Is Your Firewall at Risk? 22,500 Palo Alto Firewalls Under Attack!


    According to recent reports, an estimated 22,500 Palo Alto Networks firewalls running GlobalProtect are exposed on the internet and potentially vulnerable to the critical CVE-2024-3400 flaw, which has been actively exploited in attacks since at least March 26, 2024.

    CVE-2024-3400 affects unpatched PAN-OS 10.2, 11.0 and 11.1 firewalls that have a GlobalProtect gateway or portal configured. An unauthenticated attacker can create an arbitrary file on the device and use that file to trigger a command injection, ending up executing commands with root privileges.

    On April 12, Palo Alto Networks published a security advisory urging customers to apply the interim mitigations immediately while patches were being developed. Fixes for the affected PAN-OS versions followed between April 14 and 18, 2024, so devices stayed without a patch for two to six days after public disclosure. The advisory was later updated to state that disabling device telemetry does not prevent exploitation, which leaves applying the patches as the only reliable fix.
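    The patch-status question raised above can be answered per device from the PAN-OS version string. The following Python is an example added here, not code from the article or from Palo Alto Networks. It encodes the three affected feature trains (10.2, 11.0, 11.1) and the first fixed release the vendor announced for each (10.2.9-h1, 11.0.4-h1, 11.1.2-h3); the later hotfixes for older maintenance releases are deliberately left out, so the check is conservative and will still flag a maintenance release that received its own hotfix, which an operator then confirms against the current advisory. The inventory records, hostnames and the `telemetry_disabled` field are constructed for illustration; the telemetry flag is accepted but never changes the verdict, for the reason given above.

```python
"""Conservative per-device triage of PAN-OS versions for CVE-2024-3400.

Added example; not vendor tooling. The fix table holds only the initial
fixed release per train, so the result errs on the side of flagging a device.
"""
import re
from typing import Dict, List, Tuple

# Feature trains the vendor advisory listed as affected, and only when a
# GlobalProtect gateway or portal is configured on the device.
AFFECTED_TRAINS = {(10, 2), (11, 0), (11, 1)}

# First fixed release announced for each affected train. Hotfixes for earlier
# maintenance releases came later and are intentionally not modelled here, so
# a device on such a hotfix will still be reported as "vulnerable": confirm it
# against the current vendor advisory before closing the ticket.
FIRST_FIX = {
    (10, 2): "10.2.9-h1",
    (11, 0): "11.0.4-h1",
    (11, 1): "11.1.2-h3",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '11.1.2-h3' into (11, 1, 2, 3); a release without -h is hotfix 0.

    Tuples compare element-wise, so '10.2.9' < '10.2.9-h1' < '10.2.10'.
    """
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def assess(version: str, globalprotect_configured: bool,
           telemetry_disabled: bool = False) -> str:
    """Classify one firewall.

    Returns one of:
      'not_affected'  - train not listed in the advisory (e.g. 10.1, 9.x)
      'patched'       - at or above the first fixed release of its train
      'not_exposed'   - affected code, but no GlobalProtect portal/gateway;
                        still patch before one is ever configured
      'vulnerable'    - affected train, below the fix, GlobalProtect in use

    `telemetry_disabled` is accepted for inventory completeness only: the
    vendor withdrew disabling telemetry as a mitigation, so it must not
    soften the verdict.
    """
    ver = parse_version(version)
    train = ver[:2]
    if train not in AFFECTED_TRAINS:
        return "not_affected"
    if ver >= parse_version(FIRST_FIX[train]):
        return "patched"
    if not globalprotect_configured:
        return "not_exposed"
    return "vulnerable"


def triage(inventory: List[Dict]) -> Dict[str, str]:
    """Map hostname -> verdict for a list of inventory records."""
    return {
        fw["host"]: assess(fw["version"], fw["gp_configured"],
                           fw.get("telemetry_disabled", False))
        for fw in inventory
    }


# Constructed sample inventory (hostnames and settings are illustrative).
SAMPLE_INVENTORY = [
    {"host": "fw-edge-1", "version": "11.1.2-h3", "gp_configured": True},
    {"host": "fw-edge-2", "version": "11.1.2", "gp_configured": True,
     "telemetry_disabled": True},  # telemetry off is NOT a fix
    {"host": "fw-dc-1", "version": "10.2.9", "gp_configured": True},
    {"host": "fw-dc-2", "version": "10.2.9-h1", "gp_configured": True},
    {"host": "fw-lab", "version": "10.2.8", "gp_configured": False},
    {"host": "fw-legacy", "version": "10.1.9", "gp_configured": True},
]

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:10} {verdict}")
```

    Note that the comparison is strictly within a train: a 10.2.9 device without the -h1 hotfix is reported as vulnerable even though 10.2.9 is the same maintenance number as the fix, and a device with GlobalProtect disabled is reported separately rather than as safe, because the vulnerable code is still present.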

    Initial exploitation of CVE-2024-3400 was attributed to a suspected state-backed threat actor tracked as UTA0218, which used the flaw to plant a custom backdoor named Upstyle on compromised firewalls.

    More recently, researchers have published technical details and a proof-of-concept exploit for CVE-2024-3400, showing how easily an unauthenticated attacker can compromise a vulnerable device. With the exploit now freely available, attacks from a wider range of threat actors have increased, and administrators have no reason to delay patching.

    Scans by GreyNoise confirm the escalation, showing a sharp rise in the number of unique IP addresses attempting to exploit CVE-2024-3400.

    Despite repeated warnings and the urgency of the situation, the Shadowserver Foundation still counted approximately 22,500 vulnerable instances as of April 18, 2024, indicating that many devices have yet to be patched or otherwise secured.


    The majority of the exposed devices are located in the United States (9,620), followed by Japan (960), India (890), Germany (790), the UK (780), Canada (620), Australia (580), and France (500).

    Another Shadowserver scan reported last week found more than 156,000 PAN-OS firewall instances exposed on the internet, although that figure did not distinguish how many of them were actually vulnerable.

    Last Friday, threat researcher Yutaka Sejiyama ran his own scans and identified approximately 82,000 exposed firewalls that were potentially vulnerable to CVE-2024-3400.

    Comparing these two estimates (about 22,500 still vulnerable out of roughly 82,000 potentially vulnerable), only about 73% of the exposed PAN-OS systems were patched within a week of the vulnerability's disclosure. The figure is approximate, since the two counts come from different scans using different methods.

    If you have not yet acted to protect your devices, follow the recommendations in the Palo Alto Networks security advisory, which has been updated repeatedly with new information and instructions on detecting and mitigating attacks. In practice that means checking which PAN-OS release each firewall runs, confirming whether a GlobalProtect gateway or portal is configured, upgrading to a fixed release, and reviewing any device that was exposed while unpatched for signs of compromise rather than assuming it is clean.
