In-the-wild exploitation of Palo Alto PAN-OS 10.2, 11.0, and 11.1 has been observed. This does not affect the GlobalProtect gateway or GlobalProtect Portal. It also does not affect cloud firewalls (Cloud NGFW), Panorama appliances, or Prisma Access.
A command injection vulnerability enables an unauthenticated attacker to execute arbitrary code with root privileges on the firewall; it has been assigned CVE-2024-3400. The issue is fixed in hotfix releases PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and all later PAN-OS versions. Hotfixes for other maintenance releases are listed in the Palo Alto advisory linked below. Customers with a Threat Prevention subscription can block this by enabling Threat ID 95187 and applying Vulnerability Protection to GlobalProtect interfaces.
- Further reading: https://nvd.nist.gov/vuln/detail/CVE-2024-3400
- Palo Alto advisory: https://security.paloaltonetworks.com/CVE-2024-3400
- Applying vulnerability protection: https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184
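To turn the fix levels above into a repeatable check, here is an added example (not CyberMaxx or Palo Alto tooling) that classifies PAN-OS version strings against the three fixed hotfixes named in this alert. It assumes the vendor's `major.minor.maint[-hN]` version format; maintenance releases in an affected train that are older than the listed fixed release are reported as `check-advisory`, because the alert says their hotfixes are in the vendor advisory rather than listing them here. The device inventory in the block is constructed sample data.

```python
"""Classify PAN-OS versions against the CVE-2024-3400 fix levels in this alert.

Added example, not vendor or CyberMaxx code. Fix levels taken from the alert:
10.2.9-h1, 11.0.4-h1 and 11.1.2-h3 (and anything later in those trains).
"""
import re
from typing import Dict, List, Tuple

# PAN-OS versions look like 10.2.9 or 10.2.9-h1 (assumed format).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

# (major, minor) train -> (maintenance, hotfix) at which the fix landed.
FIXED_LEVELS: Dict[Tuple[int, int], Tuple[int, int]] = {
    (10, 2): (9, 1),  # PAN-OS 10.2.9-h1
    (11, 0): (4, 1),  # PAN-OS 11.0.4-h1
    (11, 1): (2, 3),  # PAN-OS 11.1.2-h3
}


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Split '11.1.2-h3' into (11, 1, 2, 3); a missing hotfix counts as 0."""
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = match.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def classify(version: str) -> str:
    """Return one of: fixed, vulnerable, check-advisory, not-listed.

    'not-listed' means the train is not one of the three the alert names as
    affected; 'check-advisory' means an earlier maintenance release of an
    affected train whose hotfix this alert does not enumerate.
    """
    major, minor, maint, hotfix = parse_version(version)
    train = (major, minor)
    if train not in FIXED_LEVELS:
        return "not-listed"
    fixed_maint, fixed_hotfix = FIXED_LEVELS[train]
    # Tuple comparison orders by maintenance release first, then hotfix.
    if (maint, hotfix) >= (fixed_maint, fixed_hotfix):
        return "fixed"
    if maint == fixed_maint:
        return "vulnerable"  # same maintenance release, below the fixing hotfix
    return "check-advisory"


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Classify every (hostname, version) pair; unparsable versions are flagged."""
    results = []
    for host, version in inventory:
        try:
            status = classify(version)
        except ValueError:
            status = "unparsable"
        results.append((host, version, status))
    return results


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("fw-edge-01", "10.2.9-h1"),
    ("fw-edge-02", "10.2.9"),
    ("fw-dc-01", "11.1.2-h2"),
    ("fw-dc-02", "11.0.3"),
    ("fw-branch-01", "10.1.9"),
    ("fw-lab-01", "11.1.x"),
]

if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {version:12} {status}")
```

Anything reported as `vulnerable` or `check-advisory` should be scheduled for the hotfix (and have Threat ID 95187 enabled in the meantime where a Threat Prevention subscription is available); `not-listed` only means the train is outside the three this alert names, so confirm against the vendor advisory before treating such devices as unaffected.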
This activity has currently been attributed to a single threat actor; however, now that the vulnerability has been publicly announced, it is likely that other groups will capitalize on organizations that are slow to patch. We recommend that patching these devices be made a priority.
Our threat hunting team has been informed and is actively investigating for signs of compromise related to this threat. The CyberMaxx team continues to monitor the situation and is working to keep your network safe.