2022-08-23 Threatpost

CISA Warns: Palo Alto PAN-OS Zero‑Day Under Active Attack – Patch Now

Tags: Zero-Day, Vulnerability, Incident Response

The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency advisory on Tuesday urging organizations to immediately patch a critical command‑injection flaw in Palo Alto Networks’ PAN‑OS firewall software. The vulnerability, tracked as CVE‑2024‑3400, has been observed being actively exploited in the wild, giving threat actors a foothold to execute arbitrary code on vulnerable devices. CISA added the flaw to its Known Exploited Vulnerabilities catalog, signalling a high level of risk for any internet‑facing PAN‑OS management interfaces.

CVE‑2024‑3400 resides in the GlobalProtect feature of PAN‑OS and allows an unauthenticated remote attacker to inject shell commands via a specially crafted request to the management web UI. Affected versions include PAN‑OS 10.2 before 10.2.9‑h2, 11.0 before 11.0.4‑h4, and 11.1 before 11.1.2‑h6. Palo Alto Networks released patched builds for each branch and recommends upgrading to 10.2.9‑h2, 11.0.4‑h4, or 11.1.2‑h6 for the respective branch. As an interim mitigation, organizations can disable the GlobalProtect gateway service or restrict management interface access to trusted IP ranges only.
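As an added example (not code from the Threatpost article or from Palo Alto Networks), the following Python check maps a PAN‑OS version string onto the affected branches and fixed builds listed above, treating a build with no hotfix suffix as older than any `-hN` hotfix of the same build; the inventory it walks is constructed sample data.

```python
import re
from typing import Tuple

# Fixed builds per branch, exactly as the advisory above lists them. Only the
# 10.2 / 11.0 / 11.1 branches are named as affected, so any other branch is
# reported as "branch-not-listed" rather than assumed safe.
FIXED_BUILDS = {
    (10, 2): "10.2.9-h2",
    (11, 0): "11.0.4-h4",
    (11, 1): "11.1.2-h6",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '11.1.2-h6' into (11, 1, 2, 6). A build without a hotfix suffix
    gets hotfix 0, so '10.2.9' sorts below '10.2.9-h2' and above '10.2.8'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def assess_cve_2024_3400(version: str) -> str:
    """Return 'vulnerable', 'patched' or 'branch-not-listed' for one PAN-OS
    version, comparing it only against the fixed build of its own branch."""
    parsed = parse_panos_version(version)
    fixed = FIXED_BUILDS.get(parsed[:2])
    if fixed is None:
        return "branch-not-listed"
    return "patched" if parsed >= parse_panos_version(fixed) else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory (hostname -> running PAN-OS version).
    inventory = {
        "fw-edge-01": "10.2.8",
        "fw-edge-02": "10.2.9-h2",
        "fw-dc-01": "11.1.2-h5",
        "fw-lab-01": "9.1.16",
    }
    for host, ver in inventory.items():
        print(f"{host:12} {ver:12} {assess_cve_2024_3400(ver)}")
```

A device on a branch reported as "branch-not-listed" still needs to be checked against the vendor's current advisory, since this check knows only the three branches quoted above.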

Security researchers have linked the exploitation to multiple ransomware groups and at least one advanced persistent threat (APT) cluster that is using the flaw to gain initial access into corporate networks. Indicators of compromise (IOCs) include unusual outbound connections from the firewall’s management IP and anomalous GET requests to the /ssl-vpn/ endpoint. CISA, in coordination with the FBI, urged rapid deployment of the patches and recommended that security teams review logs for the signatures provided in the joint advisory.

Organizations running PAN‑OS firewalls should treat this as a critical priority, applying the latest patches and implementing network‑level controls to limit exposure of the management interface. Continuous monitoring for the identified IOCs, coupled with a comprehensive incident‑response plan, will help mitigate the risk posed by this actively exploited zero‑day.

Source: Threatpost
