Palo Alto Networks Patches ‘Critical’ Exploited Vulnerability In PAN-OS

The company says fixes are now available for the flaw affecting several versions of its PAN-OS firewall software. Meanwhile, researchers from Volexity say that a ‘spike in exploitation’ is likely.

Palo Alto Networks has made patches available for addressing a maximum-severity vulnerability affecting several versions of its PAN-OS firewall software.

The cybersecurity giant, which disclosed the “critical” issue Friday, continued to say on its advisory page Monday morning that only a “limited number of attacks” exploiting the vulnerability have been observed. The flaw affects the PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1 versions of the firewall software.


Patches for the issue, which were not immediately available Friday, have now been released, Palo Alto Networks said in an update to the advisory.

“This issue is fixed in hotfix releases of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and [will be fixed] in all later PAN-OS versions,” the company said in its advisory.

The patches come after more details emerged about the exploitation of the vulnerability, which was discovered by researchers at cybersecurity firm Volexity.

In a blog post, Volexity researchers wrote that they believe the vulnerability was exploited as far back as March 26, and that the attackers have sought to install a backdoor on the firewalls to enable continued execution of commands on the devices.

The researchers also said they see it as probable that the attacker — tracked by Volexity as “UTA0218” — is a state-sponsored group, though not one that is currently linkable to any prior threat activity.

“Volexity assesses that it is highly likely UTA0218 is a state-backed threat actor based on the resources required to develop and exploit a vulnerability of this nature, the type of victims targeted by this actor, and the capabilities displayed to install the Python backdoor and further access victim networks,” the researchers said.

Additionally, “it is likely a spike in exploitation will be observed over the next few days by UTA0218 and potentially other threat actors who may develop exploits for this vulnerability,” Volexity researchers wrote in the blog Friday.

That assessment is based on the history of public disclosures for major firewall vulnerabilities, the research team said.

Maximum-Severity Vulnerability

In its advisory, Palo Alto Networks has said that exploits of the flaw “may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.”

The vendor said the vulnerability (tracked as CVE-2024-3400) has been judged to be a “critical” issue, with the maximum severity rating of 10.0 out of 10.0.

The vulnerability was found in the GlobalProtect feature in PAN-OS firewalls, the company said. The issue is “applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled,” Palo Alto Networks said.

“Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability,” the company said.
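The two facts a defender needs from the article are the fixed hotfix releases (10.2.9-h1, 11.0.4-h1, 11.1.2-h3, and later releases in those trains) and the exposure condition (GlobalProtect gateway or portal plus device telemetry enabled). The following triage helper is an added example, not code from the article, Palo Alto Networks or Volexity. It assumes the PAN-OS version format `major.minor.maintenance[-hN]`, treats "all later PAN-OS versions" as any release in the same feature train at or above the named hotfix, and models only the three fixed releases quoted in the article; the version strings and configuration flags fed to it are constructed inputs, and how you obtain them from a real device is left to your own inventory tooling.

```python
import re
from typing import Dict, Tuple

# Fixed releases as quoted from the advisory in the article. Anything the
# vendor may list beyond these three is not modelled here (assumption).
FIXED_RELEASES: Dict[Tuple[int, int], str] = {
    (10, 2): "10.2.9-h1",
    (11, 0): "11.0.4-h1",
    (11, 1): "11.1.2-h3",
}

# major.minor.maintenance with an optional "-hN" hotfix suffix (assumed format).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '11.1.2-h3' into (11, 1, 2, 3); a release without a hotfix gets 0.

    The hotfix is the least significant component, so '10.2.9' sorts below
    '10.2.9-h1' and '10.2.10' sorts above both.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = match.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def needs_patch(version: str) -> bool:
    """True when the version is in an affected train and below the fixed hotfix."""
    parsed = parse_version(version)
    train = parsed[:2]
    if train not in FIXED_RELEASES:
        # 10.1, 9.1 and other trains are outside the advisory's affected list.
        return False
    return parsed < parse_version(FIXED_RELEASES[train])


def triage(version: str, gp_gateway: bool, gp_portal: bool, telemetry: bool) -> str:
    """Classify one firewall using the article's version and configuration criteria."""
    if not needs_patch(version):
        return "not affected or already patched"
    exposed = (gp_gateway or gp_portal) and telemetry
    if exposed:
        return "vulnerable: unpatched and exposed configuration; patch now"
    return "unpatched but configuration not exposed; schedule the hotfix"


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, version, gateway, portal, telemetry).
    inventory = [
        ("fw-edge-01", "10.2.8", True, False, True),
        ("fw-edge-02", "10.2.9-h1", True, True, True),
        ("fw-dc-01", "11.1.2-h2", False, True, False),
        ("fw-lab-01", "10.1.14", True, True, True),
    ]
    for host, ver, gw, portal, tel in inventory:
        print(f"{host:12} {ver:10} {triage(ver, gw, portal, tel)}")
```

Sort order matters more than it looks: a naive string comparison would rank `10.2.10` below `10.2.9-h1`, and a comparison that ignores the hotfix suffix would report `10.2.9` as fixed. Parsing into an integer tuple with the hotfix as the last element handles both cases.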