Elite Hackers Exploit Firewall Vulnerability to Gain Deep Access into Corporate Networks

Zero-Day Vulnerability in Palo Alto Networks Firewalls Under Active Exploitation

Security researchers have discovered a critical zero-day vulnerability in Palo Alto Networks firewalls that has been under active exploitation for roughly two weeks. The vulnerability, tracked as CVE-2024-3400, is a command injection flaw in the GlobalProtect feature of PAN-OS that lets an unauthenticated attacker execute commands as root on affected devices, which is why it carries the highest severity rating.

The zero-day vulnerability affects PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1 firewalls when they are configured with both a GlobalProtect gateway and device telemetry enabled; earlier PAN-OS releases, Cloud NGFW, Panorama appliances and Prisma Access are not affected. Palo Alto Networks has not yet released a patch but is urging affected customers to apply the workaround and mitigation guidance the company has published.

The vulnerability was discovered by Volexity, a security firm that found evidence of ongoing attacks targeting firewalls, VPNs and file-transfer appliances. These edge devices are attractive targets because they are exposed to the internet, rarely run endpoint security agents, have a long history of vulnerabilities, and sit directly in the path to the most sensitive parts of a network. Volexity attributes the exploitation observed so far to a single threat group it tracks as UTA0218, but warns that other groups may discover the vulnerability and begin exploiting it soon.

The attacks were first observed on March 26, when the attackers created zero-byte files on firewall devices to confirm that the exploit worked. On April 7, the researchers observed the group attempting to install a backdoor on a customer's firewall, and three days later, on April 10, the group successfully deployed malicious payloads. The backdoor lets the attackers send specially crafted network requests to execute further commands on compromised devices.

Volexity warns that, as with previous public disclosures of vulnerabilities in these kinds of devices, a spike in exploitation is likely over the next few days, both by UTA0218 and by other threat actors who may develop their own exploits. It is therefore imperative that organizations act quickly to deploy the recommended mitigations and perform compromise reviews of their devices to determine whether a wider investigation of their networks is required.

To mitigate the vulnerability, Palo Alto Networks recommends that customers with a Threat Prevention subscription enable Threat ID 95187 and ensure a vulnerability protection profile is applied to their GlobalProtect interface. Customers should also temporarily disable device telemetry until a patch is available; since the vulnerability only applies when telemetry is enabled, disabling it takes the device out of the vulnerable configuration.
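The exposure check a practitioner would want here is a way to triage a fleet against the conditions above: affected release train (10.2, 11.0 or 11.1), GlobalProtect gateway configured, and device telemetry enabled, then map each exposed device to the mitigations named in the article. The following script is an added example, not code from the article, Palo Alto Networks or Volexity; the inventory records and their fields (`globalprotect_gateway`, `device_telemetry`, `threat_prevention`) are hypothetical inputs you would populate from your own device management, and the sample inventory is constructed. Because no fixed PAN-OS builds had been published at the time of the article, the check decides exposure by release train and configuration only; once fixed versions exist, a minimum-version comparison using the parsed tuple should be added.

```python
import re
from dataclasses import dataclass, field

# Release trains named as affected in the advisory. No fixed builds are
# published yet, so exposure is decided by train plus configuration only.
AFFECTED_TRAINS = {(10, 2), (11, 0), (11, 1)}

# PAN-OS versions look like "11.1.2-h3" (the -h suffix is a hotfix number).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> tuple:
    """Split a PAN-OS version string into (major, minor, maintenance, hotfix)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


@dataclass
class Firewall:
    """One firewall from an inventory; the field names are hypothetical."""
    name: str
    version: str
    globalprotect_gateway: bool   # a GlobalProtect gateway is configured
    device_telemetry: bool        # device telemetry is enabled
    threat_prevention: bool       # a Threat Prevention subscription is present


@dataclass
class Assessment:
    name: str
    affected_train: bool
    exposed: bool
    actions: list = field(default_factory=list)


def assess(fw: Firewall) -> Assessment:
    """Decide whether a firewall is in the vulnerable configuration and what to do."""
    major, minor, _, _ = parse_panos_version(fw.version)
    affected_train = (major, minor) in AFFECTED_TRAINS
    # All three preconditions must hold for the device to be vulnerable.
    exposed = affected_train and fw.globalprotect_gateway and fw.device_telemetry
    result = Assessment(fw.name, affected_train, exposed)
    if exposed:
        if fw.threat_prevention:
            result.actions.append(
                "enable Threat ID 95187 and apply vulnerability protection "
                "to the GlobalProtect interface")
        # Disabling telemetry removes one precondition, so it is recommended
        # whether or not Threat Prevention is available.
        result.actions.append("disable device telemetry until a patch is available")
        result.actions.append("perform a compromise review of the device")
    return result


def assess_inventory(inventory) -> list:
    """Assess every firewall in an inventory and return the results in order."""
    return [assess(fw) for fw in inventory]


# Constructed sample inventory (not real devices or versions in use anywhere).
SAMPLE_INVENTORY = [
    Firewall("edge-fw-1", "11.1.2-h3", True, True, True),
    Firewall("edge-fw-2", "10.2.9", True, True, False),
    Firewall("branch-fw-3", "11.0.4", True, False, True),
    Firewall("dc-fw-4", "10.1.11", True, True, True),
]

if __name__ == "__main__":
    for a in assess_inventory(SAMPLE_INVENTORY):
        status = "EXPOSED" if a.exposed else "not exposed"
        print(f"{a.name} ({'affected train' if a.affected_train else 'unaffected train'}): {status}")
        for action in a.actions:
            print(f"  - {action}")
```

Note that a device on an affected train with telemetry already disabled (branch-fw-3 in the sample) comes back as not exposed today, but it should still be patched once a fix ships, since any later change that re-enables telemetry would put it straight back into the vulnerable configuration.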

In conclusion, the active exploitation of this zero-day vulnerability in Palo Alto Networks firewalls highlights the importance of staying vigilant against threats to internet-facing infrastructure. Organizations must prioritize mitigation now and patching as soon as a fix is available to protect their networks from highly capable, nation-state backed attackers. With mass exploitation likely, prompt action is essential to prevent compromise of these devices and the data breaches that could follow.
