following PAN-OS releases, and in all later versions, for PA-Series, VM-Series, and CN-Series firewalls:

- PAN-OS 8.1.23-h1
- PAN-OS 9.0.16-h3
- PAN-OS 9.1.14-h4
- PAN-OS 10.0.11-h1
- PAN-OS 10.1.6-h6
- PAN-OS 10.2.2-h2

A firewall is patched only if it runs the listed maintenance-and-hotfix build for its own release train, or a later one; 10.1.6 without the h6 hotfix, for example, is still affected.
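To turn that list into a per-device decision, here is an added Python example (not a Palo Alto Networks tool, and not from the original article) that parses PAN-OS version strings and reports whether each version is at or above the fixed build for its release train. It assumes the major.minor.maintenance[-hN] version grammar, treats any release train newer than every listed fix as covered by the advisory's "all later PAN-OS versions" wording, and reports an older train with no listed fix separately; the inventory in the main block is constructed.

```python
"""Classify PAN-OS versions against the CVE-2022-0028 fixed-version list.

Added example, not a Palo Alto Networks tool. Assumes the PAN-OS version
grammar major.minor.maintenance with an optional -hN hotfix suffix
(e.g. 10.1.6-h6). A fix applies to its own major.minor release train; a train
newer than every listed fix is treated as fixed ("all later PAN-OS versions"),
and a train older than every listed fix has no fix listed at all.
"""

FIXED_VERSIONS = ["8.1.23-h1", "9.0.16-h3", "9.1.14-h4",
                  "10.0.11-h1", "10.1.6-h6", "10.2.2-h2"]


def parse_version(text):
    """'10.1.6-h6' -> (10, 1, 6, 6); '10.1.6' -> (10, 1, 6, 0)."""
    base, sep, hotfix = text.strip().partition("-h")
    parts = base.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    if sep and not hotfix.isdigit():
        raise ValueError(f"unrecognised hotfix suffix: {text!r}")
    major, minor, maint = (int(p) for p in parts)
    return (major, minor, maint, int(hotfix) if hotfix else 0)


def assess(version, fixed_versions=FIXED_VERSIONS):
    """Return 'fixed', 'vulnerable' or 'no-fix-listed' for one version string.

    Tuples compare element by element, so a hotfix only matters when the
    major.minor.maintenance part is equal: 10.1.6 < 10.1.6-h6 < 10.1.7.
    """
    v = parse_version(version)
    fixes = {}
    for f in map(parse_version, fixed_versions):
        fixes[f[:2]] = f            # one fixed build per release train
    train = v[:2]
    if train in fixes:
        return "fixed" if v >= fixes[train] else "vulnerable"
    if train > max(fixes):
        return "fixed"              # release train newer than any listed fix
    # Older train than any listed fix: no fixed build exists for it, so
    # treat it as unpatched and plan an upgrade to a supported train.
    return "no-fix-listed"


def triage(inventory, fixed_versions=FIXED_VERSIONS):
    """Map {hostname: version} to {hostname: status} for a patch queue."""
    return {host: assess(ver, fixed_versions) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for demonstration.
    sample = {"fw-edge-1": "10.1.6", "fw-edge-2": "10.1.6-h6",
              "fw-dc-1": "9.1.14-h3", "fw-lab": "10.2.3", "fw-legacy": "8.0.20"}
    for host, status in triage(sample).items():
        print(f"{host:10} {sample[host]:12} {status}")
```

The comparison works because the parsed tuples order hotfixes after their base build and before the next maintenance release, which is exactly how the fixed-version list is meant to be read; a status of no-fix-listed is a prompt to upgrade trains, not a clean bill of health.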

"Organizations should guarantee they have solutions capable of measuring the business impact of cyber-risks into economic impact," Olaes added.

He continued, "In addition to other risk studies, such as exposure-based risk scores, this will assist them in identifying and prioritizing the dangers with the greatest financial impact. In addition, they must improve the maturity of their vulnerability management procedures to swiftly determine whether a vulnerability affects them and how urgently it must be remedied."

Grimes suggests also subscribing to CISA's KEV emails. "Subscribers will receive at least one email per week, if not more, detailing the most recent exploited vulnerabilities," he explains. "It's not only a problem with Palo Alto Networks. Not even remotely possible."
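Beyond the email digest, CISA publishes the same catalog as a JSON feed that can be checked programmatically. The following is an added example (not CISA's code, and not from the original article) that indexes a KEV download, reports what was added since the last check, and computes the days remaining to CISA's remediation due date for CVEs observed in an environment. The field names follow the published feed; the feed excerpt is constructed, and its dates are illustrative.

```python
"""Check a CISA KEV catalog download for a CVE and its remediation deadline.

Added example, not CISA's tooling. CISA publishes the catalog as JSON at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
and the field names used here (cveID, vendorProject, product, dateAdded,
dueDate, requiredAction) follow that feed. SAMPLE_FEED is a constructed
excerpt with illustrative dates; fetch the live feed for authoritative values.
"""
import json
from datetime import date, timedelta

SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2022.08.22",
    "count": 1,
    "vulnerabilities": [{
        "cveID": "CVE-2022-0028",
        "vendorProject": "Palo Alto Networks",
        "product": "PAN-OS",
        "vulnerabilityName": "PAN-OS reflected amplification denial-of-service",
        "dateAdded": "2022-08-22",
        "shortDescription": "Constructed summary: misconfigured URL filtering lets an "
                            "unauthenticated attacker reflect and amplify DoS traffic.",
        "requiredAction": "Apply updates per vendor instructions.",
        "dueDate": "2022-09-12",
    }],
})


def load_kev(feed_text):
    """Parse a downloaded feed and index its entries by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}


def days_until_due(entry, today):
    """Days left before CISA's remediation due date; negative means overdue."""
    return (date.fromisoformat(entry["dueDate"]) - today).days


def added_since(index, since):
    """CVE IDs added to the catalog after `since`: the weekly-digest view."""
    return sorted(cve for cve, e in index.items()
                  if date.fromisoformat(e["dateAdded"]) > since)


def prioritize(index, observed_cves, today):
    """For CVEs observed in your environment, return the ones that are in KEV
    paired with days to deadline, most urgent first."""
    hits = [(cve, days_until_due(index[cve], today))
            for cve in observed_cves if cve in index]
    return sorted(hits, key=lambda hit: hit[1])


if __name__ == "__main__":
    kev = load_kev(SAMPLE_FEED)
    today = date(2022, 8, 26)    # the article's date, so the run is reproducible
    print("added in the last 7 days:", added_since(kev, today - timedelta(days=7)))
    for cve, days in prioritize(kev, ["CVE-2022-0028"], today):
        e = kev[cve]
        print(f"{cve} ({e['vendorProject']} {e['product']}): {days} days to "
              f"due date {e['dueDate']}; {e['requiredAction']}")
```

Run on a schedule, added_since with the previous run's date gives the same information as the weekly email, and prioritize turns a scanner's CVE list into a deadline-ordered queue; the cut-off for "new" entries is exclusive of the since date, so a daily job should pass yesterday's date.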