Security News > 2024 > April > Palo Alto firewalls: CVE-2024-3400 exploitation and PoCs for persistence after resets/upgrades
There are proof-of-concept techniques allowing attackers to achieve persistence on Palo Alto Networks firewalls after CVE-2024-3400 has been exploited, the company has confirmed on Monday, but they are "Not aware at this time of any malicious attempts to use these persistence techniques in active exploitation of the vulnerability."
On April 12, Palo Alto Networks warned about limited attacks against internet-exposed firewalls, likely by a state-backed threat actor, who managed to install backdoors, grab sensitive data, and move laterally through target organizations' networks.
Palo Alto Networks has been updating the associated security advisory and Unit 42 Threat Brief, as well as published additional advice for mitigation and remediation.
On April 18, the company said that "An increasing number of attacks that leverage the exploitation of this vulnerability" have been spotted and proof of concepts for the flaw(s) have been publicly disclosed by third parties.
Post-exploitation persistence on Palo Alto firewalls.
On April 25, Palo Alto published remediation recommendations for customers, and on April 29 they confimed that they are aware of "Proof-of-concept by third parties of post-exploit persistence techniques that survive resets and upgrades."
News URL
Related news
- Palo Alto Networks firewalls under attack, hotfixes incoming! (CVE-2024-3400) (source)
- Week in review: PoCs allow persistence on Palo Alto firewalls, Okta credential stuffing attacks (source)
- Palo Alto Networks warns of PAN-OS firewall zero-day used in attacks (source)
- Palo Alto Networks zero-day exploited since March to backdoor firewalls (source)
- Week in review: Palo Alto Networks firewalls under attack, Microsoft patches two exploited zero-days (source)
- Palo Alto Networks fixes zero-day exploited to backdoor firewalls (source)
- Palo Alto firewalls: Public exploits, rising attacks, ineffective mitigation (source)
- 22,500 Palo Alto firewalls "possibly vulnerable" to ongoing attacks (source)
- Week in review: Palo Alto firewalls mitigation ineffective, PuTTY client vulnerable to key recovery attack (source)
- CrushFTP zero-day exploited by attackers, upgrade immediately! (CVE-2024-4040) (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-04-12 | CVE-2024-3400 | Command Injection vulnerability in Paloaltonetworks Pan-Os A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability. | 10.0 |