Palo Alto Networks has begun releasing hotfixes for a zero-day vulnerability that has been actively exploited since March 26 to backdoor PAN-OS firewalls.
This maximum-severity security flaw (CVE-2024-3400) impacts PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls with device telemetry and GlobalProtect (gateway or portal) enabled.
Unauthenticated threat actors can exploit it remotely to gain root code execution via command injection in low-complexity attacks that do not require user interaction.
“Palo Alto Networks is aware of a limited number of attacks that leverage the exploitation of this vulnerability,” the company warned on Friday when it disclosed the zero-day.
The company has now fixed the security flaw in hotfix releases issued for PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, and PAN-OS 11.1.2-h3. Additional hotfixes will be rolled out for later PAN-OS versions in the coming days.
According to Palo Alto Networks’ advisory, Cloud NGFW, Panorama appliances, and Prisma Access are not exposed to attacks via this vulnerability.
Admins still waiting for a hotfix can disable the device telemetry feature on vulnerable devices until a patch is deployed. Those with an active ‘Threat Prevention’ subscription can also block ongoing attacks by activating the ‘Threat ID 95187’ threat prevention-based mitigation.
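To make the affected-version and mitigation conditions above checkable across a fleet, here is an added triage helper (not code from Palo Alto Networks or from this article). It assumes version strings of the form `major.minor.patch[-hN]`, that a later hotfix of the same patch level (e.g. a hypothetical `10.2.9-h2`) also contains the fix, and that only the three hotfix releases named in the article are known fixes:

```python
import re
from typing import NamedTuple

# Hotfix releases the article names as fixing CVE-2024-3400, keyed by affected
# branch (major, minor) -> (patch, hotfix). Hotfixes for later releases were
# still pending at the time of the article, so they are deliberately absent.
FIXED_HOTFIX = {(10, 2): (9, 1), (11, 0): (4, 1), (11, 1): (2, 3)}

class PanOsVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    hotfix: int  # 0 when the version carries no "-hN" suffix

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text: str) -> PanOsVersion:
    """Parse strings such as '11.1.2-h3' or '10.2.8' (assumed format)."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return PanOsVersion(int(major), int(minor), int(patch), int(hotfix or 0))

def assess(version: str, telemetry_enabled: bool, globalprotect_enabled: bool) -> str:
    """Classify one firewall against the conditions described in the article.

    'not_affected'    - branch is not one of the affected 10.2 / 11.0 / 11.1 lines
    'not_exposed'     - affected branch, but telemetry or GlobalProtect is off
    'fixed'           - running the listed hotfix (or a later hotfix of that patch)
    'vulnerable'      - a listed hotfix exists for this branch; upgrade to it
    'awaiting_hotfix' - patch level newer than the listed hotfix; no fix listed yet
    """
    v = parse_version(version)
    fixed = FIXED_HOTFIX.get((v.major, v.minor))
    if fixed is None:
        return "not_affected"
    if not (telemetry_enabled and globalprotect_enabled):
        return "not_exposed"
    fixed_patch, fixed_hotfix = fixed
    if v.patch > fixed_patch:
        return "awaiting_hotfix"
    if v.patch == fixed_patch and v.hotfix >= fixed_hotfix:
        return "fixed"
    return "vulnerable"

def interim_mitigations(status: str) -> list[str]:
    """Interim steps the article lists for devices that remain exposed."""
    if status not in ("vulnerable", "awaiting_hotfix"):
        return []
    return ["disable device telemetry",
            "enable Threat ID 95187 (requires a Threat Prevention subscription)"]
```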
Exploited to backdoor firewalls since March
Palo Alto Networks’ warning of active exploitation was confirmed by security firm Volexity, which discovered the zero-day flaw and detected threat actors using it to backdoor PAN-OS devices with Upstyle malware, breach networks, and steal data.
Volexity is tracking this malicious activity under UTA0218 and believes that state-sponsored threat actors are likely behind these ongoing attacks.
“At the time of writing, Volexity was unable to link the activity to other threat activity,” Volexity stated on Friday.
“Volexity assesses that it is highly likely UTA0218 is a state-backed threat actor based on the resources required to develop and exploit a vulnerability of this nature, the type of victims targeted by this actor, and the capabilities displayed to install the Python backdoor and further access victim networks.”
Threat researcher Yutaka Sejiyama revealed on Friday that he found over 82,000 PAN-OS devices exposed online and vulnerable to CVE-2024-3400 attacks, 40% of them in the US.
CISA has added CVE-2024-3400 to its Known Exploited Vulnerabilities (KEV) catalog, ordering federal agencies to secure their devices by applying the threat mitigation rule or disabling telemetry within a week, by April 19.