Security teams often rely on severity scores like CVSS to prioritize patching, yet a recent attack on Palo Alto Networks devices proves why that approach can fail catastrophically. In November 2024, attackers exploited two vulnerabilities—CVE-2024-0012 and CVE-2024-9474—in tandem to bypass authentication and escalate privileges, gaining root access to over 13,000 exposed management interfaces. The attack, dubbed Operation Lunar Peek, demonstrated how seemingly isolated flaws can combine to devastating effect when threat actors exploit them sequentially.
The Vulnerabilities Behind the Attack
CVE-2024-0012, an authentication bypass flaw, allowed attackers to sidestep login requirements entirely. CVE-2024-9474, a privilege escalation issue, then elevated their access to root level. Individually, both vulnerabilities received moderate-to-high CVSS scores under the two CVSS versions in use:
- CVSS v4.0: CVE-2024-0012 (9.3), CVE-2024-9474 (6.9)
- CVSS v3.1: CVE-2024-0012 (9.8), CVE-2024-9474 (7.2)
The lower scores for CVE-2024-9474 in particular led many teams to deprioritize it, assuming admin access was required—a misconception that the preceding authentication bypass eliminated entirely. "Adversaries circumvent severity ratings by chaining vulnerabilities together," noted Adam Meyers, SVP of Counter Adversary Operations at CrowdStrike. "They just had amnesia from 30 seconds before."
Why Scoring Systems Missed the Threat
The attack highlights a critical flaw in traditional vulnerability triage: CVSS scores evaluate risks in isolation, while real-world attacks rarely operate that way. Both CVEs appeared on the CISA Known Exploited Vulnerabilities catalog, yet neither score flagged the compound risk they posed together. Teams assessing each flaw separately—treating them as standalone issues—failed to recognize the kill chain until it was too late.
Peter Chronis, former CISO of Paramount, has been vocal about this limitation. "CVSS base scores are theoretical measures of severity that ignore real-world context," he wrote in a 2022 analysis. Under his leadership, Paramount shifted away from CVSS-centric prioritization, reducing actionable critical and high-risk vulnerabilities by 90%. Chris Gibson, executive director of FIRST—the organization that maintains CVSS—has similarly cautioned that relying solely on CVSS base scores for prioritization is "the least apt and accurate" method.
The Broader Crisis in Vulnerability Management
The Palo Alto incident is not an isolated case. In 2025, 48,185 new CVEs were disclosed, a 20.6% increase from the prior year. Jerry Gamblin, principal engineer at Cisco Threat Detection and Response, projects that number will rise to 70,135 in 2026. The infrastructure supporting vulnerability scoring is struggling to keep pace:
- NIST reported a 263% surge in CVE submissions since 2020.
- The agency now prioritizes enrichment only for Known Exploited Vulnerabilities (KEV) and federal critical software.
This backlog creates blind spots. Teams overwhelmed by the sheer volume of CVEs often default to prioritizing based on scores alone, missing nuanced threats like chained vulnerabilities, weaponized patches, or long-dormant exploits.
Five Systemic Gaps Security Teams Overlook
- Chained CVEs that look safe until they aren't
The Palo Alto pair is the textbook example. CVE-2024-0012 bypassed authentication, while CVE-2024-9474 escalated privileges. Separately, neither appeared urgent enough to trigger immediate action. Combined, they formed a complete attack path.
- Weaponized patches within days of disclosure
According to the CrowdStrike 2026 Global Threat Report, nation-state actors now exploit vulnerabilities as zero-days within 29 minutes on average—sometimes in as little as 27 seconds. China-nexus groups have been observed weaponizing newly patched flaws within two to six days of public disclosure.
- Stockpiled CVEs held for years
Operation Salt Typhoon exploited unpatched Cisco vulnerabilities (CVE-2023-20198 and CVE-2023-20273) for over a year after patches were available. Sixty-seven percent of vulnerabilities exploited by China-nexus actors in 2025 were remote code execution flaws providing immediate system access. Yet CVSS does not degrade priority based on time since disclosure.
- Identity gaps that never enter the scoring system
Human-centric risks—like social engineering or misconfigured access controls—often fly under the radar. A 2023 help desk breach at a major enterprise resulted in over $100 million in losses, yet no CVE was assigned, no score calculated, and no patch pipeline entry created.
- Boardroom blind spots in exposure tracking
While KEV entries are critical, they’re treated as routine queue items rather than ticking time bombs. A KEV flagged on Tuesday can become an active exploitation window by Thursday if left unaddressed.
Moving Beyond CVSS-Centric Security
The solution isn’t to abandon CVSS entirely but to supplement it with threat intelligence and contextual risk models. Frameworks like FIRST’s EPSS (Exploit Prediction Scoring System) and CISA’s SSVC (Stakeholder-Specific Vulnerability Categorization) add layers of real-world context:
- EPSS incorporates exploitation probability.
- SSVC applies decision-tree logic to prioritize based on threat actor activity and asset criticality.
Security teams must also adopt a mindset that treats vulnerabilities as dynamic threats—not static scores. The Palo Alto attack serves as a stark reminder: in cybersecurity, the sum of the parts can be far greater—and far more dangerous—than what each part suggests on its own.
Looking ahead, organizations will need to automate correlation between vulnerabilities, monitor for chaining opportunities, and integrate human-centric risks into their threat models. The era of CVSS-first prioritization is over. The question now is whether security teams will adapt before the next attack exploits the same systemic gaps.
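The correlation described above can be automated in a small triage step that re-ranks CVEs by context rather than base score alone. The following is an added example written for this article, not code from Palo Alto Networks, FIRST or CISA: it uses the article's CVSS v4.0 scores for the two Palo Alto CVEs, treats KEV membership and an EPSS-style probability as inputs, and models each CVE's privilege precondition so a chained privilege escalation is promoted to the same outcome as its unauthenticated entry point. The EPSS values, the third placeholder CVE, the `requires`/`grants` precondition model and the SSVC-style thresholds are all my assumptions, not official data or CISA's decision tree.

```python
"""Added example, not from the article: re-rank CVEs with CVSS, an EPSS-style
probability, KEV membership and declared chain relationships. CVSS v4.0 values
are the article's; EPSS values and the third CVE are constructed placeholders."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Vuln:
    cve: str
    cvss: float              # CVSS v4.0 base score
    epss: float              # exploitation probability 0..1 (constructed)
    in_kev: bool             # listed in CISA KEV
    requires: Optional[str]  # privilege needed before exploitation (assumed model)
    grants: Optional[str]    # privilege obtained on success (assumed model)

# Constructed inventory for one exposed management interface.
INVENTORY: Dict[str, Vuln] = {
    "CVE-2024-0012": Vuln("CVE-2024-0012", 9.3, 0.90, True, None, "admin"),
    "CVE-2024-9474": Vuln("CVE-2024-9474", 6.9, 0.30, True, "admin", "root"),
    "CVE-0000-PLACEHOLDER": Vuln("CVE-0000-PLACEHOLDER", 7.5, 0.02, False, "shell", "root"),
}

def find_chains(inv: Dict[str, Vuln]) -> Dict[str, str]:
    """Map each CVE to an unauthenticated entry CVE that grants its precondition."""
    entry = {v.grants: v.cve for v in inv.values() if v.requires is None and v.grants}
    return {v.cve: entry[v.requires] for v in inv.values() if v.requires in entry}

def effective_score(v: Vuln, chains: Dict[str, str], inv: Dict[str, Vuln]) -> float:
    """A chained CVE inherits the higher of its own score and its entry point's."""
    return max(v.cvss, inv[chains[v.cve]].cvss) if v.cve in chains else v.cvss

def decision(v: Vuln, chains: Dict[str, str], inv: Dict[str, Vuln]) -> str:
    """SSVC-style outcome (Act/Attend/Track*/Track) with simplified, assumed thresholds."""
    score, chained = effective_score(v, chains, inv), v.cve in chains
    if v.in_kev and (chained or score >= 9.0):
        return "Act"
    if v.in_kev or v.epss >= 0.5 or score >= 9.0:
        return "Attend"
    return "Track*" if score >= 7.0 else "Track"

def rank_by_cvss(inv: Dict[str, Vuln]) -> List[str]:
    """The naive ordering the article warns about: base score alone."""
    return [v.cve for v in sorted(inv.values(), key=lambda v: -v.cvss)]

def prioritize(inv: Dict[str, Vuln]) -> List[Tuple[str, float, str]]:
    """(cve, effective score, outcome) sorted by outcome, then effective score."""
    chains = find_chains(inv)
    order = {"Act": 0, "Attend": 1, "Track*": 2, "Track": 3}
    rows = [(v.cve, effective_score(v, chains, inv), decision(v, chains, inv)) for v in inv.values()]
    return sorted(rows, key=lambda r: (order[r[2]], -r[1]))
```

With these inputs `rank_by_cvss` places the 7.5 placeholder above CVE-2024-9474, while `prioritize` puts CVE-2024-9474 alongside CVE-2024-0012 as "Act" because the bypass supplies the admin precondition it needs.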