Beyond the Score: How Chained Vulnerabilities Bypass Traditional Security
27 Apr, 2026
In the ever-evolving landscape of cybersecurity, a concerning trend is emerging: attackers are becoming adept at chaining together seemingly minor vulnerabilities to achieve devastating results. A recent incident involving Palo Alto Networks devices, dubbed Operation Lunar Peek, serves as a stark reminder that individual vulnerability scores can be misleading, and a holistic approach to security is more critical than ever.
The Palo Alto Networks Breach: A Case Study in Chaining Vulnerabilities
Operation Lunar Peek, which took place in November 2024, saw threat actors gain unauthenticated remote administrative access, and ultimately root control, over more than 13,000 exposed Palo Alto Networks management interfaces. The severity of this breach was initially masked by the way individual vulnerabilities were scored. Specifically, CVE-2024-0012, an authentication bypass, and CVE-2024-9474, a privilege escalation flaw, were assessed separately.
Under CVSS v4.0, CVE-2024-0012 received a score of 9.3, while CVE-2024-9474 was rated 6.9. Even under the older CVSS v3.1, the scores were 9.8 and 7.2, respectively. A score of 6.9 might fall below the immediate patching threshold for many organizations, especially if administrative access was assumed to be a prerequisite, and the higher score of 9.3/9.8 was likely seen as a manageable risk, queued for routine maintenance. The critical flaw? These assessments treated each vulnerability in isolation, failing to account for their combined impact.
As Adam Meyers, SVP of Counter Adversary Operations at CrowdStrike, aptly stated, "Adversaries circumvent [severity ratings] by chaining vulnerabilities together." In this case, the authentication bypass (CVE-2024-0012) effectively removed the prerequisite for the privilege escalation vulnerability (CVE-2024-9474), transforming two moderately concerning issues into a critical exploit chain. Both vulnerabilities are now on the CISA Known Exploited Vulnerabilities (KEV) catalog, but scoring them separately initially masked the impending danger.
Why CVSS Alone Isn't Enough
The Common Vulnerability Scoring System (CVSS) is a valuable tool for assessing the inherent severity of a vulnerability. However, as the Palo Alto Networks incident highlights, it has limitations. CVSS base scores are theoretical and don't always account for real-world context, such as how vulnerabilities can be chained together or the probability of exploitation by sophisticated actors.
Peter Chronis, former CISO of Paramount, noted that moving beyond a CVSS-first prioritization strategy at Paramount led to a 90% reduction in actionable critical and high-risk vulnerabilities. Chris Gibson, executive director of FIRST (the organization that maintains CVSS), has also emphasized that relying solely on CVSS base scores is "the least apt and accurate" method for prioritization. Tools like FIRST's Exploit Prediction Scoring System (EPSS) and CISA's Security Vulnerability Management Decision Support (SSVC) model aim to bridge this gap by incorporating exploitation probability and decision-tree logic.
The Growing Threat Landscape: Five Triage Failures
The increasing volume of disclosed vulnerabilities, projected to exceed 70,000 in 2026, is overwhelming existing security infrastructure. NIST has already begun prioritizing enrichment for KEV and federal critical software only. This escalating challenge is exacerbated by several factors:
Chained CVEs: As seen with Palo Alto Networks, vulnerabilities that appear manageable in isolation can become critical when combined. The triage logic often fails to identify these dependencies.
Nation-State Adversaries Weaponizing Patches: Attackers are now exploiting newly patched vulnerabilities within days, sometimes even hours, of their disclosure. The traditional "Patch Tuesday" model is no longer sufficient.
Stockpiled CVEs: Advanced persistent threat (APT) groups can hold onto vulnerabilities for extended periods, waiting for the opportune moment to strike, as demonstrated by Salt Typhoon's exploitation of unpatched Cisco devices.
Identity Gaps: Vulnerabilities outside the traditional CVE system, such as social engineering attacks targeting help desks or the misuse of AI agent credentials, can lead to significant breaches and are often overlooked by scoring systems.
AI-Accelerated Discovery: The rise of AI in vulnerability discovery means that the rate at which new vulnerabilities are found could soon outpace the ability of organizations to patch them, potentially leading to an unmanageable influx of exploits.
A Proactive Security Director's Action Plan
To combat these evolving threats, security leaders need to adopt a more proactive and contextual approach:
Chain-Dependency Audits: Conduct thorough audits of all KEV CVEs to identify potential chaining opportunities with other vulnerabilities, prioritizing any combination that bypasses authentication and escalates privileges.
Accelerated Patching SLAs: Compress Service Level Agreements (SLAs) for patching internet-facing systems to 72 hours, given the rapid exploitation window observed by nation-state actors.
KEV Aging Reports: Implement monthly reports for the board that track unpatched KEV CVEs, including days since disclosure, patch availability, and owner, to highlight aging exposure risks.
Integrate Identity Controls: Incorporate identity-related security gaps, such as help desk authentication weaknesses and AI agent credentials, into the overall vulnerability reporting pipeline.
Stress-Test Pipeline Capacity: Regularly test the vulnerability management pipeline's capacity against projected increases in CVE volume, including AI-driven discovery, and communicate any potential gaps to financial stakeholders before a breach occurs.
The security landscape is becoming increasingly complex, and relying solely on static vulnerability scores is no longer a viable strategy. By understanding the nuances of chained exploits, the speed of modern threats, and the evolving attack vectors, organizations can build more resilient and effective security defenses.