Dive Brief:
- Palo Alto Networks released patches for an actively exploited zero-day vulnerability in its PAN-OS operating system, which runs some of the security vendor’s firewalls. The company disclosed the vulnerability on Friday and issued initial patches on Sunday, according to a security advisory.
- The command injection vulnerability, CVE-2024-3400, allows an unauthenticated attacker to execute arbitrary code with root privileges on the firewall, Palo Alto Networks’ Unit 42 said Friday in a threat brief. Palo Alto Networks assigned the vulnerability a CVSS score of 10, the maximum.
- The company said it’s “aware of a limited number of attacks that leverage the exploitation of this vulnerability.” Threat intelligence firm Volexity, which initially discovered the zero-day exploits on April 10, later determined successful exploitation across multiple customer environments began as early as March 26.
Dive Insight:
The vulnerability, which had been exploited for at least two weeks before Volexity’s discovery, affects PAN-OS firewalls that have a GlobalProtect gateway or portal configured and device telemetry enabled.
After exploitation, the attacker established persistence and executed a variety of commands on the compromised device, according to Volexity. In one instance, the attacker used a highly privileged service account on the Palo Alto Networks firewall device to pivot into the internal network, where they targeted the Active Directory database, key data and Windows event logs.
“The attacker also stole login data, cookies and local state data for Chrome and Microsoft Edge from specific targets,” Volexity researchers said. “With this data, the attacker was able to grab the browser master key and decrypt sensitive data, such as stored credentials.”
The Cybersecurity and Infrastructure Security Agency added CVE-2024-3400 to its known exploited vulnerabilities catalog on Friday.
Palo Alto Networks attributed the zero-day exploits to an activity cluster it tracks as Operation MidnightEclipse, but the company warned that additional attackers may also attempt to exploit the vulnerability. Palo Alto Networks did not respond to a request for comment.
It is highly likely a nation state is backing the group “based on the resources required to develop and exploit a vulnerability of this nature, the type of victims targeted by this actor, and the capabilities displayed to install the Python backdoor and further access victim networks,” Volexity researchers said.
The exploits and the resulting exposure mark yet another in a string of attacks targeting network devices and security hardware in enterprise environments. Financially motivated and nation-state linked attackers widely exploited vulnerabilities in devices sold by Citrix, Ivanti and Barracuda over the past year.