Palo Alto Networks PAN-OS Command Injection Vulnerability

CVE-2024-3400
CVSS 10 (CRITICAL)

Key Information

Products: PAN-OS, Cloud NGFW, Prisma Access (the summary below scopes the flaw to PAN-OS; Cloud NGFW and Prisma Access are listed there as not affected)
Vendor: Palo Alto Networks
CVE Published: 12 April 2024

Badges

🔥 No. 1 Trending · 😄 Trended · 👾 Exploit Exists · 🔴 Public PoC · 🟣 EPSS 96% · 📰 News Worthy

Summary

A critical command injection vulnerability (CVE-2024-3400) in the GlobalProtect feature of Palo Alto Networks PAN-OS is being exploited in the wild; it allows an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. It affects PAN-OS 10.2, 11.0 and 11.1 on firewalls with a GlobalProtect gateway or portal configured; Panorama appliances, Cloud NGFW and Prisma Access are not affected. Hotfixes are expected to be released soon, and customers are urged to apply temporary mitigations and check for compromise. Exploitation is reported to be automated; customers with a Threat Prevention subscription can block attacks with the vendor's signature (Threat ID 95187). The initial advisory also recommended disabling device telemetry until the hotfix is applied; Palo Alto Networks later revised that guidance, stating that telemetry does not need to be enabled for a firewall to be exposed, so the hotfix is the only reliable fix. Customers should check in the firewall web interface whether a GlobalProtect gateway or portal is configured and whether device telemetry is enabled.
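The summary above reduces to a triage question an operator has to answer for every device: is it on an affected release branch, does it have GlobalProtect configured, and is it already at the hotfix for its maintenance release? The following is an added example (not Palo Alto Networks code and not from the original page) that applies exactly those criteria to a constructed inventory. The version-to-hotfix table is an assumption: the entries are illustrative placeholders and must be populated from the vendor advisory, and any maintenance release missing from the table is treated as exposed rather than assumed safe. The device names and versions are constructed sample data.

```python
"""Fleet triage for CVE-2024-3400 exposure (added example; not vendor code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Release branches the advisory scopes the flaw to.
AFFECTED_BRANCHES = {(10, 2), (11, 0), (11, 1)}

# Maintenance release -> first hotfix carrying the fix.
# ASSUMPTION: illustrative placeholder entries. An operator must populate this
# from the vendor advisory, which lists one hotfix per maintenance release.
ILLUSTRATIVE_FIXED_RELEASES = {
    (10, 2, 9): (10, 2, 9, 1),
    (11, 0, 4): (11, 0, 4, 1),
    (11, 1, 2): (11, 1, 2, 3),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> tuple[int, int, int, int]:
    """Turn 'major.minor.maint[-hN]' into a comparable tuple.

    A release with no hotfix suffix sorts as hotfix 0, so '11.1.2' < '11.1.2-h3'.
    Anything that does not fit that shape is rejected instead of guessed at.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


@dataclass(frozen=True)
class Firewall:
    name: str
    version: str
    globalprotect_configured: bool  # a GlobalProtect gateway or portal exists
    telemetry_enabled: bool         # recorded for the operator; exposure is not gated on it


def exposure(fw: Firewall, fixed_releases: dict) -> str:
    """Classify one device.

    A device on an affected branch with GlobalProtect configured is 'exposed'
    unless it is at or above the known fix for its maintenance release. A
    maintenance release with no fix entry is reported as exposed, not as safe.
    """
    parsed = parse_panos_version(fw.version)
    if parsed[:2] not in AFFECTED_BRANCHES:
        return "not_affected_branch"
    if not fw.globalprotect_configured:
        return "affected_branch_no_globalprotect"
    fixed = fixed_releases.get(parsed[:3])
    if fixed is not None and parsed >= fixed:
        return "patched"
    return "exposed"


def triage_fleet(fleet, fixed_releases) -> dict[str, str]:
    """Map device name -> exposure status for a whole inventory."""
    return {fw.name: exposure(fw, fixed_releases) for fw in fleet}


# Constructed sample inventory (not real devices).
SAMPLE_FLEET = [
    Firewall("fw-edge-01", "11.1.2-h3", True, True),    # at the placeholder fix
    Firewall("fw-edge-02", "11.1.2", True, False),      # below it
    Firewall("fw-edge-03", "10.2.7-h3", True, True),    # no fix entry known -> exposed
    Firewall("fw-dc-01", "10.2.9-h1", False, True),     # no GlobalProtect configured
    Firewall("fw-lab-01", "9.1.16", True, True),        # branch not in scope
]

if __name__ == "__main__":
    for name, status in triage_fleet(SAMPLE_FLEET, ILLUSTRATIVE_FIXED_RELEASES).items():
        print(f"{name:12} {status}")
```

The conservative default matters: a hotfix table is only as complete as the day it was copied from the advisory, so a device whose maintenance release is absent from it should surface as work to do, not disappear from the report.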

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2024-3400 as being exploited, though it is not known by CISA to be used in ransomware campaigns. This is subject to change quickly, as recent news articles suggest the vulnerability is being used by ransomware groups.

CISA's recommendation is: Apply mitigations per vendor instructions as they become available. Otherwise, users with vulnerable versions of affected devices should enable Threat Prevention IDs available from the vendor. See the vendor bulletin for more details and a patch release schedule.

Affected Version(s)

PAN-OS >= 9.0.0

PAN-OS >= 9.1.0

PAN-OS >= 10.0.0

Note: the ranges above are as collected from the vulnerability databases; the vendor advisory, as reflected in the summary, scopes the flaw to PAN-OS 10.2, 11.0 and 11.1 with GlobalProtect configured.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.

News Articles

EPSS Score

EPSS estimates a 96% probability of exploitation activity in the next 30 days.

CVSS V3.1

Score: 10 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • 🔥 Vulnerability reached the number 1 worldwide trending spot.

  • Risk change from 9.8 to 10 (CRITICAL).

  • Vulnerability started trending.

  • Initial publication.

  • First article discovered by SecurityWeek.

  • Vulnerability published.

  • Vulnerability reserved.

  • 👾 Exploit exists.

Collectors

NVD Database · Mitre Database · CISA Database · 8 Proof of Concept(s) · 50 News Article(s)

Credit

Palo Alto Networks thanks Volexity for detecting and identifying this issue, and the Capability Development Group at Bishop Fox for helping verify the fixes and improve Threat Prevention signatures.