22,500 Palo Alto firewalls "possibly vulnerable" to ongoing attacks

Approximately 22,500 exposed Palo Alto GlobalProtect firewall devices are likely vulnerable to the CVE-2024-3400 flaw, a critical command injection vulnerability that has been actively exploited in attacks since at least March 26, 2024.

CVE-2024-3400 is a critical vulnerability impacting specific Palo Alto Networks' PAN-OS versions in the GlobalProtect feature that allows unauthenticated attackers to execute commands with root privileges using command injection triggered by arbitrary file creation.

The flaw was disclosed by Palo Alto Networks on April 12, with the security advisory urging system administrators to apply provided mitigations immediately until a patch was made available.

Depending on the PAN-OS version, patches were made available between April 14 and 18, 2024, so the exposure to post-disclosure risks lasted two to six days. It was later revealed that Palo Alto's mitigation of disabling telemetry would not protect devices and that the only solution was to apply the security patches.

Volexity researchers who first discovered the exploitation revealed that state-backed threat actors tracked as 'UTA0218' exploited the flaw to infect systems with a custom backdoor named 'Upstyle.'

Earlier this week, researchers shared technical details and a proof-of-concept exploit for CVE-2024-3400, demonstrating how easily unauthenticated attackers could execute commands as root on unpatched endpoints.

The public availability of the exploit has allowed numerous threat actors to conduct their own attacks, leaving system administrators with no margins to delay patching.

Greynoise's scanners confirmed this increased exploitation, showing larger numbers of unique IP addresses attempting to exploit the CVE-2024-3400 flaw.

Despite the urgency of the situation, the ShadowServer Foundation threat monitoring service says there are still roughly 22,500 instances that are "possibly vulnerable" as of April 18, 2024.

Most of the devices are located in the United States (9,620), followed by Japan (960), India (890), Germany (790), the UK (780), Canada (620), Australia (580), and France (500).

Earlier this week, Shadow Server reported seeing over 156,000 PAN-OS firewall instances exposed on the internet without discerning how many of those might be vulnerable to attacks.

Last Friday, threat researcher Yutaka Sejiyama conducted his own scans and reported observing 82,000 firewalls, which he claimed were vulnerable to CVE-2024-34000.

If the researcher's estimations were accurate, roughly 73% of all exposed PAN-OS systems were patched within a week.

Those who haven't taken any action are advised to follow the suggested actions in the Palo Alto security advisory, which has been updated several times since last week with new information and instructions on hunting for suspicious activity.