During Operation Lunar Peek in November 2024, attackers gained unauthenticated remote admin access — and eventual root — across more than 13,000 exposed Palo Alto Networks management interfaces. Palo Alto Networks scored CVE-2024-0012 at 9.3 and CVE-2024-9474 at 6.9 under CVSS v4.0. NVD scored the same pair 9.8 and 7.2 under CVSS v3.1. Two scoring systems. Two different answers for the same vulnerabilities. The 6.9 fell below patch thresholds. Admin access appeared required. The 9.3 sat queued for maintenance. Segmentation would hold.
"Adversaries circumvent [severity ratings] by chaining vulnerabilities together," Adam Meyers, SVP of Counter Adversary Operations at CrowdStrike, told VentureBeat in an exclusive interview on April 22, 2026. On the triage logic that missed the chain: "They just had amnesia from 30 seconds before."
Both CVEs sit on the CISA Known Exploited Vulnerabilities catalog. Neither score flagged the kill chain. The triage logic that consumed those scores treated each CVE as an isolated event, and so did the SLA dashboards and the board reports those dashboards feed.
CVSS did exactly what it was designed to do. Score one vulnerability at a time. The problem is that adversaries do not attack one vulnerability at a time.
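The gap between per-CVE and chain-aware triage can be shown with the two scores quoted above. This is an added example, not code from Palo Alto Networks, CrowdStrike or VentureBeat; the 7.0 threshold, the `requires`/`grants` fields, the privilege ordering and the queue labels are assumptions made for illustration.

```python
from dataclasses import dataclass

PATCH_THRESHOLD = 7.0  # assumed policy cutoff; the article gives no actual value
LEVEL = {"none": 0, "user": 1, "admin": 2, "root": 3}  # assumed privilege ordering

@dataclass(frozen=True)
class Finding:
    cve: str
    score: float   # vendor CVSS v4.0 score quoted in the article
    requires: str  # privilege needed before exploitation
    grants: str    # privilege held after exploitation
    kev: bool      # listed in the CISA KEV catalog

# Constructed findings for one exposed management interface.
FINDINGS = [
    Finding("CVE-2024-0012", 9.3, "none", "admin", True),
    Finding("CVE-2024-9474", 6.9, "admin", "root", True),
]

def triage_isolated(findings):
    """Score-only triage: each CVE is compared to the threshold on its own."""
    return {f.cve: "scheduled" if f.score >= PATCH_THRESHOLD else "deferred"
            for f in findings}

def find_chains(findings, start="none"):
    """Multi-step paths where each step's requirement is met by privilege already gained."""
    chains = []
    def walk(held, path):
        for f in findings:
            if f in path or LEVEL[f.requires] > held or LEVEL[f.grants] <= held:
                continue
            step = path + [f]
            if len(step) > 1:
                chains.append(step)
            walk(LEVEL[f.grants], step)
    walk(LEVEL[start], [])
    return chains

def triage_chained(findings):
    """Escalate every CVE in a chain that starts unauthenticated and includes a KEV entry."""
    result = triage_isolated(findings)
    for chain in find_chains(findings):
        if any(f.kev for f in chain):
            for f in chain:
                result[f.cve] = "emergency"
    return result

if __name__ == "__main__":
    print(triage_isolated(FINDINGS))
    print(triage_chained(FINDINGS))
```

The same 6.9 finding stays deferred when it is the only one on the asset, because nothing on that asset supplies the admin access it requires.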







