CVSS Triage Logic Broke Down: How Two 'Manageable' Palo Alto Vulnerabilities Enabled Root Access to 13,000 Devices
In November 2024, during an operation tracked as Operation Lunar Peek, threat actors chained two Palo Alto Networks vulnerabilities to compromise more than 13,000 exposed management interfaces, gaining unauthenticated remote administrative access that escalated to root-level control. The critical failure point was not a zero-day unknown to defenders—it was the triage logic that consumed CVSS severity scores as standalone risk indicators. One of the two CVEs received a 6.9 from Palo Alto Networks under CVSS v4.0, placing it below organizational patch thresholds. The other scored 9.3 but sat queued for scheduled maintenance under the assumption that segmentation would contain exposure. Neither score flagged the kill chain. Both now appear on the CISA Known Exploited Vulnerabilities catalog.
The scoring discrepancy between Palo Alto Networks and the National Vulnerability Database amplified the failure. Palo Alto scored CVE-2024-0012 at 9.3 and CVE-2024-9474 at 6.9 under CVSS v4.0. NVD scored the same pair 9.8 and 7.2 respectively under CVSS v3.1. The 6.9 fell below patch thresholds. The 9.3 sat in a maintenance queue. Adversaries weaponized exactly this gap between individual CVE assessments and combined exploit potential. Adam Meyers, SVP of Counter Adversary Operations at CrowdStrike, described the triage logic in pointed terms: "They just had amnesia from 30 seconds before." Speaking to VentureBeat, Meyers noted that adversaries systematically circumvent severity ratings by chaining vulnerabilities in ways that no single score predicts.
The case surfaces a structural vulnerability in how organizations ingest and act on CVSS data. Management interfaces with broad network access represent a high-value attack surface precisely because full compromise—not partial—is the goal. When severity scores guide patch sequencing, the assumption that individual ratings capture holistic risk becomes a liability. The Palo Alto incident illustrates how reasonable triage decisions, made in isolation, can converge into catastrophic exposure. Security teams are now under renewed pressure to reassess whether vendor-provided severity scores adequately reflect chained exploit scenarios, particularly for externally facing management planes.
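The gap between per-CVE scoring and chained risk can be made concrete in a triage rule. The following Python sketch is an added example, not code from the article or from any vendor. It contrasts threshold-only triage with a check that escalates every CVE on a device when they link unauthenticated access to root. The 7.0 threshold, the `requires`/`grants` labels, the `mgmt_exposed` flag and the action names are assumptions of this example.

```python
from dataclasses import dataclass

PATCH_THRESHOLD = 7.0  # assumed cutoff; the article only says 6.9 fell below it

@dataclass(frozen=True)
class Finding:
    cve: str
    score: float    # vendor CVSS v4.0 score quoted in the article
    requires: str   # access the attacker must already hold (modelled)
    grants: str     # access gained on success (modelled)
    kev: bool = False  # listed in CISA KEV; left False to show chain logic alone

# Constructed inventory for one firewall, using the article's two CVEs.
FINDINGS = [
    Finding("CVE-2024-0012", 9.3, requires="none", grants="admin"),
    Finding("CVE-2024-9474", 6.9, requires="admin", grants="root"),
]

def score_only(findings):
    """Each CVE judged alone against the threshold."""
    return {f.cve: "scheduled" if f.score >= PATCH_THRESHOLD else "backlog"
            for f in findings}

def find_chain(findings, level="none", goal="root", seen=()):
    """Depth-first search for CVEs that lead from `level` to `goal`."""
    if level == goal:
        return []
    for f in findings:
        if f.requires == level and f.cve not in seen:
            rest = find_chain(findings, f.grants, goal, seen + (f.cve,))
            if rest is not None:
                return [f] + rest
    return None  # no path: the remaining CVEs do not combine into a chain

def chain_aware(findings, mgmt_exposed):
    """Escalate KEV entries and every link of an unauthenticated-to-root chain."""
    decision = score_only(findings)
    chain = find_chain(findings) if mgmt_exposed else None
    for f in findings:
        if f.kev or (chain and f in chain):
            decision[f.cve] = "emergency"
    return decision

if __name__ == "__main__":
    print("score only :", score_only(FINDINGS))
    print("chain aware:", chain_aware(FINDINGS, mgmt_exposed=True))
```

With only CVE-2024-9474 left on a device, no path from unauthenticated access exists, so the rule leaves it at its score-based priority.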