CISA Orders Federal Agencies to Patch Palo Alto Firewall Flaw Being Exploited Now

A misconfigured URL filtering setting in Palo Alto Networks firewall software is letting attackers weaponise the firewalls themselves — turning them into unwitting cannons pointed at other targets.

ThreatVectr Newsdesk· 3 min read
Photoreal news-editorial style, 16:9 framing, edge-to-edge composition
Share

Key points

  • CVE-2022-0028, a high-severity flaw in Palo Alto Networks' PAN-OS firewall software, was added to CISA's Known Exploited Vulnerabilities Catalog in August 2022.
  • U.S. federal agencies were ordered to apply patches by September 9, 2022.
  • The bug affects six PAN-OS version lines across PA-Series hardware, VM-Series virtual, and CN-Series container firewalls.
  • Palo Alto Networks says the vulnerable configuration is uncommon and likely set up by mistake, not by design.
  • Patches are available now for all affected versions.

Palo Alto Networks makes the firewall equipment — hardware and software that stands between a company's internal network and the open internet — used by governments, hospitals, banks, and businesses worldwide. This month, researchers found a flaw in that software serious enough that the U.S. Cybersecurity and Infrastructure Security Agency, the federal body that coordinates the country's cyber defences, issued an urgent public warning.

The bug, tracked as CVE-2022-0028, lives in PAN-OS — the operating system that runs Palo Alto's firewalls. It lets an outside attacker, without ever logging in or proving any identity, trick a vulnerable firewall into firing a flood of junk traffic at a target of the attacker's choosing. That technique is called a reflected and amplified denial-of-service attack. Think of it like redirecting a firehose: the attacker gives the firewall the address of a victim, and the firewall does the flooding.

How did the hackers get in?

They didn't need to "get in" — that's what makes this unusual. The flaw doesn't require breaking into the firewall. It only requires that the firewall has a specific URL filtering setting switched on in a particular way. URL filtering is a feature that blocks employees from visiting certain categories of website. If an administrator set up that filter with one or more blocked categories attached to a rule that faces the open internet, the firewall becomes vulnerable. Palo Alto Networks believes most administrators didn't intend to create this configuration; it appears to be an accidental by-product of common setup steps.

Six version lines of PAN-OS carry this flaw. The fixed versions are PAN-OS 10.2.2-h2, 10.1.6-h6, 10.0.11-h1, 9.1.14-h4, 9.0.16-h3, and 8.1.23-h1. If your organisation's Palo Alto firewall runs anything older than those, it needs updating now.

CISA added CVE-2022-0028 to its Known Exploited Vulnerabilities Catalog — a curated list of flaws confirmed to be actively abused in the real world — on a Monday in late August. Federal agencies had until September 9, 2022 to patch. CISA also strongly recommends private businesses treat the list as a priority queue.

The practical danger here is not that attackers steal your data. It's that your firewall gets drafted into someone else's attack, hammering a third party's website or service offline without your knowledge. Businesses hit by that flood of traffic can lose hours of revenue and customer access.

If you run a Palo Alto Networks firewall, check the version and apply the available patch. If you manage IT for a smaller organisation and rely on a third-party provider to handle your firewalls, ask them directly whether this patch has been applied.

© 2026 Threat Vectr