ClickCease Palo Alto Zero-Day Attack: PAN-OS Flaw Actively Exploited

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

Palo Alto Zero-Day Attack: PAN-OS Flaw Actively Exploited

Wajahat Raja

April 25, 2024 - TuxCare expert team

Palo Alto Networks, a leading cybersecurity company, has recently issued a warning about a critical vulnerability in its PAN-OS software, specifically affecting its GlobalProtect gateways. The Palo Alto zero-day attack flaw, identified as CVE-2024-3400, carries a maximum CVSS severity score of 10.0, reflecting the critical risk it poses to users. It allows unauthenticated attackers to execute arbitrary code with root privileges on the firewall, posing a severe threat to affected systems.


Command Injection Vulnerability – Palo Alto Exploit In The Wild

The main concern with the
Palo Alto zero-day attack is a command injection issue within the GlobalProtect feature of PAN-OS. This flaw could allow an unauthenticated attacker to execute arbitrary code with root privileges on the firewall, presenting a significant risk to affected systems. 

According to an advisory published by Palo Alto Networks, the vulnerability can affect certain versions of PAN-OS, depending on specific configurations. The versions that have been  impacted include:


  • PAN-OS versions earlier than 11.1.2-h3
  • PAN-OS versions earlier than 11.0.4-h1
  • PAN-OS versions earlier than 10.2.9-h1


The cybersecurity zero-day vulnerability is currently being exploited in the wild, making it crucial for affected users to take immediate action. If GlobalProtect gateway and device telemetry are configured, the risk of exploitation is significantly higher. It’s essential for organizations running these affected versions to apply patches as soon as they become available.


Details of the Palo Alto Zero-Day Attack and Exploitation

Palo Alto Networks security breach was first identified by Volexity researchers on April 10 after alerts about suspicious network traffic were detected from a customer’s firewall. Further investigation revealed that the attacker, tracked as UTA0218, had been exploiting the vulnerability since March 26.


Exploits Targeting Palo Alto devices

During their investigation, researchers found that the attacker remotely exploited the bug to create a reverse shell, allowing them to download and execute post-exploitation tools, including a novel Python-based backdoor. This custom backdoor, called UPSTYLE, enables attackers to run additional commands on the device through specially crafted network requests.

The attacker’s primary focus was on exporting configuration data from the devices and using it to move laterally within the victim’s organization. This cyber threat Palo Alto vulnerability can have serious consequences for network security and integrity.

Critical Security Flaw Palo Alto Networks Mitigation Measures 

While awaiting the official patches,
Palo Alto Networks recommends temporarily disabling device telemetry to mitigate the risk. Customers are advised to check their firewall web interfaces for entries indicating whether GlobalProtect gateway and device telemetry are configured. Although a temporary solution, this measure can help reduce the risk of exploitation until the fixes are ready.


Palo Alto Networks security advisor
y provides essential guidance on mitigating cybersecurity risks. Impacted users of the cyber attack on Palo Alto firewalls are strongly urged to apply patches as soon as they are available to secure their systems against potential attacks. In the meantime, following the suggested mitigation measures can provide some level of protection. 

Additionally, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its known exploited vulnerabilities catalog, emphasizing the importance of patching affected systems promptly. Federal agencies have a deadline of April 19 to patch the flaw.


In summary, the critical
Palo Alto Networks cybersecurity incident poses a significant threat to organizations that use the GlobalProtect feature in PAN-OS. It is essential for organizations using impacted versions of PAN-OS to apply mitigations and patches as soon as possible to protect their systems from attack.

Keeping your systems up to date with the latest security patches is crucial to maintaining the integrity and security of your network infrastructure. Organizations should stay vigilant and monitor for any signs of exploitation to promptly address any security incidents.

The sources for this piece include articles in The Hacker News and Decipher.

Palo Alto Zero-Day Attack: PAN-OS Flaw Actively Exploited
Article Name
Palo Alto Zero-Day Attack: PAN-OS Flaw Actively Exploited
Learn about the critical Palo Alto zero-day attack, its impact on PAN-OS software, and how to protect your systems. Get the latest updates.
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter