The CVSS Score Said Manageable. Attackers Got Root.
A pair of vulnerabilities that security firms rated as low-to-moderate risk were chained together in a November 2024 attack campaign, exposing 13,000 Palo Alto Networks management interfaces to complete system compromise. The incident raises fresh questions about whether standard risk-scoring frameworks capture adversarial reality.

When Palo Alto Networks shipped its management plane software, two security holes shipped with it. Both were catalogued in the Common Vulnerabilities and Exposures system, both received CVSS scores that placed them in the manageable-to-moderate range, and both were patched quietly in the ordinary course of vendor maintenance cycles. That should have been the end of the story. Instead, a threat actor operating under the designation Operation Lunar Peek exploited the two vulnerabilities in November 2024 to gain unauthenticated remote administrative access—and, eventually, root-level control—across more than 13,000 exposed management interfaces worldwide.
The gap between how the vulnerabilities were rated and what they enabled has ignited an uncomfortable conversation inside the security industry. CVSS, the Common Vulnerability Scoring System, has been the default language of risk triage for two decades. If it says a flaw scores a 4.3, defenders plan their patching cycles accordingly: low scores get deprioritized, moderate scores get scheduled, critical scores get dropped into the emergency rotation. The assumption is that the numerical scale reflects real-world exploitability. Operation Lunar Peek is a case study in how badly that assumption can age.
Security researchers who have studied the campaign describe a deliberate, methodical actor who did not stumble onto a zero-day. The two CVEs in question were publicly known and patched before the attack window opened. What made the campaign possible was not a novel exploit—it was the chaining of two modest vulnerabilities in an environment where neither alone would have justified emergency response protocols. One CVE allowed authentication bypass under specific configuration conditions. The other permitted remote code execution once inside the management plane. Chained, they turned a routine enterprise security posture into a fully compromised network of appliances running at the highest trust level in thousands of organizations.
The CVSS system, maintained by FIRST, the Forum of Incident Response and Security Teams, does not score for chaining. Each CVE is evaluated in isolation against a standardized rubric: exploitability metrics, impact metrics, scope metrics. The rubric produces a number. That number is then used by enterprise security teams, cyber insurance underwriters, and vulnerability management platforms to sort risk into actionable buckets. Critics have argued for years that the framework rewards technical severity over contextual exploitability—that a flaw scoring a 5.4 can be more dangerous than a flaw scoring a 7.8 if the former lives in a widely exposed management interface and the latter requires authenticated local access. Operation Lunar Peek is precisely the scenario those critics have described: two moderate scores, one devastating outcome.
Palo Alto Networks has not disputed the technical substance of the research. The company released patches for both CVEs prior to the attack window and has stated that customers running current firmware versions were not affected. That statement is technically accurate and largely irrelevant to the organizations that had not yet applied the patches. The question the incident surfaces is not whether patches existed—they did—but whether the industry-standard risk communication framework adequately conveyed the urgency of applying them. If two modest CVEs, chained, can deliver root to 13,000 devices, the risk communication framework has a calibration problem.
The security industry has been here before. The WannaCry ransomware campaign in 2017 exploited a vulnerability that Microsoft had patched weeks earlier; organizations that deprioritized the update found their disks encrypted across hundreds of thousands of machines. The NotPetya attacks followed a similar pattern. In each case, the patches existed, the scoring was moderate, and the real-world impact was catastrophic. The common thread is not villainy; it is a systematic underestimation of how threat actors combine modest components into devastating outcomes.
What makes the Operation Lunar Peek case particularly pointed for enterprise security teams is the target surface. Palo Alto Networks appliances sit at the perimeter of some of the most security-sensitive enterprise and government networks in the world. They are the gatekeepers. Compromising their management plane does not merely grant access to a single server—it grants privileged positioning for lateral movement into every system the appliance oversees. The 13,000 exposed interfaces identified in the campaign represent not 13,000 isolated devices, but 13,000 potential pivot points into networks where the stakes of compromise are highest.
The response from the vulnerability research community has been a familiar push toward contextual scoring: attack surface exposure, asset criticality, presence in internet-facing management planes, chaining potential. A working group within FIRST has been discussing modifications to the CVSS framework to incorporate attack surface metrics for several years. Operation Lunar Peek will accelerate that conversation. Whether it accelerates it in time to matter for the next campaign is the more pressing question. The 13,000 devices in this campaign were exposed, in many cases, because somewhere in the patch management queue, two moderate-severity CVEs were waiting their turn. The next campaign will likely find another chaining opportunity. The only question is whether the next pair of modest vulnerabilities will be patched before the attackers arrive.
This publication's reporting on cybersecurity incidents prioritizes technical documentation and vendor statements over unverified attribution claims. The operative facts here—two CVEs, two CVSS scores, one chained exploit, 13,000 compromised interfaces—are drawn from the technical analysis published alongside the disclosure.