CVSS underestimates chained Palo Alto bugs—root access hit 13,000 devices

chained CVEs – Misryoum breaks down why two Palo Alto CVEs scored differently under CVSS—and how chaining turned “manageable” flaws into root access for 13,000 devices.
Cybersecurity teams have long leaned on CVSS scores to decide what to patch first. Misryoum’s latest coverage shows the danger of treating those numbers like a complete story, especially when attackers chain vulnerabilities together.
During Operation Lunar Peek in November 2024, attackers obtained unauthenticated remote admin access and ultimately root access across more than 13,000 exposed Palo Alto Networks management interfaces. The striking part isn’t only the scale—it’s how the two linked issues were assessed when they were scored.
Palo Alto Networks assigned CVE-2024-0012 a CVSS v4.0 base score of 9.3 and CVE-2024-9474 a 6.9. Under CVSS v3.1, the same pair landed at 9.8 and 7.2 in NVD scoring. The differences are familiar to anyone who has tracked CVSS across versions, but the operational takeaway is more uncomfortable: the lower-scored element appeared to miss practical patch urgency because admin access seemed like a prerequisite.
That prerequisite assumption is exactly what chaining breaks. CVE-2024-0012 bypassed authentication, removing the “admin access required” gating factor that made CVE-2024-9474 look less urgent on its own. Put plainly: each vulnerability looked manageable in isolation, and then the attacker stitched them into a path that neither score alone described.
Misryoum also emphasizes why this is more than a scoring dispute. Adam Meyers of CrowdStrike argued that adversaries exploit what security teams don’t model—compound effects that turn separate weaknesses into one end-to-end takeover. In his framing, the triage logic effectively suffered from “amnesia,” treating each CVE as an independent incident rather than as potential steps in the same intrusion chain.
This gap is showing up at the same time the vulnerability pipeline is expanding fast enough to strain even mature programs. In 2025, 48,185 CVEs were disclosed, a reported year-over-year rise of 20.6%, and forecasts point higher still for 2026. NIST has highlighted that CVE submissions have surged since 2020, pushing the enrichment workload and forcing prioritization focus around known exploited vulnerabilities and federal critical software. When the volume grows, triage models that work “well enough” under old conditions start to look fragile.
Misryoum readers may be asking a practical question: if CVSS has limitations, what do teams do differently tomorrow morning—not after a breach? The answer is that CVSS can remain useful, but it can’t be the single decision layer. The piece of the process that needs strengthening is the linkage work: identifying how vulnerabilities interact with each other, with exposure types, and with real attacker workflows.
Misryoum connects the Palo Alto case to a broader pattern seen in recent threat reporting: faster exploitation windows and quicker weaponization of newly patched weaknesses. The core idea is that defenders used to imagine “Patch Tuesday” as a predictable cadence; adversaries increasingly treat the time between patch release and adversary testing like an operational opportunity. That compresses the window in which triage queues can afford to be conservative.
There’s also a second blind spot that CVSS doesn’t naturally cover: identity and process failures. If an attacker can call a help desk, bypass human verification, or exploit gaps in authentication—no software CVE may exist to generate a score, and no patch workflow gets created. Misryoum’s coverage notes concerns that agentic AI systems introduce their own identity surface—credentials, tokens, and permission scopes—that can sit outside the governance that normally routes software vulnerabilities into remediation pipelines.
Finally, the discovery and reporting pipeline itself is becoming a bottleneck. The more automation finds and generates vulnerabilities, the harder it becomes for enrichment and triage systems to keep up at scale. Misryoum’s takeaway is simple: even well-designed prioritization breaks if it’s overwhelmed by throughput that the pipeline was never sized for.
So what should defenders do? Misryoum recommends five concrete moves that target the exact failure pattern highlighted by chained CVEs: audit chain dependencies for known exploited vulnerabilities; triage co-resident weaknesses as a unit when one undermines the assumptions of another; compress remediation timelines for internet-facing exposure; track “KEV aging” so unpatched known items don’t linger for a year with no board-level accountability; and bring identity-surface issues into the same reporting and SLA framework as software flaws. Put together, the goal is to stop being surprised when attackers stop playing the “single bug, single fix” game—and start treating security triage like it has to understand sequences, not just scores.
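As an added illustration of the "triage co-resident weaknesses as a unit" recommendation and of the prerequisite problem described for CVE-2024-0012 and CVE-2024-9474 (example code written for this page, not from Misryoum, Palo Alto Networks or any scoring tool), the following Python escalates a finding whose precondition is granted by another finding on the same host, so the "needs admin" bug is triaged at the auth bypass's score rather than its own. The hostnames and the admin/root precondition labels are assumptions; the two CVSS v4.0 base scores are the ones the article quotes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    cve: str
    host: str
    cvss: float                          # published base score
    requires: frozenset = frozenset()    # preconditions the scorer assumed an attacker has
    grants: frozenset = frozenset()      # what a successful exploit hands the attacker

def chain_triage(findings):
    """Score each host's co-resident findings as one unit.

    Findings with no precondition are reachable; iterate to a fixed point so a
    finding becomes reachable once earlier ones grant everything it requires.
    Every reachable finding inherits the chain's top score; unreachable ones
    keep their standalone score, since the prerequisite really is unmet there.
    """
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, []).append(f)
    result = {}
    for host, fs in by_host.items():
        have, reachable = set(), []
        changed = True
        while changed:                   # fixed point over this host's findings
            changed = False
            for f in fs:
                if f not in reachable and f.requires <= have:
                    reachable.append(f)
                    have |= f.grants
                    changed = True
        chain_score = max((f.cvss for f in reachable), default=0.0)
        effective = {f.cve: (chain_score if f in reachable else f.cvss) for f in fs}
        result[host] = {
            "chain": [f.cve for f in reachable],
            "unreachable": [f.cve for f in fs if f not in reachable],
            "attacker_gets": have,
            "effective": effective,
            "score": max(effective.values()),
        }
    return result

# Constructed inventory: hostnames and the admin/root labels are assumptions.
SAMPLE = [
    Finding("CVE-2024-0012", "fw-edge-01", 9.3, grants=frozenset({"admin"})),
    Finding("CVE-2024-9474", "fw-edge-01", 6.9, frozenset({"admin"}), frozenset({"root"})),
    Finding("CVE-2024-9474", "fw-lab-02", 6.9, frozenset({"admin"}), frozenset({"root"})),
]

if __name__ == "__main__":
    for host, r in chain_triage(SAMPLE).items():
        print(host, r["score"], r["chain"], sorted(r["attacker_gets"]))
```

On fw-edge-01 the pair forms one chain that reaches root and is triaged at 9.3; on fw-lab-02, where nothing grants admin, CVE-2024-9474 keeps its 6.9.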