CVSS said these Palo Alto CVEs were fine. Chained, they handed root to 13,000 devices

CVE chaining turned two seemingly moderate Palo Alto Networks flaws into a full-scale breach: during Operation Lunar Peek in November 2024, attackers walked into more than 13,000 exposed management interfaces with unauthenticated remote admin access and eventually root. CVSS didn't fail here. It did exactly what it was built to do — score one vulnerability at a time. That's precisely the problem.
How the scoring logic missed the chain
CVE-2024-0012 scored 9.3 under CVSS v4.0 (9.8 under NVD's v3.1 assessment). CVE-2024-9474 landed at 6.9 in v4.0 (7.2 in v3.1). That lower score slipped below most enterprise patch thresholds because it appeared to require prior admin access. What triage teams didn't account for: the first CVE eliminated that prerequisite entirely. Two scoring systems, two different answers, and neither communicated the compound effect. The 9.3 sat queued for maintenance. The 6.9 didn't even make the queue.
What actually happened during Operation Lunar Peek
CVE-2024-0012 bypassed authentication. CVE-2024-9474 escalated privileges to root. Both now sit on CISA's KEV catalog, but no individual score flagged the kill chain. Adam Meyers, SVP of Counter Adversary Operations at CrowdStrike, described the operational psychology bluntly: teams assessed each CVE independently, deprioritized the lower score, and queued the higher one for routine maintenance — they "had amnesia from 30 seconds before." The outcome was 13,000 compromised devices across exposed management interfaces.
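The triage gap described in the two sections above, as an added worked example (not code from the article, Palo Alto Networks, or CrowdStrike): a minimal chain-aware prioritization model that uses the two CVEs' published v4.0 scores and the bypass-then-escalate relationship the article reports. The 7.0 patch threshold, the access-level labels and the third placeholder entry are assumptions introduced for illustration.

```python
from dataclasses import dataclass

PATCH_THRESHOLD = 7.0  # assumed enterprise cutoff; the 6.9 falls just below it


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float
    requires: str  # access the attacker must already hold to exploit it
    grants: str    # access the attacker holds after exploiting it


# The two Lunar Peek CVEs with their v4.0 scores from the article, plus one
# constructed placeholder that needs physical access and so cannot be reached
# from the network by anything else in the list.
VULNS = [
    Vuln("CVE-2024-0012", 9.3, requires="network", grants="admin"),
    Vuln("CVE-2024-9474", 6.9, requires="admin", grants="root"),
    Vuln("EXAMPLE-LOCAL-ONLY", 6.5, requires="physical", grants="root"),
]


def isolated_queue(vulns, threshold=PATCH_THRESHOLD):
    """Score-at-a-time triage: each CVE is judged by its own CVSS number."""
    return sorted(v.cve for v in vulns if v.cvss >= threshold)


def reachable_chains(vulns, start="network"):
    """Depth-first walk over access levels: a CVE becomes exploitable once the
    start state or an earlier CVE grants the access it requires."""
    chains = []

    def walk(state, path):
        for v in vulns:
            if v.requires == state and v.cve not in path:  # no cycles
                chain = path + [v.cve]
                chains.append((chain, v.grants))
                walk(v.grants, chain)

    walk(start, [])
    return chains


def chain_aware_queue(vulns, threshold=PATCH_THRESHOLD, start="network"):
    """Every CVE in a chain reachable from the attacker's real starting
    position inherits the highest CVSS score in that chain."""
    by_cve = {v.cve: v.cvss for v in vulns}
    effective = {}
    for chain, _ in reachable_chains(vulns, start):
        top = max(by_cve[c] for c in chain)
        for c in chain:
            effective[c] = max(effective.get(c, 0.0), top)
    return sorted(c for c, score in effective.items() if score >= threshold)


def reachable_access(vulns, start="network"):
    """Access levels an attacker starting at `start` can end up holding."""
    return {grants for _, grants in reachable_chains(vulns, start)}
```

Under the isolated view only CVE-2024-0012 clears the threshold; once CVE-2024-0012's "admin" outcome is matched against CVE-2024-9474's prerequisite, the 6.9 inherits the chain's 9.3 and "root" appears as a reachable end state, while the placeholder that needs physical access stays out of the queue.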
CVSS isn't broken — it's just being used wrong
Peter Chronis, former CISO of Paramount, reported cutting actionable critical and high-risk vulnerabilities by 90% by moving beyond CVSS-first prioritization. Chris Gibson, executive director of FIRST — the organization that actually maintains CVSS — has stated clearly that using base scores alone for prioritization is "the least apt and accurate" method. Frameworks like EPSS and CISA's SSVC decision model add exploitation probability and decision-tree logic that close part of that gap. But SLA dashboards and board reports still feed on a single number that was never designed to carry that weight.
The broader problem: more CVEs, less time to react
48,185 CVEs were disclosed in 2025, up 20.6% year-over-year, with projections hitting 70,135 for 2026. The CrowdStrike 2026 Global Threat Report found China-nexus adversaries weaponizing newly patched vulnerabilities within two to six days of disclosure. Average breakout time across observed intrusions: 29 minutes. Fastest observed: 27 seconds. NIST has already announced it will only prioritize CVE enrichment for KEV entries and federal critical software — the scoring infrastructure is buckling. And there's an entire attack surface CVSS can't score at all: a 2023 help desk social engineering call cost one major enterprise over $100 million. No CVE was assigned. No score existed. No patch pipeline was triggered. The vulnerability was a human process gap, sitting entirely outside the system's aperture.
The real question isn't whether CVSS has value — it does — but whether organizations will keep making patching decisions as if every flaw lives in isolation when attackers have clearly moved on from that approach.
Source: VentureBeat