Ongoing Attacks Target 22,500 Palo Alto Firewalls Vulnerable to CVE-2024-3400

April 19, 2024

Approximately 22,500 Palo Alto Networks firewalls exposing GlobalProtect are still potentially vulnerable to CVE-2024-3400, a critical (CVSS 10.0) command injection flaw that has been exploited in the wild since late March 2024. The bug affects PAN-OS 10.2, 11.0 and 11.1 firewalls configured as a GlobalProtect gateway or portal and lets an unauthenticated, remote attacker execute arbitrary commands as root on the device.

Palo Alto Networks disclosed the flaw on April 12, 2024, before a fix was available, and urged administrators to apply interim mitigations (disabling device telemetry and enabling a Threat Prevention signature) until hotfixes shipped. Hotfixes were released between April 14 and 18, 2024, leaving devices exposed for two to six days after disclosure. The company later revised its advisory to state that disabling device telemetry does not prevent exploitation, so applying the hotfix is the only effective fix.

A threat actor tracked as UTA0218, assessed to be state-backed, exploited the flaw as a zero-day to plant a custom Python backdoor named 'Upstyle' on compromised firewalls. Technical details and a proof-of-concept exploit for CVE-2024-3400 were subsequently published by researchers, showing how easily an unauthenticated attacker can run commands as root on an unpatched device. That public information has enabled numerous other threat actors to launch their own attacks.

The rise in exploitation is confirmed by GreyNoise, whose sensors have recorded a growing number of unique IP addresses attempting to exploit CVE-2024-3400. Despite the urgency, the Shadowserver Foundation's threat monitoring service reported roughly 22,500 instances that were still 'possibly vulnerable' as of April 18, 2024.

The majority of these devices are in the United States, followed by Japan, India, Germany, the UK, Canada, Australia, and France. Shadowserver also counted over 156,000 PAN-OS firewall instances exposed on the internet overall, without determining how many of those are vulnerable. Independent threat researcher Yutaka Sejiyama ran his own scans and reported observing 82,000 firewalls that he assessed as vulnerable to CVE-2024-3400. If that figure is accurate, the drop to 22,500 means about 73% of the firewalls he identified as vulnerable were patched within a week.

The Palo Alto Networks security advisory, which has been updated several times with new information and instructions for hunting for signs of exploitation, lists the recommended actions for administrators who have not yet patched.
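As a concrete hunting check, added here and not code from the article or from Palo Alto Networks: the indicator the advisory publishes is a grep over the GlobalProtect service log (`gpsvc.log`) for "failed to unmarshal session" entries whose session ID contains a path instead of an ID, which is what a traversal payload in the SESSID cookie looks like when the device tries to load it. The Python below reproduces that check against constructed sample lines. The grep pattern in the comment is the advisory's; the tightened regex, the function names and the sample log lines are my own.

```python
import re

# Python equivalent of the hunting command Palo Alto Networks published in
# its CVE-2024-3400 advisory, run from the PAN-OS CLI:
#   grep pattern "failed to unmarshal session(.\+.\/" mp-log gpsvc.log*
# It flags gpsvc.log entries where the session ID the device tried to load
# contains a slash, i.e. a SESSID cookie carrying a path rather than an ID.
ADVISORY_PATTERN = re.compile(r"failed to unmarshal session\(.+./")

# Tighter variant (my choice, not the advisory's): require an actual "../"
# traversal sequence and capture the offending session ID for triage, so a
# benign unmarshal failure on an ordinary session ID is not flagged.
TRAVERSAL_PATTERN = re.compile(
    r"failed to unmarshal session\((?P<sessid>[^)]*\.\./[^)]*)\)"
)


def find_exploit_attempts(lines):
    """Return [(line_no, sessid), ...] for lines that look like CVE-2024-3400 probes."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = TRAVERSAL_PATTERN.search(line)
        if m:
            hits.append((line_no, m.group("sessid")))
    return hits


def matches_advisory_grep(line):
    """True if the advisory's grep pattern would match this log line."""
    return ADVISORY_PATTERN.search(line) is not None


# Constructed sample log lines (not real gpsvc.log output). The traversal
# payload in the last line is a placeholder, not a captured attacker string.
SAMPLE_GPSVC_LOG = [
    "2024-04-12 10:00:01 gpsvc: session(0123456789abcdef) refreshed",
    "2024-04-12 10:00:05 gpsvc: failed to unmarshal session(fedcba9876543210)",
    "2024-04-12 10:00:09 gpsvc: failed to unmarshal session(../../../../tmp/probe)",
]

if __name__ == "__main__":
    for line_no, sessid in find_exploit_attempts(SAMPLE_GPSVC_LOG):
        print(f"line {line_no}: suspicious SESSID {sessid!r}")
```

On a real device the log is read with the CLI command quoted in the comment rather than from a file copy. A clean result is not proof the firewall was never compromised: an attacker who succeeded may have removed the entries, so the check is a triage aid, not a substitute for patching or for the further forensic steps the advisory recommends when compromise is suspected.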
