In Belgium, 33 Palo Alto firewalls are still active and have a zero-day leak that is being actively exploited by hackers. There are 103 still online in the Netherlands, four in Luxembourg and 98 in France.

The zeroday is present in the PAN-OS 10.2, PAN-OS 11.0 and/or PAN-OS 11.1 software of the Palo Alto firewalls. The CVE-2024-3400 vulnerability was rated maximum severity but has since been patched by Palo Alto Networks. Previously, customers could mitigate risk by disabling telemetry. It now appears that this technology is not waterproof. Patching is therefore the only option.

On the Shadowserver detection map we see that 33 vulnerable firewalls are still online in Belgium today. In the Netherlands there are 103, in Luxembourg 3 and in France 98.

DVE-2024-300 consists of two flaws. Successful exploitation of the first flaw alone would result in the creation of an empty file with a specific filename. However, if the second flaw is exploited, attackers can steal sensitive information or deploy malware.

It is extremely important to patch quickly. A study shows that zero-day is being massively abused by (state-run) hackers as soon as the proof-of-concept code is published.

If you have a potentially vulnerable Palo Alto firewall in your organization, we recommend you follow this comprehensive guide the brand created.