
A critical vulnerability in Palo Alto Networks’ PAN-OS firewall software is being actively exploited in attacks. The vulnerability was discovered on April 10, and tens of thousands of active firewalls have since been found to be vulnerable. Users are urgently advised to update to the latest version.

The flaw allows malicious actors to execute arbitrary code as root on affected systems through code injection. The vulnerable OS versions are PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1. For the exploit to work, the GlobalProtect gateway or GlobalProtect portal (or both) must be enabled, as must device telemetry. The vulnerability has been assigned the identifier CVE-2024-3400 and a CVSS score of 10.

Abused as zero-day since last month

The exploit allows attackers to install the Upstyle malware, infiltrate internal networks, and capture data. Hotfixes released by Palo Alto Networks should secure the exposed firewalls. However, the vulnerability has been exploited as a zero-day since March 26 by a malicious group tracked as UTA0218, which is believed to be a state-sponsored actor. Cybersecurity firm Volexity discovered the vulnerability on April 10.

More than 156,000 PAN-OS firewalls are online daily, 82,000 of which are vulnerable to the exploit, BleepingComputer reports. These firewalls are primarily located in the United States.

The exploit presumably involves a Python-based backdoor hosted on a separate server, according to The Hacker News. The files used to execute the rogue commands appear to be legitimate files belonging to the firewall, which would be one way to evade detection.

Security firm watchTowr Labs, which specializes in mimicking the methods of malicious actors, published a comprehensive analysis of the exploit and produced a proof-of-concept showing that attackers can execute shell commands on unpatched firewalls.

Widely used by U.S. government agencies

Notably, several U.S. government agencies use PAN-OS for classified networks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities catalogue, which requires U.S. federal agencies to secure affected systems within seven days.

Palo Alto Networks considers updating to the latest PAN-OS version the most effective remedy. Earlier mitigations, such as disabling telemetry, are now considered ineffective. Furthermore, users with an active Threat Prevention subscription can block ongoing attacks by activating the mitigation for Threat ID 95187.
