Trellix Insights

Description

On April 10, 2024, Volexity discovered a zero-day vulnerability being exploited in the GlobalProtect feature of Palo Alto Networks PAN-OS at one of its network security monitoring (NSM) customers. The attack involved remote exploitation of the firewall device by threat actor UTA0218, who created a reverse shell and downloaded additional tools onto the compromised device. Subsequently, on April 11, 2024, another NSM customer experienced identical exploitation by the same threat actor. The attacker's focus was on extracting configuration data from the compromised devices and using it to move laterally within the victim organizations. Volexity collaborated closely with its customers and Palo Alto Networks PSIRT to investigate the root cause of the compromise. This cooperative effort led to the confirmation of the vulnerability as an OS command injection issue, assigned CVE-2024-3400. It is an unauthenticated remote code execution vulnerability with a CVSS base score of 10.0. The Trellix Threat Intelligence Group (TIG) gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports. This campaign was researched by Volexity and shared publicly https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/