Critical Palo Alto Networks Zero-Day Exploited for Nearly a Month
Palo Alto Networks issued an urgent advisory warning customers that a critical‑severity zero‑day vulnerability in its PAN‑OS firewall software has been actively exploited by suspected state‑sponsored actors for almost a month. The flaw, which resides in the web‑based management interface’s HTTP header parsing logic, enables an unauthenticated remote attacker to trigger a buffer overflow and execute arbitrary code with root privileges. Early analysis indicates that exploitation began around early January 2025, with the first signs of compromise detected in mid‑January when anomalous traffic patterns were observed on several enterprise edge devices.
The attack chain leverages a specially crafted HTTP request containing an oversized header field that overflows a stack buffer in the management daemon. Successful exploitation grants the attacker a reverse shell, allowing them to deploy a custom backdoor and move laterally within the network. Forensic evidence suggests the adversaries used legitimate administrator credentials to persist on compromised devices, making detection more challenging.
Palo Alto Networks has released emergency patches for all affected PAN‑OS versions (9.1.x, 10.0.x, 10.1.x and later) and urges customers to apply the updates immediately. As an interim mitigation, organizations should disable access to the management interface from untrusted networks, restrict access to a narrow IP whitelist, and enable the latest threat‑protection signatures that block the known malicious request patterns. Security teams are also advised to review logs for indicators of compromise such as unusual HTTP header lengths, unexpected outbound connections from the management plane, and the presence of any newly installed implants.
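The following is an added example, not code from the advisory or from Palo Alto Networks, showing how a security team might triage captured management‑interface requests against two of the indicators above: sources outside the admin allow list and oversized header fields. The allow‑listed subnet, the length threshold, and the two sample requests are constructed assumptions.

```python
"""Added example (not from the advisory): triage constructed HTTP request
captures from a firewall management interface for two of the indicators
the advisory names. The subnet, threshold and samples are assumptions."""
import ipaddress
from typing import NamedTuple

MAX_HEADER_LEN = 1024  # assumed threshold; tune to your own baseline
MGMT_ALLOW_LIST = [ipaddress.ip_network("10.10.0.0/24")]  # assumed admin subnet


class Finding(NamedTuple):
    source: str
    reason: str


def parse_headers(raw_request: str) -> dict:
    """Split a raw HTTP request into {lowercased header name: value}; body ignored."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def triage(source_ip: str, raw_request: str) -> list:
    """Return Findings for one captured request; an empty list means nothing flagged."""
    findings = []
    addr = ipaddress.ip_address(source_ip)
    if not any(addr in net for net in MGMT_ALLOW_LIST):
        findings.append(Finding(source_ip, "source outside management allow list"))
    for name, value in parse_headers(raw_request).items():
        if len(value) > MAX_HEADER_LEN:
            findings.append(Finding(source_ip, f"oversized header '{name}' ({len(value)} bytes)"))
    return findings


# Constructed sample captures: one routine admin request, one anomalous one.
BENIGN = "GET / HTTP/1.1\r\nHost: fw-mgmt\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
SUSPICIOUS = ("GET / HTTP/1.1\r\nHost: fw-mgmt\r\n"
              "X-Constructed: " + "A" * 4096 + "\r\n\r\n")

if __name__ == "__main__":
    for src, req in [("10.10.0.5", BENIGN), ("203.0.113.9", SUSPICIOUS)]:
        for f in triage(src, req):
            print(f"{f.source}: {f.reason}")
```

In practice the same checks would run over the firewall's own management‑plane access logs, with the threshold set from a baseline of legitimate admin traffic.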
Threat intelligence firms have attributed the campaign to an advanced persistent threat (APT) group with known ties to a nation‑state, based on the sophistication of the exploit, the choice of targets, and the use of custom malware that mirrors previously documented tooling. The incident underscores the critical need for timely patch management and proactive monitoring of firewall management interfaces, especially when they are exposed to the Internet. Palo Alto Networks continues to work with law enforcement and industry partners to track the actors and disseminate further guidance.