Root Access Rampage: Managing Palo Alto CVEs on 13,000 Devices

During Operation Lunar Peek in November 2024, attackers gained unauthenticated remote admin access — and eventual root — across more than 13,000 exposed Palo Alto Networks management interfaces. Palo Alto Networks scored CVE-2024-0012 at 9.3 and CVE-2024-9474 at 6.9 under CVSS v4.0. NVD scored the same pair 9.8 and 7.2 under CVSS v3.1. Two scoring systems. Two different answers for the same vulnerabilities. The 6.9 fell below patch thresholds. Admin access appeared required. The 9.3 sat queued for maintenance. Segmentation would hold.

“Adversaries circumvent [severity ratings] by chaining vulnerabilities together,” Adam Meyers, SVP of Counter Adversary Operations at CrowdStrike, told VentureBeat in an exclusive interview on April 22, 2026. On the triage logic that missed the chain: “They just had amnesia from 30 seconds before.”

Both CVEs sit on the CISA Known Exploited Vulnerabilities catalog. Neither score flagged the kill chain. The triage logic that consumed those scores treated each CVE as an isolated event, and so did the SLA dashboards and the board reports those dashboards feed.

CVSS did exactly what it was designed to do. Score one vulnerability at a time. The problem is that adversaries do not attack one vulnerability at a time.

“CVSS base scores are theoretical measures of severity that ignore real-world context,” wrote Peter Chronis, former CISO of Paramount and a security leader with Fortune 100 experience. By moving beyond CVSS-first prioritization at Paramount, Chronis reported reducing actionable critical and high-risk vulnerabilities by 90%. Chris Gibson, executive director of FIRST, the organization that maintains CVSS, has been equally direct: using CVSS base scores alone for prioritization is “the least apt and accurate” method, Gibson told The Register. FIRST’s own EPSS and CISA’s SSVC decision model address part of this gap by adding exploitation probability and decision-tree logic.

Five triage failure classes CVSS was never designed to catch

In 2025, 48,185 CVEs were disclosed, a 20.6% year-over-year increase. Jerry Gamblin, principal engineer at Cisco Threat Detection and Response, projects 70,135 for 2026. The infrastructure behind the scores is buckling under that weight. NIST announced on April 15 that CVE submissions have grown 263% since 2020, and the NVD will now prioritize enrichment for KEV and federal critical software only.

1. Chained CVEs that look safe until they aren’t

The Palo Alto pair from Operation Lunar Peek is the textbook. CVE-2024-0012 bypassed authentication. CVE-2024-9474 escalated privileges. Scored separately under both CVSS v4.0 and v3.1, the escalation flaw filtered below most enterprise patch thresholds because admin access appeared required. The authentication bypass upstream eliminated that prerequisite entirely. Neither score communicated the compound effect.

Meyers described the operational psychology: teams assessed each CVE independently, deprioritized the lower score, and queued the higher one for maintenance.

2. Nation-state adversaries who weaponize patches within days

The CrowdStrike 2026 Global Threat Report documented a 42% year-over-year increase in vulnerabilities exploited as zero-days before public disclosure. Average breakout time across observed intrusions: 29 minutes. Fastest observed breakout: 27 seconds. China-nexus adversaries weaponized newly patched vulnerabilities within two to six days of disclosure.

“Before it was Patch Tuesday once a month. Now it’s patch every day, all the time. That’s what this new world looks like,” said Daniel Bernard, Chief Business Officer at CrowdStrike. A KEV addition treated as a routine queue item on Tuesday becomes an active exploitation window by Thursday.

3. Stockpiled CVEs that nation-state actors hold for years

Salt Typhoon accessed senior U.S. political figures’ communications during the presidential transition by chaining CVE-2023-20198 with CVE-2023-20273 on internet-facing Cisco devices, a privilege escalation pair patched in October 2023 and still unapplied more than a year later. Compromised credentials provided a parallel entry vector. The patches existed. Neither was applied.

Sixty-seven percent of vulnerabilities exploited by China-nexus adversaries in 2025 were remote code execution flaws providing immediate system access, according to the CrowdStrike 2026 Global Threat Report. CVSS does not degrade priority based on how long a CVE has gone unpatched. No board metric tracks aging KEV exposure.

That silence is the vulnerability.

4. Identity gaps that never enter the scoring system

A 2023 help desk social engineering call against a major enterprise produced more than $100 million in losses. No CVE was assigned. No CVSS score existed. No patch pipeline entry was created. The vulnerability was a human process gap in identity verification, sitting entirely outside the scoring system’s aperture.

“A pro needs a zero day if all you have to do is call the help desk and say I forgot my password,” Meyers said.

Agentic AI systems now carry their own identity credentials, API tokens, and permission scopes, operating outside traditional vulnerability management governance. Merritt Baer, CSO at Enkrypt AI, has argued on record that identity-surface controls are vulnerability equivalents belonging in the same reporting pipeline as software CVEs. In most organizations, help desk authentication gaps and agentic AI credential inventories live in a separate governance silo. In practice, nobody’s governance.

5. AI-accelerated discovery that breaks pipeline capacity

Anthropic’s Claude Mythos Preview demonstrated autonomous vulnerability discovery, finding a 27-year-old signed integer overflow in OpenBSD’s TCP SACK implementation across roughly 1,000 scaffold runs at a total compute cost under $20,000. Meyers offered a thought-experiment projection in the exclusive interview with VentureBeat: if frontier AI drives a 10x volume increase, the result is approximately 480,000 CVEs annually. Pipelines built for 48,000 break at 70,000 and collapse at 480,000. NVD enrichment is already gone for non-KEV submissions.

“If the adversary is now able to find vulnerabilities faster than the defenders or the business, that’s a huge problem, because those vulnerabilities become exploits,” said Daniel Bernard, Chief Business Officer at CrowdStrike.

CrowdStrike on Friday launched Project QuiltWorks, a remediation coalition with Accenture, EY, IBM Cybersecurity Services, Kroll, and OpenAI formed to address the vulnerability volume that frontier AI models are now generating in production code.

Addressing Pipeline Security Challenges: A Comprehensive Action Plan for Security Directors

When faced with a pipeline problem, collaboration among major firms is crucial as no single organization can keep up with the pace of patch workflows. To effectively tackle this issue, security directors can implement a strategic action plan that aligns with the specific failure classes identified.

Conduct a thorough chain-dependency audit on all KEV CVEs within the environment this month. Identify and flag any co-resident CVEs with a score of 5.0 or above, as these are indicative of potential privilege escalation and lateral movement capabilities. Critical attention should be given to pairs chaining authentication bypass to privilege escalation, regardless of individual scores.

Reduce the KEV-to-patch SLAs for internet-facing systems to 72 hours. Recent data from the CrowdStrike 2026 Global Threat Report highlights the need for faster response times, with an average of 29 minutes and a fastest time of 27 seconds for patch deployment. Weekly patch windows are no longer defensible in a board presentation in light of this information.

Create a monthly KEV aging report to present to the board. This report should include details on unpatched KEV CVEs, days since disclosure, days since patch availability, and responsible owners. Highlighting instances like the Salt Typhoon attack, where a Cisco CVE was exploited 14 months after patch availability due to aging exposure, can emphasize the importance of timely patching.

Integrate identity-surface controls into the vulnerability reporting pipeline. Addressing authentication gaps in help desk systems and agentic AI credential inventories within the same SLA framework as software CVEs is essential. Siloed governance structures can lead to oversight and must be avoided for effective vulnerability management.

Assess pipeline capacity by stress-testing at 1.5x and 10x the current CVE volume. With projections indicating a significant increase in CVE volume, it is crucial to identify and address any capacity gaps. Presenting this information to the CFO before the next budget cycle can help prevent breaches resulting from insufficient pipeline capacity.

By implementing these targeted actions, security directors can proactively address pipeline security challenges and enhance overall vulnerability management within their organizations.