• @Brkdncr
    25 days ago

    If your mgt port is on the internet you likely have bigger problems.

    • @[email protected]OP
      15 days ago

      However, keeping the management console away from public access isn’t a foolproof solution. Palo Alto warns that even if you’ve limited access to the console to a restricted set of internal IP addresses, unpatched systems remain vulnerable, although the risk was “greatly reduced.”

      Exposing management consoles to the internet is a known risk. Security vendors strongly advise against it unless absolutely necessary, though it remains a “challenge” for some, as one vendor politely told us. Some admins expose the consoles to the public internet as it eases remote management chores, and hope security through obscurity protects them.

      PAN declined to specify how many customers are affected, but historically, most users keep their management interfaces private. Still, even those with restricted access must patch to stay secure.

      I am sort of assuming that stuff about “greatly reduced” means, if an attacker can get into one of the systems on your network, there’s about a 90% chance that they can then access the management port on the router from the “friendlies” side of it, and with access to the router they can greatly increase their invasiveness if they are a motivated attacker.

      • @Brkdncr
        15 days ago

        PAN already had a vuln not long ago that affected the mgt port access. If it’s still exposed then you have bigger issues.

        • @[email protected]OP
          25 days ago

          Oh… that might explain it too. They mentioned a few different vulnerabilities combining together in nasty ways. That would certainly qualify.