Security News > 2024 > April > Palo Alto firewalls: CVE-2024-3400 exploitation and PoCs for persistence after resets/upgrades
There are proof-of-concept techniques allowing attackers to achieve persistence on Palo Alto Networks firewalls after CVE-2024-3400 has been exploited, the company has confirmed on Monday, but they are "Not aware at this time of any malicious attempts to use these persistence techniques in active exploitation of the vulnerability."
On April 12, Palo Alto Networks warned about limited attacks against internet-exposed firewalls, likely by a state-backed threat actor, who managed to install backdoors, grab sensitive data, and move laterally through target organizations' networks.
Palo Alto Networks has been updating the associated security advisory and Unit 42 Threat Brief, as well as published additional advice for mitigation and remediation.
On April 18, the company said that "An increasing number of attacks that leverage the exploitation of this vulnerability" have been spotted and proof of concepts for the flaw(s) have been publicly disclosed by third parties.
Post-exploitation persistence on Palo Alto firewalls.
On April 25, Palo Alto published remediation recommendations for customers, and on April 29 they confimed that they are aware of "Proof-of-concept by third parties of post-exploit persistence techniques that survive resets and upgrades."
News URL
Related news
- Mysterious Palo Alto firewall reboots? You're not alone (source)
- PAN-OS authentication bypass hole plugged, PoC is public (CVE-2025-0108) (source)
- SonicWall firewall bug leveraged in attacks after PoC exploit release (source)
- Palo Alto firewalls under attack as miscreants chain flaws for root access (source)
- Attackers are chaining flaws to breach Palo Alto Networks firewalls (source)
- Palo Alto Networks tags new firewall bug as exploited in attacks (source)
- PoC exploit for Ivanti Endpoint Manager vulnerabilities released (CVE-2024-13159) (source)
- MITRE Caldera RCE vulnerability with public PoC fixed, patch ASAP! (CVE-2025–27364) (source)
- Meta Warns of FreeType Vulnerability (CVE-2025-27363) With Active Exploitation Risk (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-04-12 | CVE-2024-3400 | Command Injection vulnerability in Paloaltonetworks Pan-Os A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability. | 10.0 |