CVSS scored these two Palo Alto CVEs as manageable. Chained, they gave attackers root access to 13,000 devices.
Reporting by louiswcolumbus@gmail.com (Louis Columbus), SwissFinanceAI Redaktion
Vulnerability Scoring System Criticized After Palo Alto Network Breach
Section 1 – What happened?
Attackers were able to gain unauthenticated remote admin access and eventually root access to over 13,000 exposed Palo Alto Networks management interfaces during Operation Lunar Peek in November 2024. The vulnerabilities exploited, CVE-2024-0012 and CVE-2024-9474, were scored by Palo Alto Networks at 9.3 and 6.9, respectively, under the Common Vulnerability Scoring System (CVSS) version 4.0. However, the National Vulnerability Database (NVD) scored the same pair at 9.8 and 7.2 under CVSS version 3.1. The CVSS scores did not flag the vulnerabilities as particularly severe, with the 6.9 score falling below patch thresholds and the 9.3 score being queued for maintenance. Despite this, attackers were able to chain the vulnerabilities together to gain root access to thousands of devices.
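The gap described above, as an added example that is not part of the original article: per-CVE threshold triage beside a chain-aware pass that searches for a path from unauthenticated access to root on the same exposed asset. The scores are the CVSS 4.0 values quoted above; the 7.0 cutoff, the queue names, the `requires`/`grants` labels and the inventory record are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float
    requires: str  # privilege the attacker must already hold (assumed label)
    grants: str    # privilege held after exploitation (assumed label)

PATCH_CUTOFF = 7.0  # assumed policy threshold; the article gives no number

def triage_by_score(findings):
    """CVSS-first triage: every CVE is judged on its own score."""
    return {f.cve: "maintenance-window" if f.cvss >= PATCH_CUTOFF else "backlog"
            for f in findings}

def find_chain(findings, start="none", goal="root"):
    """Breadth-first search over privilege levels.
    Returns the CVEs of the shortest start->goal chain, or [] if none exists."""
    frontier, seen = [(start, [])], {start}
    while frontier:
        level, path = frontier.pop(0)
        if level == goal:
            return path
        for f in findings:
            if f.requires == level and f.grants not in seen:
                seen.add(f.grants)
                frontier.append((f.grants, path + [f.cve]))
    return []

def triage_chain_aware(findings, exposed):
    """Escalate every link of an unauthenticated->root chain on an exposed asset."""
    result = triage_by_score(findings)
    if exposed:
        for cve in find_chain(findings):
            result[cve] = "emergency"
    return result

# Constructed inventory record for one exposed management interface.
MGMT_INTERFACE = [
    Finding("CVE-2024-0012", 9.3, requires="none", grants="admin"),
    Finding("CVE-2024-9474", 6.9, requires="admin", grants="root"),
]

if __name__ == "__main__":
    print("score only :", triage_by_score(MGMT_INTERFACE))
    print("chain aware:", triage_chain_aware(MGMT_INTERFACE, exposed=True))
```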
Section 2 – Background & Context
The CVSS scoring system is widely used to evaluate the severity of vulnerabilities. However, experts have long argued that the system has limitations, particularly in ignoring real-world context and the potential for attackers to chain vulnerabilities together. This criticism has been echoed by several security leaders, including Adam Meyers, SVP of Counter Adversary Operations at CrowdStrike, and Peter Chronis, former CISO of Paramount. In fact, Chronis reported that by moving beyond CVSS-first prioritization at Paramount, he was able to reduce actionable critical and high-risk vulnerabilities by 90%.
Section 3 – Impact on Swiss SMEs & Finance
The Palo Alto Networks breach highlights the risk of relying solely on CVSS scores to prioritize vulnerability remediation. In the Swiss financial sector, where SMEs and large institutions alike rely on secure networks and systems, this risk is particularly relevant. If attackers can chain vulnerabilities to gain root access to thousands of devices, the consequences for the financial sector could be severe. Swiss financial institutions should move beyond CVSS-first prioritization and adopt vulnerability management strategies that take into account real-world context and the potential for attackers to chain vulnerabilities together.
Section 4 – What to Watch
As the security community continues to grapple with the limitations of the CVSS scoring system, it will be essential to monitor developments in vulnerability management and threat intelligence. Specifically, readers should watch for advancements in decision-tree logic and exploitation probability models, such as the EPSS and SSVC decision models developed by FIRST and CISA, respectively. Additionally, the Palo Alto Networks breach serves as a reminder of the importance of regular vulnerability scanning and patching, as well as the need for more comprehensive threat intelligence and incident response strategies.
Source
Original Article: CVSS scored these two Palo Alto CVEs as manageable. Chained, they gave attackers root access to 13,000 devices.
Published: April 24, 2026
Author: louiswcolumbus@gmail.com (Louis Columbus)
Disclaimer: This article is for informational purposes only and does not constitute financial advice. Consult a licensed financial advisor before making investment decisions.
This content was created with AI assistance. All cited sources have been verified. We comply with EU AI Act (Article 50) disclosure requirements.

Original Source
This article is based on CVSS scored these two Palo Alto CVEs as manageable. Chained, they gave attackers root access to 13,000 devices. (VentureBeat AI)



