
Hackers break into corporate networks through a firewall zero-day vulnerability

  • April 15, 2024


Zero day

Hackers are breaking into multiple corporate networks by exploiting a zero-day vulnerability in a Palo Alto Networks firewall product.

On April 10, security firm Volexity identified zero-day exploitation of a vulnerability in Palo Alto Networks’ GlobalProtect network security monitoring functionality at one of its customers. Palo Alto Networks has rated the CVE-2024-3400 vulnerability at the highest severity and has yet to patch it. Until then, the company is offering affected customers a temporary solution.

CVE-2024-3400

The CVE-2024-3400 vulnerability has been actively exploited for at least two weeks and allows hackers to execute malicious code without authentication. It has therefore received the maximum severity rating of 10.0.

The zero-day is present in firewalls running PAN-OS 10.2, PAN-OS 11.0, and/or PAN-OS 11.1 when they are configured to use both the GlobalProtect gateway and device telemetry. Palo Alto Networks has yet to patch the vulnerability, but recommends that customers follow guidelines that provide a workaround.

Capable attackers

The security company that spotted the zero-day attack has not yet been able to link the attackers to previously known groups, Volexity reports. The company considers them “highly qualified” and likely to have government support. There is currently only one threat group, called UTA0218, exploiting the vulnerability, and it is doing so in limited attacks. According to Volexity, once other groups discover the vulnerability, it can be exploited by multiple threat groups.

Source: IT Daily
