CVE-2024-3400: Critical Palo Alto Command Injection Vulnerability
Summary
Patches are now available for the critical severity GlobalProtect vulnerability disclosed late last week. These servers are easily identifiable, and our current data shows over 80 thousand Internet-visible GlobalProtect instances.
While initial exploit attempts appear to be from a single threat actor, it seems inevitable that exploit activity will quickly ramp up as more details on the underlying vulnerability come to light.
At this point we would advise anybody with vulnerable instances to check for indications of compromise and to apply the vendor patches or mitigations as soon as possible.
This marks yet another unfortunate case where the very technology that is supposed to protect organisations does exactly the opposite. If you are looking for help monitoring your own organisation for Internet-visible vulnerabilities then get in touch today.
Further Reading
Vendor Security Advisory and Patch Details:
NIST CVE Details:
Related Exploit Activity:
Initial detection of exploit attempts:
Cyber➾Guard: Including continuous attack-surface vulnerability monitoring: