CISA Issues Urgent Patch Mandate for Palo Alto Networks Firewalls Following Evidence of Active Exploitation in Reflected Denial-of-Service Attacks

The United States Cybersecurity and Infrastructure Security Agency (CISA) has officially added a high-severity vulnerability affecting Palo Alto Networks’ PAN-OS software to its Known Exploited Vulnerabilities (KEV) Catalog, signaling that threat actors are actively leveraging the flaw in real-world attacks. The vulnerability, tracked as CVE-2022-0028, involves a specific misconfiguration in the firewall’s URL filtering policy that allows remote attackers to enlist the hardware in reflected and amplified Denial-of-Service (DoS) attacks. Following this designation, CISA has issued a directive to federal civilian executive branch agencies, mandating that all vulnerable systems be patched or mitigated by September 9, 2022, to prevent further exploitation and potential infrastructure disruption.
The alert comes as a stark reminder of the persistent interest malicious actors have in edge-of-network devices. Firewalls, which are designed to serve as the primary line of defense for corporate and government networks, are increasingly being subverted to facilitate attacks rather than block them. In the case of CVE-2022-0028, the flaw does not necessarily allow for data exfiltration or unauthorized access to internal resources; instead, it transforms the robust processing power and high-bandwidth capabilities of Palo Alto Networks’ PA-Series, VM-Series, and CN-Series devices into a weaponized tool for overwhelming third-party targets.
Technical Analysis of CVE-2022-0028 and the RDoS Mechanism
At its core, CVE-2022-0028 is a vulnerability rooted in how PAN-OS handles URL filtering when certain non-standard configurations are active. Palo Alto Networks disclosed that the flaw exists when a firewall configuration includes a URL filtering profile with one or more blocked categories assigned to a security rule, and that rule has a source zone featuring an external-facing network interface. Under these specific conditions, the firewall can be manipulated into participating in a Reflected Denial-of-Service (RDoS) attack.
In a typical RDoS attack, the perpetrator does not send traffic directly to the victim. Instead, they send packets to a third-party "reflector"—in this case, the Palo Alto Networks firewall—while spoofing the source IP address to match the victim’s IP. The reflector then sends a response to the victim. If the response is significantly larger than the initial request, the attack is considered "amplified." This allows an attacker with limited bandwidth to generate a massive, overwhelming flow of traffic directed at a target, effectively knocking them offline.
Specifically, the Palo Alto Networks vulnerability involves TCP-based reflection. When the firewall receives a spoofed packet, it may attempt to process the URL filtering request. If the category is blocked, the system generates a response. Because of the misconfiguration, this response is directed back to the spoofed IP (the victim). If the victim does not acknowledge the packet, the firewall’s TCP stack may continue to retransmit the SYN-ACK packets, leading to a sustained amplification effect. This type of attack is particularly insidious because the traffic appears to originate from a legitimate, high-reputation source—a security appliance—making it harder for the victim’s automated defenses to filter out without accidentally blocking legitimate services.
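The reflection mechanism described above is easiest to recognise from the victim's side: SYN-ACK segments arrive that answer no SYN the victim ever sent, often repeated as the reflector's TCP stack retransmits. The following Python is an added example written for this article, not code from the advisory or from Palo Alto Networks; the packet records are constructed and their field layout (direction, remote address, ports, flags, size) is an assumption about what a victim-side sensor exports.

```python
from collections import defaultdict

# Constructed packet records as a victim-side sensor might export them:
# (direction, remote_ip, remote_port, local_port, tcp_flags, bytes).
PACKETS = [
    ("out", "203.0.113.10", 443, 51000, "S", 60),   # a connection we opened
    ("in", "203.0.113.10", 443, 51000, "SA", 74),   # its legitimate reply
    ("in", "198.51.100.7", 80, 40001, "SA", 74),    # answers no SYN of ours
    ("in", "198.51.100.7", 80, 40001, "SA", 74),    # retransmitted SYN-ACK
    ("in", "198.51.100.7", 80, 40002, "SA", 74),
    ("in", "198.51.100.9", 80, 40003, "SA", 74),
    ("in", "198.51.100.9", 80, 40003, "SA", 74),
    ("in", "198.51.100.9", 80, 40003, "SA", 74),
]

def unsolicited_synacks(packets):
    """Group inbound SYN-ACKs that answer no SYN we sent, by remote address.

    Returns {remote_ip: (packet_count, total_bytes)}. A few stray entries are
    ordinary internet backscatter; a sustained stream of repeated SYN-ACKs from
    hosts we never contacted is what the spoofed victim of a TCP reflection
    attack sees, and the remote addresses are the reflectors, not the attacker.
    """
    sent_syn = set()
    hits = defaultdict(lambda: [0, 0])
    for direction, rip, rport, lport, flags, size in packets:
        key = (rip, rport, lport)
        if direction == "out" and flags == "S":
            sent_syn.add(key)
        elif direction == "in" and flags == "SA" and key not in sent_syn:
            hits[rip][0] += 1
            hits[rip][1] += size
    return {ip: tuple(counts) for ip, counts in hits.items()}

def suspected_reflectors(packets, min_packets=2):
    """Remote hosts that sent at least min_packets unsolicited SYN-ACKs,
    sorted so the output is stable for reporting or allow-list review."""
    return sorted(ip for ip, (count, _) in unsolicited_synacks(packets).items()
                  if count >= min_packets)
```

Because the reflectors are legitimate security appliances, the useful response to a hit list like this is to notify their operators and to filter on the unsolicited-SYN-ACK pattern rather than on reputation.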
Scope of Impact: Affected Products and OS Versions
The vulnerability is widespread across the Palo Alto Networks ecosystem, affecting various form factors including physical hardware, virtualized environments, and containerized deployments. The following versions of PAN-OS have been identified as vulnerable, and users are urged to transition to the specified patched releases:
- PAN-OS 10.2: Versions prior to 10.2.2-h2 are vulnerable.
- PAN-OS 10.1: Versions prior to 10.1.6-h6 are vulnerable.
- PAN-OS 10.0: Versions prior to 10.0.11-h1 are vulnerable.
- PAN-OS 9.1: Versions prior to 9.1.14-h4 are vulnerable.
- PAN-OS 9.0: Versions prior to 9.0.16-h3 are vulnerable.
- PAN-OS 8.1: Versions prior to 8.1.23-h1 are vulnerable.
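PAN-OS builds carry an "-hN" hotfix suffix, so a naive string comparison of a device's reported version against the list above gives wrong answers (a base release sorts after its own hotfixes, and "9.1.14" is not obviously older than "9.1.14-h4"). The following Python is an added example written for this article, not code from Palo Alto Networks or CISA; the firewall inventory it checks is constructed.

```python
# Fixed releases from the advisory, keyed by release train. A firewall on an
# earlier build of the same train is vulnerable; a train not listed here is
# unknown to this check and returns None rather than a false "safe".
FIXED_RELEASES = {
    "10.2": "10.2.2-h2", "10.1": "10.1.6-h6", "10.0": "10.0.11-h1",
    "9.1": "9.1.14-h4", "9.0": "9.0.16-h3", "8.1": "8.1.23-h1",
}

def parse_panos_version(version):
    """Turn '10.1.6-h6' into a comparable tuple (10, 1, 6, 6).

    PAN-OS hotfixes carry an '-hN' suffix; a base release such as '10.1.6'
    is older than any of its hotfixes, so it gets hotfix number 0.
    """
    base, _, hotfix = version.strip().partition("-h")
    major, minor, maint = (int(part) for part in base.split("."))
    return (major, minor, maint, int(hotfix) if hotfix else 0)

def is_vulnerable(version):
    """True if the build predates the fix for its train, False if fixed,
    None if the train is not covered by the advisory's list."""
    parsed = parse_panos_version(version)
    train = f"{parsed[0]}.{parsed[1]}"
    fixed = FIXED_RELEASES.get(train)
    if fixed is None:
        return None
    return parsed < parse_panos_version(fixed)

def triage(inventory):
    """Map firewall names to their status for a {name: version} inventory."""
    return {name: is_vulnerable(ver) for name, ver in inventory.items()}

# Constructed inventory of firewall hostnames and the PAN-OS builds they report.
INVENTORY = {"fw-edge-1": "10.1.6-h4", "fw-edge-2": "10.1.6-h6",
             "fw-dc-1": "9.1.14", "fw-lab": "10.2.3", "fw-old": "8.0.20"}
```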
Palo Alto Networks has emphasized that for a system to be at risk, it must meet a specific set of criteria that the company describes as "unintended by the network administrator." Specifically, the firewall must be configured to perform URL filtering on traffic originating from the untrusted (external) zone. While this is not a common practice for most standard enterprise deployments—which typically focus URL filtering on internal users heading out to the internet—it is a configuration that exists in certain service provider environments or complex multi-tenant architectures.
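Because the exposure depends on configuration as much as on version, a defender also wants to audit the rulebase for the exact combination described above: a URL filtering profile with at least one blocked category, attached to a security rule whose source zone contains an external-facing interface. The following Python is an added example written for this article, not a Palo Alto Networks tool; the XML fragment is constructed and borrows PAN-OS element names while flattening the real, more deeply nested tree, and the set of external-facing interfaces is an assumption the auditor must supply because the configuration does not label interfaces as internal or external.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified configuration fragment that borrows the PAN-OS XML
# element names (zone, rulebase/security/rules, profiles/url-filtering) but
# flattens the real tree, which is nested far more deeply under devices/vsys.
CONFIG_XML = """<config><vsys>
<zone>
  <entry name="untrust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
  <entry name="trust"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
</zone>
<profiles><url-filtering>
  <entry name="block-risky"><block><member>malware</member></block></entry>
  <entry name="alert-only"><alert><member>malware</member></alert></entry>
</url-filtering></profiles>
<rulebase><security><rules>
  <entry name="inbound-web"><from><member>untrust</member></from><profile-setting>
    <profiles><url-filtering><member>block-risky</member></url-filtering></profiles>
  </profile-setting></entry>
  <entry name="users-out"><from><member>trust</member></from><profile-setting>
    <profiles><url-filtering><member>block-risky</member></url-filtering></profiles>
  </profile-setting></entry>
  <entry name="inbound-alert"><from><member>untrust</member></from><profile-setting>
    <profiles><url-filtering><member>alert-only</member></url-filtering></profiles>
  </profile-setting></entry>
</rules></security></rulebase>
</vsys></config>"""

# Which interfaces face the internet is not recorded in the config; the
# auditor supplies it. Assumed here for the constructed fragment.
EXTERNAL_INTERFACES = {"ethernet1/1"}

def exposed_rules(xml_text, external_interfaces):
    """Return names of security rules that meet the advisory's conditions:
    the rule applies a URL filtering profile with at least one blocked
    category, and its source zone contains an external-facing interface."""
    root = ET.fromstring(xml_text)
    external_zones = {
        z.get("name") for z in root.findall("./vsys/zone/entry")
        if {m.text for m in z.findall("./network/layer3/member")} & external_interfaces}
    blocking_profiles = {
        p.get("name") for p in root.findall("./vsys/profiles/url-filtering/entry")
        if p.findall("./block/member")}
    hits = []
    for rule in root.findall("./vsys/rulebase/security/rules/entry"):
        from_zones = {m.text for m in rule.findall("./from/member")}
        profiles = {m.text for m in rule.findall("./profile-setting/profiles/url-filtering/member")}
        if from_zones & external_zones and profiles & blocking_profiles:
            hits.append(rule.get("name"))
    return hits
```

Only "inbound-web" is flagged: "users-out" blocks categories but on an internal zone, and "inbound-alert" faces the internet but its profile only alerts, matching the three-part condition in the advisory.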
Chronology of Discovery and Response
The timeline of CVE-2022-0028 highlights the rapid transition from discovery to active exploitation. In early August 2022, a service provider alerted Palo Alto Networks to an unusual spike in reflected TCP traffic. Upon investigation, the company identified that its appliances were being used as reflectors.
- August 10, 2022: Palo Alto Networks issued its initial security advisory (PAN-SA-2022-0003), disclosing the vulnerability and providing temporary workarounds for organizations unable to patch immediately.
- Mid-August 2022: Security researchers and monitoring firms began observing an uptick in scanning activity targeting the ports and configurations associated with this flaw.
- August 22, 2022: CISA officially added CVE-2022-0028 to the KEV Catalog. This move was based on evidence of active exploitation, which, according to CISA’s criteria, means the flaw is being used by "known threat actors" in the wild.
- September 9, 2022: The deadline set by CISA for all federal agencies to apply the necessary patches.
While Palo Alto Networks initially stated that the vulnerability was only exploitable on a limited number of systems under specific conditions, the CISA designation suggests that attackers have been successful in finding and weaponizing those specific instances. To date, there have been no public reports of major outages caused specifically by this exploit, but the potential for a coordinated large-scale RDoS attack remains a significant concern for global internet stability.
The Broader Context of Volumetric DDoS Attacks
The exploitation of CVE-2022-0028 is part of a broader, more concerning trend in the cybersecurity landscape: the evolution of Distributed Denial-of-Service (DDoS) attacks. For years, attackers relied on simple "botnets" of compromised computers or IoT devices to flood targets with traffic. However, as defensive technologies like scrubbing services and Content Delivery Networks (CDNs) have improved, attackers have turned to reflection and amplification to increase their "bang for the buck."
Historically, protocols like DNS (Domain Name System), NTP (Network Time Protocol), and SNMP (Simple Network Management Protocol) have been the primary vectors for amplification. For instance, a small 60-byte DNS query can result in a 3,000-byte response, a 50x amplification factor. By finding a vulnerability in a high-performance security appliance like a Palo Alto Networks firewall, attackers can achieve similar or even greater amplification factors using TCP, which is generally more difficult to spoof but more disruptive when successfully reflected.
The impact of these volumetric attacks is measured in more than just "downed" websites. For modern enterprises, a DDoS attack can result in significant revenue loss, the interruption of critical customer-facing services, and the distraction of IT security teams, who may be forced to deal with the traffic flood while a secondary, more surgical attack (such as ransomware or data theft) occurs simultaneously.
CISA’s Role and the Significance of the KEV Catalog
CISA’s decision to mandate patching for this vulnerability underscores the agency’s proactive stance under Binding Operational Directive (BOD) 22-01. Established in November 2021, BOD 22-01 requires federal agencies to remediate vulnerabilities identified by CISA as having been exploited in the wild. The KEV Catalog serves as the "to-do list" for the nation’s cybersecurity defenders.
The inclusion of a Palo Alto Networks flaw in this catalog is significant because it highlights that even top-tier security vendors are not immune to architectural flaws that can be turned against the user. CISA’s move is intended to create a "herd immunity" effect; by forcing federal agencies to patch quickly, the agency reduces the total number of available "reflectors" on the internet, thereby diminishing the overall capacity for attackers to launch massive RDoS attacks.
Cybersecurity experts suggest that while the mandate technically only applies to federal agencies, private sector organizations should treat the September 9 deadline as a benchmark for their own security posture. "When CISA puts a bug in the KEV, it’s no longer a theoretical risk," says one independent security analyst. "It means the door is already open, and someone has already walked through it."
Remediation and Strategic Implications
For organizations utilizing Palo Alto Networks firewalls, the primary recommendation is to update PAN-OS to the latest available hotfix version. For those who cannot patch immediately, Palo Alto Networks suggests a mitigation strategy: disabling the "Packet Based Attack Protection" or ensuring that URL filtering is not applied to traffic originating from external zones where the source IP cannot be verified.
However, the strategic implication of CVE-2022-0028 goes beyond a simple patch. It raises questions about "Secure by Design" principles. As firewalls become more complex—incorporating deep packet inspection, URL filtering, and AI-driven threat detection—the attack surface of the firewall itself expands. This event serves as a case study in why "default-deny" postures and rigorous configuration audits are essential.
In conclusion, the active exploitation of CVE-2022-0028 represents a sophisticated use of enterprise-grade hardware to facilitate network-level disruption. The swift response from CISA and the mandatory patching deadline reflect the high stakes involved in modern infrastructure protection. As the September 9 deadline approaches, the global security community will be watching to see if the reduction in vulnerable reflectors successfully blunts the impact of this emerging RDoS vector. Organizations are urged not to wait for the deadline, as the window for exploitation remains open as long as the systems remain unpatched.