Table of Contents
- The CVSS Mirage: Why a 6.9 and a 9.3 Nearly Took Down 13,000 Firewalls
- When Two Weaknesses Become One Catastrophe
- The CVSS Conundrum: Designed for Simplicity, Destined for Failure
- The Triage Trap: Why Dashboards Lie to Boards
- The Rise of the Exploit Chain: A New Era of Cyber Warfare
- Beyond CVSS: Building a Context-Aware Defense
- The Future of Vulnerability Management: From Scores to Stories
- Conclusion: The Illusion of Control
The CVSS Mirage: Why a 6.9 and a 9.3 Nearly Took Down 13,000 Firewalls
In November 2024, a silent storm swept through the digital infrastructure of organizations worldwide. Dubbed Operation Lunar Peek, this cyber offensive exploited not one, but two vulnerabilities in Palo Alto Networks firewalls—vulnerabilities that, on paper, appeared manageable. Individually scored at 6.9 and 9.3 under the Common Vulnerability Scoring System (CVSS) v4.0, these flaws were treated as isolated risks. But when chained together, they granted attackers unauthenticated remote admin access—and ultimately full root control—over more than 13,000 exposed management interfaces. This wasn’t just a breach; it was a systemic failure of how we assess and prioritize cyber risk.
The incident exposed a critical flaw in modern cybersecurity: CVSS scores, the gold standard for vulnerability severity, are blind to attack chains. They evaluate vulnerabilities in isolation, like diagnosing a single symptom while ignoring the disease. Yet real-world attackers don’t operate that way. They combine weaknesses like a chef combining spices—each one enhancing the flavor of destruction. The result? A cascade of compromise that CVSS alone could never predict.
When Two Weaknesses Become One Catastrophe
CVE-2024-0012, a critical authentication bypass flaw in the PAN-OS management web interface, allowed attackers to gain administrative access without credentials. CVE-2024-9474, a privilege escalation vulnerability, let them climb from admin to root—full system control. On their own, these flaws were concerning but not catastrophic. The 6.9-rated CVE-2024-9474, for instance, fell below many organizations’ patch thresholds. It required admin access to exploit, which CVSS v4.0 encodes as Privileges Required: High (PR:H), the single metric that pulls a network-reachable, full-impact flaw down to 6.9, and which most assumed was already protected. The 9.3-rated CVE-2024-0012 was queued for routine maintenance, not emergency patching.
But adversaries didn’t play by those rules. They used the first flaw to gain admin access, then immediately leveraged the second to escalate to root. The chain never had to defeat network segmentation: the management interfaces were reachable from the internet, so the first hop landed directly on the firewall, the very device the segmentation depended on. Palo Alto Networks’ standing guidance to restrict management-interface access to trusted internal IP addresses would have removed that first hop entirely.
Adam Meyers, SVP of Counter Adversary Operations at CrowdStrike, described the triage failure bluntly: “They just had amnesia from 30 seconds before.” In other words, security teams evaluated each vulnerability in isolation, forgetting that the first exploit made the second possible. This “amnesia” is a symptom of a deeper problem: our tools and processes are built for atomic threats, not composite attacks.
The CVSS Conundrum: Designed for Simplicity, Destined for Failure
The Common Vulnerability Scoring System (CVSS) was created in 2005 to provide a standardized way to assess the severity of software flaws. It assigns a base score from 0 to 10 built from exploitability metrics (attack vector, attack complexity, privileges required, user interaction) and impact metrics (confidentiality, integrity, availability); v3 added a scope metric, and v4.0 replaced it with separate impact metrics for the vulnerable system and for subsequent systems. A 9.0–10.0 is “critical,” a 7.0–8.9 is “high,” and so on. It’s simple, transparent, and widely adopted.
But simplicity comes at a cost. CVSS evaluates vulnerabilities in isolation, ignoring how they might interact. It doesn’t account for chaining, environmental context, or real-world exploitation trends. As Peter Chronis, former CISO of Paramount, put it: “CVSS base scores are theoretical measures of severity that ignore real-world context.”
At Paramount, Chronis abandoned CVSS-first prioritization and saw a 90% reduction in actionable critical and high-risk vulnerabilities. Instead, his team used threat intelligence, asset criticality, and exploit likelihood to guide patching. This shift wasn’t just about efficiency—it was about survival.
- Cisco projects 70,135 CVEs for 2026, overwhelming existing triage systems.
- CVE submissions to NIST have grown 263% since 2020.
- Only KEV (Known Exploited Vulnerabilities) and federal critical software will receive full NVD enrichment starting in 2026.
The Triage Trap: Why Dashboards Lie to Boards
Security operations centers (SOCs) rely on dashboards that aggregate CVSS scores into SLAs and board reports. These dashboards often prioritize patching based on score thresholds—say, anything above 7.0 gets patched within 30 days. But this logic is flawed.
In the Palo Alto case, the 6.9-rated CVE was deprioritized because it required admin access. But once the 9.3-rated CVE granted that access, the 6.9 became a critical stepping stone. The dashboard didn’t connect the dots. The board didn’t see the chain. The result? A false sense of security.
Chris Gibson, executive director of FIRST (the organization that maintains CVSS), admitted that using CVSS base scores alone for prioritization is “the least apt and accurate” method. FIRST also maintains EPSS (Exploit Prediction Scoring System), first published in 2021, which uses a machine-learning model trained on observed exploitation activity to estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. CISA’s SSVC (Stakeholder-Specific Vulnerability Categorization) adds decision-tree logic that weighs exploitation status, automatability, technical impact, and mission impact, and outputs an action (track, attend, act) rather than a score.
Yet adoption remains slow. Many organizations still treat CVSS as gospel, despite its known limitations.
The Rise of the Exploit Chain: A New Era of Cyber Warfare
Attack chains are not new, but their sophistication is accelerating. In 2023, the MOVEit Transfer breach chained an unauthenticated SQL injection (CVE-2023-34362) through the application’s session handling into remote code execution and bulk data theft. That attack compromised over 2,600 organizations and exposed the data of more than 85 million people.
What’s changing is the speed and automation of chain exploitation. Attackers now use AI and machine learning to identify and combine vulnerabilities at scale. They don’t wait for patches—they strike within hours of disclosure.
Operation Lunar Peek was a wake-up call. It showed that even well-defended networks can fall if their risk models are outdated. Firewalls, once considered impenetrable fortresses, became backdoors when their management interfaces were exposed and their vulnerabilities chained.
Beyond CVSS: Building a Context-Aware Defense
The solution isn’t to abandon CVSS—it’s to augment it. Security teams must adopt a layered approach that combines:
- EPSS to predict which vulnerabilities are likely to be exploited.
- SSVC to prioritize based on mission impact and stakeholder needs.
- Threat intelligence to understand adversary tactics.
- Asset criticality mapping to focus on high-value targets.
At Paramount, Chronis implemented a system where vulnerabilities were scored not just by CVSS, but by exploit availability, active threats, and business impact. This allowed his team to patch the right flaws first—not just the highest-scoring ones.
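To make the layered approach above concrete, here is a small worked example that triages the same two PAN-OS CVEs first by a plain CVSS threshold and then by exploitation evidence, exposure and asset criticality, in the spirit of the EPSS and SSVC models described earlier. It is an added illustration, not code from the article, from Paramount, from FIRST or from CISA; its decision rules are a simplified approximation standing in for CISA’s published SSVC tree, and the EPSS values, KEV flags, asset names and criticality tags are constructed sample data.

```python
"""Context-aware triage: CVSS augmented with exploit evidence and asset context.

Added illustration, not code from the article or from any vendor. The decision
rules are a simplified, assumed approximation of the SSVC outcome labels
(Track / Attend / Act) and are not CISA's published decision tree. EPSS values
and KEV membership below are constructed sample inputs, not live feed data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    asset: str
    cvss: float        # CVSS v4.0 base score as published
    epss: float        # EPSS probability of exploitation in the next 30 days (constructed)
    in_kev: bool       # listed in CISA's KEV catalog (constructed sample value)
    exposed: bool      # service reachable from untrusted networks (asset inventory tag)
    criticality: str   # "low" | "medium" | "high" business criticality (assumed tag)


def cvss_only(f: Finding, threshold: float = 7.0) -> str:
    """The dashboard rule the article criticises: score at/above threshold -> 30-day SLA."""
    return "patch-30d" if f.cvss >= threshold else "defer"


def exploitation_state(f: Finding, poc_threshold: float = 0.10) -> str:
    """First decision point: is there evidence that anyone exploits this?

    KEV membership is treated as proof of active exploitation; an EPSS score at or
    above the (assumed) threshold is treated like a public proof-of-concept.
    """
    if f.in_kev:
        return "active"
    if f.epss >= poc_threshold:
        return "poc"
    return "none"


def decide(f: Finding) -> str:
    """Simplified SSVC-style outcome: Act (now), Attend (soon), Track (routine)."""
    state = exploitation_state(f)
    if state == "active":
        # Actively exploited flaws on exposed or business-critical assets cannot wait.
        return "Act" if (f.exposed or f.criticality == "high") else "Attend"
    if state == "poc":
        return "Attend" if (f.exposed and f.criticality != "low") else "Track"
    # No exploitation evidence: a high CVSS score alone only earns attention when
    # the asset is both exposed and critical.
    return "Attend" if (f.cvss >= 9.0 and f.exposed and f.criticality == "high") else "Track"


def compare(findings) -> dict:
    """Map vuln_id -> (threshold-only verdict, context-aware verdict)."""
    return {f.vuln_id: (cvss_only(f), decide(f)) for f in findings}


# Constructed sample: the two PAN-OS CVEs on an internet-exposed firewall, plus a
# hypothetical high-scoring bug on an isolated lab host.
SAMPLE = [
    Finding("CVE-2024-0012", "edge-fw-01", 9.3, 0.94, True, True, "high"),
    Finding("CVE-2024-9474", "edge-fw-01", 6.9, 0.91, True, True, "high"),
    Finding("HYPOTHETICAL-LAB-BUG", "lab-vm-17", 9.1, 0.01, False, False, "low"),
]

if __name__ == "__main__":
    for vuln_id, (score_view, context_view) in compare(SAMPLE).items():
        print(f"{vuln_id:22s} threshold={score_view:9s} context={context_view}")
```

Run as a script, the two verdict columns invert for the interesting rows: the 6.9 escalation that the threshold rule defers becomes "Act" because it is in KEV on an exposed, critical asset, while the hypothetical 9.1 on an isolated lab host drops to "Track". The thresholds in `exploitation_state` and `decide` are the knobs a team would tune against its own exposure data.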
Similarly, organizations should conduct attack surface modeling to identify potential chains. If a low-severity flaw can be combined with another to achieve root access, it should be treated as critical.
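As an added example of the chain modelling just described (not code from the article or from Palo Alto Networks), the following searches a small inventory for orderings that take an unauthenticated attacker to root and lets every CVE on such a chain inherit the chain’s highest score. The four-level privilege ladder is an assumed model of the target rather than a CVSS metric; the two PAN-OS entries use the scores and privilege relationships the article states, and the third entry is hypothetical.

```python
"""Chain-aware triage over a small, constructed inventory of vulnerability records.

Added illustration, not code from the article or from Palo Alto Networks. Each
record carries the privilege an attacker must already hold to exploit it
("requires") and the privilege it yields ("grants"); the privilege ladder is an
assumed model of the target, not a CVSS metric.
"""
from dataclasses import dataclass

LEVELS = ["none", "user", "admin", "root"]          # assumed privilege ladder
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float     # CVSS v4.0 base score as published
    requires: str   # privilege needed before exploitation can start
    grants: str     # privilege held after successful exploitation


INVENTORY = [
    Vuln("CVE-2024-0012", 9.3, "none", "admin"),   # unauthenticated -> admin
    Vuln("CVE-2024-9474", 6.9, "admin", "root"),   # admin -> root
    Vuln("HYPOTHETICAL-LOCAL-ESCALATION", 5.5, "user", "admin"),  # hypothetical entry
]


def threshold_triage(vulns, threshold=7.0):
    """What a score-threshold dashboard queues for emergency patching."""
    return sorted(v.cve for v in vulns if v.cvss >= threshold)


def find_chains(vulns, start="none", goal="root"):
    """Depth-first search for orderings that take an attacker from `start` to `goal`.

    `start="none"` models an attacker who can reach the service unauthenticated
    (the exposed management interface in the article). A vuln is usable when the
    current privilege satisfies its `requires` level, and it only helps when
    `grants` is strictly higher, so each step strictly climbs the ladder.
    """
    chains = []

    def walk(level, path, remaining):
        if RANK[level] >= RANK[goal]:
            chains.append(list(path))
            return
        for v in remaining:
            if RANK[level] >= RANK[v.requires] and RANK[v.grants] > RANK[level]:
                walk(v.grants, path + [v.cve], [w for w in remaining if w is not v])

    walk(start, [], list(vulns))
    return chains


def chain_aware_triage(vulns, start="none", goal="root"):
    """Every CVE on a start->goal chain inherits the highest score in that chain.

    The 6.9 escalation therefore becomes a 9.3 the moment an unauthenticated path
    to its precondition exists; an escalation nobody can reach keeps its own score.
    """
    by_cve = {v.cve: v for v in vulns}
    effective = {v.cve: v.cvss for v in vulns}
    for chain in find_chains(vulns, start, goal):
        peak = max(by_cve[c].cvss for c in chain)
        for c in chain:
            effective[c] = max(effective[c], peak)
    return effective


if __name__ == "__main__":
    print("threshold-only queue:", threshold_triage(INVENTORY))
    print("chains to root:      ", find_chains(INVENTORY))
    print("effective scores:    ", chain_aware_triage(INVENTORY))
```

With the constructed inventory the threshold rule queues only CVE-2024-0012, the chain search finds the 0012 → 9474 path, and the 6.9 escalation is re-rated to 9.3 while the hypothetical local escalation, which has no unauthenticated entry point, keeps its 5.5. Changing `start` to "user" (an attacker who already holds a low-privilege account) makes the hypothetical bug part of a second chain, which is the kind of what-if question a scenario-based review asks.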
The Future of Vulnerability Management: From Scores to Stories
The Palo Alto breach wasn’t just a technical failure—it was a narrative failure. Security teams told a story of isolated risks, while attackers wrote a story of interconnected exploits. To win, defenders must learn to tell better stories.
That means shifting from score-based triage to scenario-based planning. Instead of asking, “What’s the CVSS score?” ask, “What could happen if this flaw is chained with others?” Instead of patching by number, patch by narrative.
FIRST and CISA are moving in this direction. EPSS and SSVC are steps toward a more intelligent, context-aware model. But the real change must come from organizations themselves—from CISOs, SOC analysts, and board members who demand better risk visibility.
- CVSS v4.0, released in 2023, added new metrics for attack requirements and safety impacts.
- Despite improvements, v4.0 still does not account for vulnerability chaining.
- Over 90% of organizations still use CVSS as their primary prioritization tool.
- Only 12% of enterprises have adopted EPSS or SSVC in production.
Conclusion: The Illusion of Control
Operation Lunar Peek was a stark reminder that cybersecurity is not a numbers game. A 6.9 and a 9.3, when chained, became a 10.0 threat. CVSS gave us a map, but it didn’t show the terrain. It told us about individual trees, but not the forest fire.
The path forward requires humility, innovation, and a willingness to question long-held assumptions. We must move beyond the illusion of control that CVSS provides and embrace models that reflect the complexity of modern attacks.
As the number of CVEs climbs toward 70,000 per year, the cost of inaction will only grow. The next Lunar Peek is not a matter of if, but when. The question is: will we be ready?
This article was curated from CVSS scored these two Palo Alto CVEs as manageable. Chained, they gave attackers root access to 13,000 devices. via VentureBeat
