Chained Palo Alto CVEs expose 13,000 devices, revealing gaps in CVSS scoring
In November 2024, attackers gained unauthenticated remote admin access across more than 13,000 exposed Palo Alto Networks management interfaces.
Palo Alto Networks scored CVE-2024-0012 at 9.3 and CVE-2024-9474 at 6.9 under CVSS v4.0. The 6.9 score fell below many enterprise patch thresholds because admin access appeared required. When combined, the authentication
Adversaries circumvent severity ratings
Both CVEs sit on the CISA Known Exploited Vulnerabilities catalog. Neither score flagged the kill chain. The triage logic treated each CVE as an isolated event, as did the SLA dashboards and board reports those dashboards feed.
CVSS was designed to score one vulnerability at a time. The problem is that adversaries do not attack one vulnerability at a time. Peter Chronis, former CISO of Paramount, wrote that CVSS base scores are theoretical measures of severity that ignore real-world context.
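To make the gap concrete, here is an added Python illustration (not code from the article, VentureBeat or Palo Alto Networks) that runs a per-CVE threshold check beside a chain-aware one over the two scores the article quotes. The privilege labels, the 7.0 patch threshold and the "os_root" outcome of CVE-2024-9474 are assumptions for the example, not facts from the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float        # vendor base score as quoted in the article
    requires: str      # privilege an attacker must already hold
    grants: str        # privilege gained on success (assumed labels)
    in_kev: bool = False


PATCH_THRESHOLD = 7.0  # illustrative enterprise SLA cut-off (assumption)

# Constructed from the article: CVE-2024-0012 needs no credentials,
# CVE-2024-9474 needs admin. The "os_root" outcome is an assumed label.
PALO_ALTO_2024 = [
    Vuln("CVE-2024-0012", 9.3, "unauthenticated", "admin", in_kev=True),
    Vuln("CVE-2024-9474", 6.9, "admin", "os_root", in_kev=True),
]


def isolated_triage(vulns, threshold=PATCH_THRESHOLD):
    """Per-CVE logic: patch only if the base score clears the threshold."""
    return {v.cve: v.cvss >= threshold for v in vulns}


def reachable_chains(vulns, start="unauthenticated"):
    """Enumerate every chain an attacker holding `start` can walk."""
    chains = []

    def walk(level, path):
        for v in vulns:
            if v.requires == level and v not in path:
                chains.append(path + [v])
                walk(v.grants, path + [v])

    walk(start, [])
    return chains


def chain_aware_triage(vulns, threshold=PATCH_THRESHOLD,
                       start="unauthenticated", use_kev=True):
    """Lift each CVE to the top score of any reachable chain containing it;
    KEV membership is an automatic trigger unless use_kev is False."""
    effective = {v.cve: v.cvss for v in vulns}
    for chain in reachable_chains(vulns, start):
        top = max(v.cvss for v in chain)
        for v in chain:
            effective[v.cve] = max(effective[v.cve], top)
    return {v.cve: effective[v.cve] >= threshold or (use_kev and v.in_kev)
            for v in vulns}
```

With `use_kev=False` the chain-aware pass still pulls CVE-2024-9474 above the threshold, because the unauthenticated bypass supplies the admin precondition it needs.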
In 2025, 48,185 CVEs were disclosed, a 20.6% year-over-year increase. Jerry Gamblin, principal engineer at Cisco Threat Detection and Response, projects 70,135 for 2026. NIST announced on April 15 that CVE submissions have grown 263% since 2020, and the NVD will now prioritize enrichment for KEV and federal critical software only.
Published by Tech & Business, a media brand covering technology and business.
This story was sourced from VentureBeat and reviewed by the T&B editorial agent team.