Palo Alto Networks Addresses Actively Exploited Zero-Day Vulnerability in PAN-OS Firewalls

April 15, 2024

Palo Alto Networks has begun issuing hotfixes for a critical zero-day vulnerability, tracked as CVE-2024-3400, that has been exploited in the wild since at least March 26 to backdoor PAN-OS firewalls. The flaw affects PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls with a GlobalProtect gateway or portal configured and device telemetry enabled. It is a command injection that an unauthenticated remote attacker can exploit in a low-complexity attack, with no user interaction, to execute arbitrary code as root on the firewall.

"Palo Alto Networks is aware of a limited number of attacks that leverage the exploitation of this vulnerability," the company said when it disclosed the zero-day. The flaw is now fixed in the hotfix releases PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, and PAN-OS 11.1.2-h3. Hotfixes for other maintenance releases in these trains are expected to follow over the coming days.

According to the Palo Alto Networks advisory, Cloud NGFW, Panorama appliances, and Prisma Access are not affected. Administrators still waiting for a hotfix for their maintenance release were advised at the time to disable the device telemetry feature on vulnerable firewalls until a patch could be applied; Palo Alto Networks has since updated the advisory to state that device telemetry does not need to be enabled for a firewall to be exploitable, so disabling it should not be relied on as a mitigation. Customers with an active 'Threat Prevention' subscription can block ongoing attacks by enabling 'Threat ID 95187', a threat-prevention-based mitigation for this vulnerability.
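The affected trains and fixed hotfixes listed above are easy to misread in a hurry, since a firewall on 10.2.8 is not covered by 10.2.9-h1 until it is upgraded, and a firewall on 11.1.2-h2 is one hotfix short of safe. The following triage script is an added example written for this article, not Palo Alto Networks code: it parses PAN-OS version strings of the form major.minor.maintenance[-hN] (an assumption about the format; other build suffixes are rejected rather than guessed at), flags versions that sort below the first fixed release of their train, accepts additional per-maintenance-release hotfixes as they ship, and maps each firewall in a constructed sample inventory (hostnames and versions are made up) to the action the advisory calls for.

```python
"""Triage PAN-OS firewall versions against CVE-2024-3400.

Added example for this article; not Palo Alto Networks code. The affected
trains and the fixed hotfixes come from the article text; the version-string
format is an assumption, and the inventory below is constructed.
"""
import re
from typing import Iterable, NamedTuple


class PanOsVersion(NamedTuple):
    major: int
    minor: int
    maint: int
    hotfix: int  # 0 when there is no -hN suffix

    def __str__(self) -> str:
        base = f"{self.major}.{self.minor}.{self.maint}"
        return f"{base}-h{self.hotfix}" if self.hotfix else base


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> PanOsVersion:
    """Parse 'major.minor.maint[-hN]'; any other suffix is rejected, not guessed."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return PanOsVersion(int(major), int(minor), int(maint), int(hotfix or 0))


# First fixed release in each affected train, as listed in the article.
# Any release in the train that sorts below this is vulnerable unless a
# per-maintenance-release hotfix (see extra_hotfixes) covers it.
FIRST_FIXED = {
    (10, 2): parse_version("10.2.9-h1"),
    (11, 0): parse_version("11.0.4-h1"),
    (11, 1): parse_version("11.1.2-h3"),
}

# Hotfixes for other maintenance releases were still pending when the article
# was written; add them here as they ship (assumed format, e.g. "10.2.8-h3").
EXTRA_HOTFIXES: tuple = ()


def is_vulnerable(version: str, extra_hotfixes: Iterable[str] = EXTRA_HOTFIXES) -> bool:
    v = parse_version(version)
    fixed = FIRST_FIXED.get((v.major, v.minor))
    if fixed is None:
        return False  # 10.1, 9.1 and other trains are not affected
    if (v.maint, v.hotfix) >= (fixed.maint, fixed.hotfix):
        return False  # at or past the first fixed release of the train
    for h in extra_hotfixes:
        hv = parse_version(h)
        if hv[:3] == v[:3] and v.hotfix >= hv.hotfix:
            return False  # covered by a later hotfix for this maintenance release
    return True


def triage(hostname: str, version: str, globalprotect: bool) -> dict:
    """Classify one firewall and say what to do about it."""
    v = parse_version(version)
    if not is_vulnerable(version):
        status = "patched" if (v.major, v.minor) in FIRST_FIXED else "not_affected"
        return {"host": hostname, "version": version, "status": status, "action": "none"}
    fixed = FIRST_FIXED[(v.major, v.minor)]
    if not globalprotect:
        # The advisory ties exposure to GlobalProtect; still schedule the upgrade.
        return {"host": hostname, "version": version, "status": "vulnerable_not_exposed",
                "action": f"upgrade to {fixed} at the next maintenance window"}
    if v.maint == fixed.maint:
        action = f"apply hotfix {fixed} now"
    else:
        action = (f"upgrade to {fixed} or wait for a hotfix for {v.major}.{v.minor}.{v.maint}; "
                  "until then enable Threat Prevention Threat ID 95187")
    return {"host": hostname, "version": version, "status": "vulnerable_exposed",
            "action": action + "; review the device for signs of compromise"}


# Constructed sample inventory: (hostname, PAN-OS version, GlobalProtect configured).
SAMPLE_INVENTORY = [
    ("fw-dc1", "10.2.9-h1", True),
    ("fw-dc2", "10.2.8", True),
    ("fw-branch", "11.1.2-h2", True),
    ("fw-lab", "11.0.3", False),
    ("fw-old", "10.1.11", True),
]


def triage_inventory(inventory=SAMPLE_INVENTORY) -> list:
    return [triage(host, ver, gp) for host, ver, gp in inventory]


if __name__ == "__main__":
    for r in triage_inventory():
        print(f"{r['host']:10} {r['version']:10} {r['status']:24} {r['action']}")
```

The comparison is deliberately conservative: a maintenance release below the train's first fixed release is treated as vulnerable until a hotfix for that exact release is added to the list, which matches how the advisory scopes the affected versions and avoids marking a firewall safe on the strength of a hotfix that belongs to a different release.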

Volexity, the security firm that discovered the zero-day, confirmed that it is being actively exploited. It observed threat actors using the flaw to plant the UPSTYLE backdoor on PAN-OS devices, move into victim networks, and exfiltrate data. Volexity tracks this activity as UTA0218 and believes a state-backed threat actor is most likely behind the ongoing attacks.

"At the time of writing, Volexity was unable to link the activity to other threat activity," Volexity stated. "Volexity assesses that it is highly likely UTA0218 is a state-backed threat actor based on the resources required to develop and exploit a vulnerability of this nature, the type of victims targeted by this actor, and the capabilities displayed to install the Python backdoor and further access victim networks."

Threat researcher Yutaka Sejiyama reported finding more than 82,000 PAN-OS devices exposed online and vulnerable to CVE-2024-3400, roughly 40% of them in the United States. CISA has added CVE-2024-3400 to its Known Exploited Vulnerabilities (KEV) catalog, giving federal agencies until April 19 to secure their devices by applying the threat-prevention mitigation or disabling telemetry.
