Critical Vulnerability Alert: Palo Alto Firewalls at Risk from CVE-2024-3400 Exploits

TheRealThreatHuntress
2 min read · Apr 22, 2024

Around 22,500 Palo Alto GlobalProtect firewall devices have been exposed to a critical vulnerability known as CVE-2024-3400. This flaw allows attackers to execute commands with root privileges through command injection, posing a significant security risk. The vulnerability has been actively exploited by threat actors since at least March 26, 2024.

Palo Alto Networks disclosed the flaw on April 12, urging system administrators to implement provided mitigations immediately. However, the only permanent solution is to apply the security patches, which were released between April 14 and 18, 2024, depending on the PAN-OS version.

Researchers from Volexity discovered that state-backed threat actors known as ‘UTA0218’ used the exploit to deploy a custom backdoor named ‘Upstyle.’ Recently, technical details and a proof-of-concept exploit were shared publicly, enabling more threat actors to conduct attacks.

GreyNoise’s scanners detected increased exploitation of the vulnerability, with numerous unique IP addresses attempting to exploit it. Despite efforts to mitigate the risk, approximately 22,500 instances remain “possibly vulnerable” as of April 18, 2024.

The majority of these devices are located in the United States, followed by Japan, India, Germany, the UK, Canada, Australia, and France. Recent reports indicate that over 156,000 PAN-OS firewall instances are exposed on the internet, but the exact number vulnerable to CVE-2024-3400 is unclear.

Threat researcher Yutaka Sejiyama conducted scans revealing that around 82,000 firewalls were vulnerable to the flaw. This suggests that approximately 73% of exposed PAN-OS systems were patched within a week.

System administrators who have not yet taken action are advised to follow the recommendations in the Palo Alto security advisory, which is regularly updated with new information and instructions for identifying and addressing suspicious activity.

Happy Hunting!

— j1nx
