PT-2024-2752 · Palo Alto Networks · Pan-Os

Steven Adair · Published 2024-04-12 · Updated 2026-01-15 · CVE-2024-3400

CVSS v3.1: 10
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Palo Alto Networks PAN-OS versions 10.2, 11.0, and 11.1

Description

The GlobalProtect feature of Palo Alto Networks PAN-OS is affected by an unauthenticated remote code execution (RCE) vulnerability (CVE-2024-3400) with a CVSS score of 10.0. It allows attackers to execute arbitrary code with root privileges on the firewall. The vulnerability is a command injection flaw resulting from arbitrary file creation. Attackers have been observed exploiting it in the wild since March 26, 2024, with some reports indicating activity by the threat actor known as UTA0218. Exploitation involves leveraging a path traversal vulnerability to write files and then executing commands. Attackers have been observed deploying a Python backdoor, UPSTYLE. Approximately 24,000 systems were observed being scanned for this vulnerability. The API endpoint /ssl-vpn/hipreport.esp is involved in the exploitation.

Recommendations

Apply the hotfixes released by Palo Alto Networks to address CVE-2024-3400. Prioritize patching systems running vulnerable versions of PAN-OS (10.2, 11.0, and 11.1).

Exploit

Fix

RCE

Command Injection

Weakness Enumeration

Related Identifiers

BDU:2024-02881
CVE-2024-3400
GO-2024-2730

Affected Products

Pan-Os