Critical Palo Alto Networks PAN-OS Flaw Under Active Attack

Palo Alto Networks is warning that a critical flaw impacting PAN-OS software used in its GlobalProtect gateways is being actively exploited in the wild.

Tracked as CVE-2024-3400, the issue has a CVSS score of 10.0, indicating maximum severity.

“A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall,” the company said in an advisory published today.

The flaw impacts the following versions of PAN-OS, with fixes expected to be released on April 14, 2024 –

• PAN-OS < 11.1.2-h3
• PAN-OS < 11.0.4-h1
• PAN-OS < 10.2.9-h1

The company also said that the issue is applicable only to firewalls that have the configurations for both GlobalProtect gateway (Network > GlobalProtect > Gateways) and device telemetry (Device > Setup > Telemetry) enabled.

Threat intelligence and incident response company Volexity has been credited with discovering and reporting the bug.

While there are no other technical details about the nature of the intrusions or the identity of threat actors behind them, Palo Alto Networks acknowledged that it’s “aware of a limited number of attacks that leverage the exploitation of this vulnerability.”

In the interim, it’s recommending customers with a Threat Prevention subscription to enable Threat ID 95187 to secure against the threat.

The development comes as Chinese threat actors have increasingly relied on zero-day flaws impacting Barracuda Networks, Fortinet, Ivanti, and VMware to breach targets of interest and deploy covert backdoors for persistent access.