Critical Exploit CVE-2024-3400 Vulnerability Leveraging UVM, CTEM and ASPM to Remediate in this Palo Alto Exploit

palo alto CVE-2024-3400, exploit, aspm, injection
palo alto CVE-2024-3400, exploit, aspm, injection, cvss 10, Palo Alto Networks Firewall Vulnerability, Zero-Day Exploit, Cyber Threat Exposure Management (CTEM)
Unified Vulnerability Management (UVM), Advanced Security Posture Management (ASPM)

A recent discovery, on April 10 2024, by a research group has identified zero-day exploitation of a vulnerability found within the GlobalProtect feature of Palo Alto Networks PAN-OS at one of its network security monitoring (NSM) customers, recently published by CISA in CISA KEV. Check this article on the details for CVE-2024-3400 and how to track remediation.

The threat actor, exploiting the vulnerability, now named under the alias UTA0218, was able to remotely exploit the firewall device, create a reverse shell, and download further tools onto the device. This is an entry point for future exploitation and penetration of the network. 

palo alto CVE-2024-3400, exploit, aspm, injection, cvss 10, Palo Alto Networks Timeline

Image timeline AI generated

Despite being present in CISA and not in KEV the vulnerability is currently unpatched. Patches are expected to be available by Sunday, April 14, 2024.

Note: Palo Alto Networks customers are only vulnerable if they are using PAN-OS 10.2, PAN-OS 11.0, and/or PAN-OS 11.1 firewalls with the configurations for both GlobalProtect gateway and device telemetry enabled.

palo alto CVE-2024-3400, exploit, aspm, injection, affected versions,Palo Alto Networks Firewall Vulnerability

CISA in CISA KEV has promptly released a statement: https://www.cisa.gov/news-events/alerts/2024/04/12/palo-alto-networks-releases-guidance-vulnerability-pan-os-cve-2024-3400 

Get a free assessment and remediation guidance

Patch/Fix CVE-2024-3400 for Palo Alto

Palo Alto releases a patch for PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and in all later PAN-OS versions.

Hotfixes for other commonly deployed maintenance releases will also be available to address this issue. Please see the details below for ETAs regarding the upcoming hotfixes.PAN-OS 10.2:


- 10.2.9-h1 (Released 4/14/24)
- 10.2.8-h3 (ETA: 4/15/24)
- 10.2.7-h8 (ETA: 4/15/24)
- 10.2.6-h3 (ETA: 4/15/24)
- 10.2.5-h6 (ETA: 4/16/24)
- 10.2.3-h13 (ETA: 4/17/24)
- 10.2.1-h2 (ETA: 4/17/24)
- 10.2.2-h5 (ETA: 4/18/24)
- 10.2.0-h3 (ETA: 4/18/24)
- 10.2.4-h16 (ETA: 4/19/24)

PAN-OS 11.0:
- 11.0.4-h1 (Released 4/14/24)
- 11.0.3-h10 (ETA: 4/15/24)
- 11.0.2-h4 (ETA: 4/16/24)
- 11.0.1-h4 (ETA: 4/17/24)
- 11.0.0-h3 (ETA: 4/18/24)

PAN-OS 11.1:
- 11.1.2-h3 (Released 4/14/24)
- 11.1.1-h1 (ETA: 4/16/24)
- 11.1.0-h3 (ETA: 4/17/24)

Workaround for CVE-2024-3400 by Palo Alto

OPT 1 – Enable threat prevention

Palo Alto customer that have Threat Prevention subscriptions can block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682).

After enabling Threat ID 95187, ensure that vulnerability protection has been applied to their GlobalProtect interface to prevent exploitation of this issue on their device. https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184 for more information.

If you are unable to apply the Threat Prevention based mitigation at this time, you can still mitigate the impact of this vulnerability by temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version. Once upgraded, device telemetry should be re-enabled on the device.

Option 2 – Disable the feature 

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/device-telemetry/device-telemetry-configure/device-telemetry-disable.

Understanding CVE-2024-3400 and exploitation analysis

CVE-2024-3400 represents a critical unauthenticated remote code execution flaw impacting GlobalProtect within select versions of Palo Alto Networks’ PAN-OS. This command injection vulnerability demands no special conditions for execution, offering a low-barrier route and operating with root-level privileges, the highest access within a system.

Distribution of palo alto potentially vulnerable firewalls 

This severe vulnerability allows attackers to execute arbitrary code with root privileges without requiring user interaction or any authentication, earning it a CVSS score of 10.0—indicating its critical nature. As per the timeline and IoC, there is evidence of exploitation even if the EPSS values are still low and there is no mass evidence of exploitation. Currently, there are 514K Palo Alto firewalls globally exposed with presence from United States, India and China

To get the latest update, those are the strings to search

Shodan (41,662): http.html_hash:-1303565546

Censys (41,163): services.http.response.body_hash=”sha1:28f1cf539f855fff3400f6199f8912908f51e1e1″

The current distribution might include several honeypots.

Currently, there is evidence of exploitation at scale with new appliance being discovered

shadowserver, palo alto CVE-2024-3400, exploit, aspm, injection, affected versions,Palo Alto Networks Firewall Vulnerability

Check out the following for full details : https://dashboard.shadowserver.org/statistics/iot-devices/map/?day=2024-04-15&vendor=palo+alto+networks&model=globalprotect&geo=all&data_set=count&scale=log

Exploit Details and Detection Challenges of CVE-2024-3400

The exploit for CVE-2024-3400 operates through a straightforward XML RPC request that embeds malicious code within an XML tag, specifically

<cmd code="ping">OS command exploit is there</cmd>

This attack method underscores the need for robust API security, campaign management and injection remediation as defence in depth techniques. This vulnerability can circumvent traditional defenses like Web Application Firewalls (WAF) and Intrusion Prevention Systems (IPS) through sophisticated XML obfuscation techniques.

For entities deploying Palo Alto Networks’ PAN-OS, it’s essential to understand that while interactions with the /api endpoint may be visible in system logs, the exploit’s payload hidden within the XML body remains unlogged in standard access.log or other log files. This gap highlights the vital importance of integrating a specialized API security solution to monitor and safeguard these entry points effectively.

Given the intricate nature of these security challenges, network administrators must expand their monitoring to include a comprehensive analysis of all API traffic, with a particular emphasis on XML data, which might not usually be recorded. Adopting an advanced API security system is imperative to provide the enhanced level of oversight necessary to identify and neutralize such concealed exploits efficiently. This approach not only strengthens security protocols but also bolsters your organization’s defence against increasingly sophisticated cyber threats.

CVE-2024-3400
Palo Alto Networks Firewall Vulnerability
GlobalProtect PAN-OS Exploit
Unauthenticated Remote Code Execution
Network Security Vulnerability Management
Cybersecurity Threat Identification
Firewall Patch Management
Vulnerability Remediation Solutions
Zero-Day Exploit Protection
Threat Prevention Strategies
Cyber Attack Mitigation
Advanced Security Posture Management (ASPM)
Cyber Threat Exposure Management (CTEM)
Unified Vulnerability Management (UVM)
PAN-OS 10.2, 11.0, 11.1 Security

Credit Volexity exploitation

GitHub’s Response to CVE-2024-3400 exploits

Aside from the direct evidence of exploitation for CVE-2024-3400, GitHub has actively started to remove repositories containing exploits and proof-of-concept (POC) code related to this vulnerability. An example of such swift action can be seen with the removal of one of the first exploits published for this issue, available at https://github.com/DrewskyDev/CVE-2024-3400, which was uploaded on April 12th. Despite GitHub’s efforts to curb the spread of this exploit, numerous other resources and platforms have already distributed this POC, indicating rapid dissemination across the cyber community.

CVE-2024-3400, Github, Exploits

Evidence of Exploitation for CVE-2024-3400

Evidence from security firms like Volexity has shown active exploitation of CVE-2024-3400. Attackers have been observed deploying a custom Python backdoor known as UPSTYLE and utilizing the vulnerability to establish a reverse shell, exfiltrate sensitive data, and move laterally within networks. The existence of zero-byte files on compromised devices serves as an initial indicator of exploitation, highlighting the attackers’ attempts to test and validate their access.

YARA Rules for Detection CVE-2024-3400

The cybersecurity community has developed YARA rules to aid in the detection of CVE-2024-3400 exploits. These rules are designed to scan systems for signs of the UPSTYLE backdoor and other malicious artifacts associated with the exploitation. For instance, a YARA rule may look for specific binary patterns or metadata within files that match the characteristics of the malware used in the attacks.

Scheduling Campaigns for CVE-2024-3400

Unified Vulnerability management (UVM) and/or Cyber Attack Surface management platforms (CTEM) like the ASPM platform enable organizations to schedule regular scanning campaigns focusing on specific vulnerabilities like CVE-2024-3400. These campaigns are designed to detect any attempts to exploit the vulnerability, ensuring that all systems are consistently monitored and protected. By leveraging these scheduled campaigns, organizations can proactively manage their security posture, adapting to new threats as they arise.

Indicator of Compromise for CVE-2024-3400

Name(s)update.py
Size5.1KB (5187 Bytes)
File Typetext/plain
MD50c1554888ce9ed0da1583dbdf7b31651
SHA1988fc0d23e6e30c2c46ccec9bbff50b7453b8ba9
SHA2563de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac
VirusTotal First SubmittedN/A

Yara rules and another indicator of compromise are available at CVE-2024-3400

How Phoenix Security ASPM and UVM Can Help Identify and schedule a campaign for CVE-2024-3400 Palo alto critical vulnerability

attack graph phoenix security
ASPM

Phoenix Security helps organizations identify and trace which systems are compromised with vulnerabilities, understanding the relation between code and the cloud. The complexity of this vulnerability derives from the widespread of implementation as well as 3rd party suppliers that might be affected by it. Unified Vulnerability Management and ASPM tools can scan the application portfolio to identify instances of vulnerable Linux and which version is exploitable, mapping out where it is deployed across the organization.

Phoenix campaigns in ASPM and in the Unified Vulnerability Management UVM module allow you to address CVE-2024-3400 in bulk with other.

Phoenix Security CVE-2024-3400
Palo Alto Networks Firewall Vulnerability
GlobalProtect PAN-OS Exploit
Unauthenticated Remote Code Execution
Network Security Vulnerability Management
Cybersecurity Threat Identification
Firewall Patch Management
Vulnerability Remediation Solutions
Zero-Day Exploit Protection
Threat Prevention Strategies
Cyber Attack Mitigation
Advanced Security Posture Management (ASPM)
Cyber Threat Exposure Management (CTEM)
Unified Vulnerability Management (UVM)
PAN-OS 10.2, 11.0, 11.1 Security

Import vulnerabilities or scan your system externally, leveraging the ASPM and UVM external attack surface to pinpoint all instances of the affected PAN-OS versions—10.2, 11.0, and 11.1. Its deep integration capabilities enable it to interface seamlessly with existing network architecture, providing a comprehensive audit of systems using the GlobalProtect gateway with device telemetry features enabled.

Prioritizing Exposed Systems:

With the inherent capability to assess exposure levels, Phoenix prioritizes remediation efforts based on risk and exposure. More exposed systems—such as those facing the internet or containing sensitive data—are bumped up in the remediation queue, ensuring that the most vulnerable assets are secured first.

Prioritize and Structure Remediation Campaign addressing CVE-2024-3400 in bulk.

palo alto CVE-2024-3400, exploit, aspm, injection, cvss 10, Palo Alto Networks Firewall Vulnerability, Zero-Day Exploit, Cyber Threat Exposure Management (CTEM)
Unified Vulnerability Management (UVM), Advanced Security Posture Management (ASPM)
Phoenix Security
remediation campaign

Streamlined Remediation:

palo alto CVE-2024-3400, exploit, aspm, injection, cvss 10, Palo Alto Networks Firewall Vulnerability, Zero-Day Exploit, Cyber Threat Exposure Management (CTEM)
Unified Vulnerability Management (UVM), Advanced Security Posture Management (ASPM)

Tracking Remediation:

Phoenix’s real-time ASPM and UVM dashboard offers organizations a bird’s-eye view of the remediation process. It tracks the progress of patch deployments and the status of applied workarounds, ensuring that IT teams are informed at every step. Phoenix’s granular reporting enables organizations to monitor which systems are secured and which still require attention.

Get in control of your Application Security posture and Vulnerability management

Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.

Discuss this blog with our community on Slack

Join our AppSec Phoenix community on Slack to discuss this blog and other news with our professional security team

From our Blog

The 2024 CWE Top 25 is out, and it’s no casual stroll through the vulnerability garden—especially when ransomware operators are busy planting path traversal exploits, while bug bounty hunters dig up endless injection flaws. In this blog, we examine the biggest risers, the most surprising dips, and the divergence between real-world exploit data and official CWE rankings. We’ll also reveal how AI-driven ASPM (Application Security Posture Management) and Phoenix Security’s contextual risk-based approach unite to help you focus on your most pressing threats. After all, not all flaws are created equal—some are simply more mischievous than others.
Francesco Cipollone
The 2024 CWE Top 25 list highlights the most dangerous software weaknesses. This article explores the methodology behind the list and how AI is improving threat detection. Discover how Application Security Posture Management (ASPM) and unified vulnerability management can help organizations address these critical threats.
Francesco Cipollone
Phoenix Security kicks off 2025 with recognition from Gartner Digital Markets through GetApp, solidifying its position as a leader in Application Security Posture Management (ASPM). Recognised for best customer success and support in ASPM, Phoenix Security empowers organisations with comprehensive, contextual vulnerability management and actionable cybersecurity solutions. With a user-friendly interface, robust real-time monitoring, and seamless risk prioritisation, the platform reduces alert fatigue while delivering precise remediation. As a cloud security leader, Phoenix Security continues to innovate, partnering with enterprises like LastPass and ClearBank to tackle the modern cybersecurity landscape head-on.
Francesco Cipollone
Discover how Phoenix Security is revolutionizing vulnerability management with its latest advancements in Application Security Posture Management (ASPM). From contextual deduplication to container version monitoring, this update empowers teams to prioritize vulnerabilities, streamline workflows, and strengthen application security. Dive into new integrations, enhanced asset details, and smarter risk management tools designed for modern security challenges.
Alfonso Eusebio
Phoenix Security’s Application Security Posture Management (ASPM) introduces Reachability Analysis and Contextual Deduplication to revolutionize vulnerability management. These features help security teams prioritize risks by correlating vulnerabilities from code to runtime, focusing on what’s exploitable. With contextual deduplication, Phoenix reduces vulnerability noise by up to 95%, ensuring only real threats are addressed. Stay ahead with 4D Risk Quantification, combining business criticality, network, and runtime reachability for smarter, more effective security.- Associate assets with multiple Applications and Environments – Mapping of vulnerabilities to Installed Software – Find Assets/Vulns by Scanner – Detailed findings Location information Risk-based Posture Management – Risk and Risk Magnitude for Assets – Filter assets and vulnerabilities by source scanner Integrations – BurpSuite XML Import – Assessment Import API Other Improvements – Improved multi-selection in filters – New CVSS Score column in Vulnerabilities
Alfonso Eusebio
Derek

Derek Fisher

Head of product security at a global fintech

Derek Fisher – Head of product security at a global fintech. Speaker, instructor, and author in application security.

Derek is an award winning author of a children’s book series in cybersecurity as well as the author of “The Application Security Handbook.” He is a university instructor at Temple University where he teaches software development security to undergraduate and graduate students. He is a speaker on topics in the cybersecurity space and has led teams, large and small, at organizations in the healthcare and financial industries. He has built and matured information security teams as well as implemented organizational information security strategies to reduce the organizations risk.

Derek got his start in the hardware engineering space where he learned about designing circuits and building assemblies for commercial and military applications. He later pursued a computer science degree in order to advance a career in software development. This is where Derek was introduced to cybersecurity and soon caught the bug. He found a mentor to help him grow in cybersecurity and then pursued a graduate degree in the subject.

Since then Derek has worked in the product security space as an architect and leader. He has led teams to deliver more secure software in organizations from multiple industries. His focus has been to raise the security awareness of the engineering organization while maintaining a practice of secure code development, delivery, and operations.

In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

Jeevan Singh

Jeevan Singh

Founder of Manicode Security

Jeevan Singh is the Director of Security Engineering at Rippling, with a background spanning various Engineering and Security leadership roles over the course of his career. He’s dedicated to the integration of security practices into software development, working to create a security-aware culture within organizations and imparting security best practices to the team.
In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

James

James Berthoty

Founder of Latio Tech

James Berthoty has over ten years of experience across product and security domains. He founded Latio Tech to help companies find the right security tools for their needs without vendor bias.

christophe

Christophe Parisel

Senior Cloud Security Architect

Senior Cloud Security Architect

Chris

Chris Romeo

Co-Founder
Security Journey

Chris Romeo is a leading voice and thinker in application security, threat modeling, and security champions and the CEO of Devici and General Partner at Kerr Ventures. Chris hosts the award-winning “Application Security Podcast,” “The Security Table,” and “The Threat Modeling Podcast” and is a highly rated industry speaker and trainer, featured at the RSA Conference, the AppSec Village @ DefCon, OWASP Global AppSec, ISC2 Security Congress, InfoSec World and All Day DevOps. Chris founded Security Journey, a security education company, leading to an exit in 2022. Chris was the Chief Security Advocate at Cisco, spreading security knowledge through education and champion programs. Chris has twenty-six years of security experience, holding positions across the gamut, including application security, security engineering, incident response, and various Executive roles. Chris holds the CISSP and CSSLP certifications.

jim

Jim Manico

Founder of Manicode Security

Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. Jim is also the founder of Brakeman Security, Inc. and an investor/advisor for Signal Sciences. He is the author of Iron-Clad Java: Building Secure Web Applications (McGraw-Hill), a frequent speaker on secure software practices, and a member of the JavaOne Rockstar speaker community. Jim is also a volunteer for and former board member of the OWASP foundation.

Join our Mailing list!

Get all the latest news, exclusive deals, and feature updates.

The IKIGAI concept
x  Powerful Protection for WordPress, from Shield Security
This Site Is Protected By
ShieldPRO