CVE-2024-3400: Critical Vulnerability in GlobalProtect Feature of PAN-OS being Actively Exploited


On 12 April 2024, Palo Alto Networks published a security advisory for an actively exploited, maximum-severity vulnerability (CVE-2024-3400, CVSS 10.0) in the GlobalProtect feature of PAN-OS. The initial advisory scoped the issue to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls with both a GlobalProtect gateway and device telemetry enabled; Palo Alto Networks has since revised the advisory to state that a GlobalProtect gateway or portal alone is sufficient and that device telemetry does not need to be enabled, so any firewall on an affected release with GlobalProtect configured should be treated as in scope. An unauthenticated remote threat actor can exploit this vulnerability to execute arbitrary code with root privileges on the firewall. 

CVE-2024-3400 does not impact Cloud NGFW, Panorama appliances, Prisma Access, or other PAN-OS versions. Palo Alto Networks is developing patches for the affected PAN-OS releases, which are expected by 14 April 2024. In the meantime, the vendor has provided recommended actions and workarounds to reduce the risk of exploitation. 

This vulnerability was identified as a zero-day by Volexity, which during its investigation observed the threat actor, tracked as UTA0218, installing a custom Python backdoor named UPSTYLE on firewall devices. Following the initial compromise, the threat actor downloaded additional tooling from remote servers under its control onto the compromised firewalls and used them as a foothold into victims' internal networks. Subsequent lateral movement within those networks allowed the actor to extract sensitive credentials and files. 

Notably, this is not the first time threat actors have targeted GlobalProtect: a similar pre-authentication vulnerability (CVE-2019-1579) was exploited in 2019. Because it is widely deployed as the remote-access entry point into corporate networks, GlobalProtect remains an attractive target. 

Recommendation for CVE-2024-3400

Follow Palo Alto Networks Guidance Until Release of Fixed PAN-OS Versions

Arctic Wolf strongly recommends upgrading affected firewalls to the fixed releases as soon as they are available. Palo Alto Networks has stated that the vulnerability will be fixed in upcoming hotfix releases of PAN-OS, expected by 14 April 2024. 

Product       Affected Versions              Fixed Version
PAN-OS 11.1   Versions prior to 11.1.2-h3    11.1.2-h3 (under development; expected by 14 April 2024)
PAN-OS 11.0   Versions prior to 11.0.4-h1    11.0.4-h1 (under development; expected by 14 April 2024)
PAN-OS 10.2   Versions prior to 10.2.9-h1    10.2.9-h1 (under development; expected by 14 April 2024)

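As an added example (not code from the advisory or from Arctic Wolf), the following script checks a firewall's running PAN-OS version against the fixed-version table above. It parses the `sw-version` line of `show system info` output and handles the `-hN` hotfix suffix correctly, so that `11.1.2` sorts before `11.1.2-h3` while `11.1.3` does not. The sample CLI output embedded in the script is constructed; the hostname and model are placeholders.

```python
"""Check a PAN-OS version string against the fixed versions for CVE-2024-3400.

Added example, not vendor or Arctic Wolf code. Parses the ``sw-version`` line
of ``show system info`` output and compares it with the fixed-version table
published for CVE-2024-3400. The sample CLI output below is constructed.
"""
import re

# Fixed versions per the advisory table. Anything earlier in the same
# major.minor train is affected; trains not listed here are out of scope
# (the advisory states other PAN-OS versions are not impacted).
FIXED_VERSIONS = {
    (10, 2): "10.2.9-h1",
    (11, 0): "11.0.4-h1",
    (11, 1): "11.1.2-h3",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(ver):
    """Turn '11.1.2-h3' into the comparable tuple (11, 1, 2, 3).

    A base release without a hotfix suffix sorts before its hotfixes
    (11.1.2 -> (11, 1, 2, 0), which is less than (11, 1, 2, 3)).
    """
    m = _VERSION_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {ver!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_affected(ver):
    """True if the version is in a listed train and older than its fix.

    False for fixed (or later) versions and for trains the advisory does
    not list, such as 10.1 or 9.1.
    """
    parsed = parse_version(ver)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return False
    return parsed < parse_version(fixed)


def sw_version_from_system_info(text):
    """Extract the sw-version value from 'show system info' output, or None."""
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "sw-version":
            return value.strip()
    return None


# Constructed sample of 'show system info' output (fields abbreviated,
# hostname and model are placeholders).
SAMPLE_SYSTEM_INFO = """\
hostname: fw-edge-01
model: PA-3260
sw-version: 11.1.2-h1
global-protect-client-package-version: 6.2.2
"""

if __name__ == "__main__":
    ver = sw_version_from_system_info(SAMPLE_SYSTEM_INFO)
    status = "AFFECTED" if is_affected(ver) else "not affected"
    print(f"sw-version {ver}: {status}")
```

Version status alone does not tell you whether GlobalProtect is configured on the device, so a version that reports as affected still needs the exposure check (is a GlobalProtect gateway or portal enabled?) before prioritising it; and a firewall that reports as "not affected" because it runs an unlisted train should still be confirmed against the current vendor advisory.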

Until the patch is available, Palo Alto Networks advises customers with a Threat Prevention subscription to block exploitation attempts by enabling Threat ID 95187, introduced in Applications and Threats content version 8833-8682. The signature only protects the firewall if a vulnerability protection profile is actually applied to the GlobalProtect interface, so confirm that vulnerability protection is enforced on that interface rather than assuming the content update alone is sufficient. 

Workaround (Optional) 

If the recommended approach cannot be applied, Palo Alto Networks' initial guidance was to temporarily disable device telemetry until the firewall is upgraded to a fixed PAN-OS version, and to re-enable it after upgrading. Palo Alto Networks has since updated its advisory to state that disabling device telemetry is not an effective mitigation for CVE-2024-3400, so this workaround should be treated as superseded; rely on the Threat Prevention signature and upgrade to a fixed release as soon as possible. 

References 

  1. Palo Alto Networks Security Advisory: CVE-2024-3400 
  2. Volexity CVE-2024-3400 Exploitation Report 
  3. Applying Vulnerability Protection on GlobalProtect Interfaces 
  4. Disabling Device Telemetry 
  5. Palo Alto Networks Security Advisory: CVE-2019-1579 

Andres Ramos

Andres Ramos is a Threat Intelligence Researcher at Arctic Wolf with a strong background in tracking emerging threats and producing actionable intelligence for both technical and non-technical stakeholders. He has a diverse background encompassing various domains of cyber security, holds a degree in Cybersecurity Engineering, and is a CISSP.