Ongoing Attacks Target 22,500 Palo Alto Firewalls Vulnerable to CVE-2024-3400
April 19, 2024
Approximately 22,500 Palo Alto GlobalProtect firewall devices are potentially vulnerable to the CVE-2024-3400 flaw. This critical command injection vulnerability has been actively exploited in attacks since late March 2024. The flaw impacts specific versions of Palo Alto Networks' PAN-OS in the GlobalProtect feature and allows unauthenticated attackers to execute commands with root privileges.
Palo Alto Networks disclosed the flaw on April 12, 2024, and urged administrators to apply interim mitigations until patches were available. Patches were released between April 14 and 18, 2024, leaving devices exposed for two to six days after disclosure (and, given the exploitation that began in late March, for weeks before it). Palo Alto Networks later revealed that one of its suggested mitigations, disabling device telemetry, does not protect devices. The only effective remedy is to apply the security patches.
A state-backed threat actor tracked as 'UTA0218' exploited the flaw to plant a custom backdoor named 'Upstyle' on compromised firewalls. Researchers have since published technical details and a proof-of-concept exploit for CVE-2024-3400, showing how easily an unauthenticated attacker can execute commands as root on an unpatched device. That public information has enabled numerous other threat actors to launch their own attacks.
The increase in exploitation has been confirmed by GreyNoise's sensors, which have detected a rise in the number of unique IP addresses attempting to exploit CVE-2024-3400. Despite the urgency, the Shadowserver Foundation's threat monitoring service reported that roughly 22,500 instances were still 'possibly vulnerable' as of April 18, 2024.
Most of these devices are in the United States, followed by Japan, India, Germany, the UK, Canada, Australia, and France. Shadowserver counted more than 156,000 PAN-OS firewall instances exposed on the internet in total, without determining how many of those are vulnerable. Independent threat researcher Yutaka Sejiyama conducted his own scans and reported observing 82,000 firewalls that he assessed as vulnerable to CVE-2024-3400. If his estimate is accurate, the drop to 22,500 means about 73% of the vulnerable firewalls were patched within a week.
The Palo Alto Networks security advisory, which has been updated several times with new information and guidance on hunting for signs of compromise, lists the recommended actions for administrators who have not yet patched.
Related News
- Exploit Code Released for Critical PAN-OS Vulnerability, Immediate Patching Urged
- CISA Adds Critical Palo Alto Networks PAN-OS Flaw to Known Exploited Vulnerabilities Catalog
- Palo Alto Networks Addresses Actively Exploited Zero-Day Vulnerability in PAN-OS Firewalls
- State-Sponsored Hackers Exploit Palo Alto Networks Zero-Day Since March to Infiltrate Firewalls
- Palo Alto Networks Alert: Active Exploitation of Zero-Day Vulnerability in PAN-OS Firewall