An estimated 22,500 Palo Alto GlobalProtect firewall devices are potentially susceptible to the critical CVE-2024-3400 flaw, a command injection vulnerability that allows unauthenticated attackers to execute commands with root privileges. This vulnerability has been actively exploited since March 26, 2024, according to security researchers.
CVE-2024-3400 impacts specific versions of Palo Alto Networks' PAN-OS in the GlobalProtect feature. The flaw enables attackers to inject commands through arbitrary file creation. Palo Alto Networks disclosed the vulnerability on April 12 and urged system administrators to apply mitigations immediately, promising that patches would soon follow.
Patches for the affected PAN-OS versions were rolled out between April 14 and April 18, 2024. However, initial mitigation strategies such as disabling telemetry were found ineffective, leaving full patching as the only reliable solution to mitigate the risk.
The flaw's exploitation came to light when researchers at Volexity observed state-backed actors, identified as 'UTA0218,' using the vulnerability to deploy a custom backdoor named 'Upstyle' in targeted systems. This discovery underscored the severity of the threat posed by the CVE-2024-3400 vulnerability.
Further compounding the issue, technical details and a proof-of-concept exploit were made publicly available earlier this week, demonstrating the ease with which unauthenticated attackers could gain root access on unpatched systems. This disclosure has spurred a wave of attacks from various threat actors, as confirmed by Greynoise’s increase in unique IP addresses attempting to exploit the vulnerability.
Despite the critical nature of this security flaw and the availability of patches, the ShadowServer Foundation's threat monitoring service reported that as of April 18, 2024, approximately 22,500 devices are still "possibly vulnerable." This was further supported by findings from threat researcher Yutaka Sejiyama, who last Friday reported a staggering 82,000 vulnerable firewalls, suggesting that about 73% of all exposed PAN-OS systems had been patched within a week of the vulnerability's public disclosure.
With the exploit now widely available and actively being used, administrators of unpatched systems are strongly advised to immediately apply the security patches provided by Palo Alto Networks. The company has continuously updated its security advisory with new information and guidance on how to detect and mitigate suspicious activities related to this vulnerability.