Palo Alto firewalls: CVE-2024-3400 exploitation and PoCs for persistence after resets/upgrades
There are proof-of-concept techniques that allow attackers to achieve persistence on Palo Alto Networks firewalls after CVE-2024-3400 has been exploited, the company confirmed on Monday, but they are "not aware at this time of any malicious attempts to use these persistence techniques in active exploitation of the vulnerability."
On April 12, Palo Alto Networks warned about limited attacks against internet-exposed firewalls, likely by a state-backed threat actor, who managed to install backdoors, grab sensitive data, and move laterally through target organizations' networks.
Palo Alto Networks has been updating the associated security advisory and Unit 42 Threat Brief, and has published additional advice for mitigation and remediation.
On April 18, the company said that "an increasing number of attacks that leverage the exploitation of this vulnerability" have been spotted and that proofs of concept for the flaw(s) have been publicly disclosed by third parties.
Post-exploitation persistence on Palo Alto firewalls.
On April 25, Palo Alto published remediation recommendations for customers, and on April 29 they confirmed that they are aware of "proof-of-concept by third parties of post-exploit persistence techniques that survive resets and upgrades."
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-04-12 | CVE-2024-3400 | Command Injection vulnerability in Palo Alto Networks PAN-OS. A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability. | 10.0 |