Attackers gained root access to over 13,000 Palo Alto Networks devices by chaining two vulnerabilities, CVE-2024-0012 and CVE-2024-9474, both of which are listed on the CISA Known Exploited Vulnerabilities catalog. While each CVE was scored as manageable under both CVSS v4.0 and v3.1, triage logic that rated each one on its own missed the compound effect of exploiting them together, with severe consequences. The incident underscores a limitation of the CVSS system: it assesses vulnerabilities individually and does not account for the risk of chained exploits. The threat landscape is further complicated by nation-state actors who now weaponize patches within days of disclosure, as highlighted in CrowdStrike’s report, which makes the case that security measures must evolve as quickly as attack strategies do.
Adam Meyers: Adam Meyers is Senior Vice President of Counter Adversary Operations at CrowdStrike, where he leads threat intelligence and hunting operations tracking global adversary groups. In a recent VentureBeat interview on April 22, 2026, he highlighted operational triage failures in handling chained vulnerabilities like the Palo Alto pair. He emphasized adversaries’ tactics in bypassing severity ratings through combinations that individual CVSS scores overlook.
Chris Gibson: Chris Gibson is Executive Director of FIRST, the Forum of Incident Response and Security Teams, which maintains the CVSS vulnerability scoring standard. In recent commentary, including an April 2026 IETF appeal and interviews, he advocates for advanced prioritization methods. He told The Register that relying solely on CVSS base scores is the least accurate approach for triage.
Jerry Gamblin: Jerry Gamblin is Principal Engineer at Cisco Threat Detection and Response and founder of RogoLabs, specializing in vulnerability forecasting and intelligence through open data tools. Recently posting on NIST NVD updates and VulnCon 2026, he analyzes CVE ecosystem trends. In the news, he addressed how the CVE infrastructure is buckling under projected growth in CVE volume.
Peter Chronis: Peter Chronis is a security leader and former EVP CISO at Paramount Global with Fortune 100 experience in vulnerability management. He has reported success in reducing critical risks by prioritizing beyond CVSS base scores. In the news, he criticized CVSS scores as theoretical measures that ignore real-world context.
Daniel Bernard: Daniel Bernard serves as Chief Business Officer at CrowdStrike, driving channel partnerships, alliances, and growth initiatives in cybersecurity. Recently active in discussions on ecosystem collaborations, he addresses evolving threat dynamics. In the article, he described the cybersecurity landscape shifting to daily patching due to rapid adversary exploitation of new vulnerabilities.
Palo Alto Networks: Palo Alto Networks is a multinational cybersecurity company headquartered in Santa Clara, California, providing next-generation firewalls, cloud security platforms, and AI-powered threat prevention solutions. Recently recognized with multiple 2026 Google Cloud Partner of the Year awards for integrated security innovations, it helps organizations achieve zero trust architectures. In this story, the chained vulnerabilities CVE-2024-0012 and CVE-2024-9474 in its PAN-OS management interfaces enabled unauthenticated root access during Operation Lunar Peek in November 2024.
CVSS Limitations: CVSS scores vulnerabilities individually, failing to capture risks from chained exploits like the Palo Alto pair.
Threat Acceleration: CrowdStrike’s 2026 Global Threat Report documents nation-state actors weaponizing patches within days of disclosure and AI scaling up attacks.
NVD Prioritization Shift: NIST updated NVD operations on April 15, 2026, to enrich only KEV-catalog entries and federal critical software amid surging submissions.
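To make the CVSS Limitations point concrete, here is an added example of a small chain-aware triage step; it is not code from the article, from CrowdStrike, from FIRST or from Palo Alto Networks. Each CVE is modelled with its base score, its KEV status, and the capabilities an exploit needs and grants; same-product chains that carry an unauthenticated network attacker to root are then enumerated and every CVE on such a chain is raised to the top priority regardless of its own score. The CVSS values, the P1 to P4 thresholds and the capability names are constructed for the example, the third CVE id is a placeholder, and the capability roles assigned to the two PAN-OS CVEs (one yields admin, the other escalates admin to root) are the widely reported ones, which the article itself does not spell out.

```python
"""Chain-aware vulnerability triage.

Added example; not code from the article or from any vendor named in it.
Each CVE carries its CVSS base score plus two signals the article says
score-only triage misses: CISA KEV membership and the capabilities the
exploit needs and grants, from which exploit chains are derived.
"""
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Vuln:
    cve: str
    product: str
    cvss: float               # base score; all values below are constructed
    in_kev: bool              # listed in the CISA Known Exploited Vulnerabilities catalog
    needs: frozenset[str]     # capabilities the attacker must already hold
    grants: frozenset[str]    # capabilities gained by exploiting it


# Constructed sample data. The two PAN-OS entries use the CVE ids from the
# article; their scores are placeholders, not the published ratings. The
# capability roles (auth bypass to admin, then admin to root) are the widely
# reported ones, which the article itself does not spell out.
SAMPLE_VULNS = (
    Vuln("CVE-2024-0012", "PAN-OS", 6.8, True, frozenset({"network"}), frozenset({"admin"})),
    Vuln("CVE-2024-9474", "PAN-OS", 6.9, True, frozenset({"admin"}), frozenset({"root"})),
    # Placeholder id on an unrelated product: same kind of bug, nothing to chain with.
    Vuln("CVE-EXAMPLE-0001", "ExampleApp", 6.8, False, frozenset({"network"}), frozenset({"admin"})),
)


def score_only_priority(v: Vuln) -> str:
    """Naive triage: fixed thresholds on the CVSS base score alone (thresholds assumed)."""
    if v.cvss >= 9.0:
        return "P1"
    if v.cvss >= 7.0:
        return "P2"
    if v.cvss >= 4.0:
        return "P3"
    return "P4"


def _is_minimal_chain(order, start_caps, goal):
    """True if exploiting `order` in sequence carries an attacker from start_caps
    to `goal`, with every step satisfiable and the goal reached only at the end."""
    caps = set(start_caps)
    for v in order:
        if goal in caps or not v.needs <= caps:
            return False
        caps |= v.grants
    return goal in caps


def find_chains(vulns, start_caps=frozenset({"network"}), goal="root"):
    """Enumerate minimal same-product exploit chains from start_caps to goal.
    Brute force over orderings: fine for the handful of CVEs per product in a
    triage queue, not for a whole NVD dump."""
    by_product = {}
    for v in vulns:
        by_product.setdefault(v.product, []).append(v)
    chains = []
    for group in by_product.values():
        for n in range(1, len(group) + 1):
            for order in permutations(group, n):
                if _is_minimal_chain(order, start_caps, goal):
                    chains.append(tuple(v.cve for v in order))
    return chains


def chain_aware_priority(vulns):
    """Return {cve: (priority, reason)}. A CVE on a chain that reaches root is P1
    whatever its own score; a KEV entry is at least P2; otherwise score thresholds."""
    chained = {cve for chain in find_chains(vulns) for cve in chain}
    result = {}
    for v in vulns:
        priority, reason = score_only_priority(v), "CVSS base score"
        if v.cve in chained:
            priority, reason = "P1", "member of an exploit chain reaching root"
        elif v.in_kev and priority not in ("P1", "P2"):
            priority, reason = "P2", "listed in CISA KEV"
        result[v.cve] = (priority, reason)
    return result


if __name__ == "__main__":
    for cve, (prio, why) in chain_aware_priority(SAMPLE_VULNS).items():
        naive = score_only_priority(next(v for v in SAMPLE_VULNS if v.cve == cve))
        print(f"{cve}: score-only {naive} -> chain-aware {prio} ({why})")
```

Run as a script, the two PAN-OS CVEs move from P3 under score-only triage to P1 because together they form a network-to-root chain, while the placeholder CVE with the identical score stays at P3. The capability model is the part worth maintaining: the per-CVE scores come from the advisory, but the needs/grants pairs are what let the triage step see the compound effect that individual CVSS scores do not express.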
