Palo Alto Networks Firewall Vulnerability Allows Unauthenticated Code-Execution Attacks
ICARO Media Group
Highly skilled hackers have been exploiting a critical zero-day vulnerability in a firewall product from Palo Alto Networks, leading to multiple corporate networks being compromised. The vulnerability, tracked as CVE-2024-3400, has been assigned the maximum severity rating of 10.0 because of its potential impact.
The exploit, which has been actively used for at least two weeks, allows hackers to execute malicious code with root privileges. This grants them the highest level of system access, making it easier for them to infiltrate and control targeted networks. Firewalls, VPNs, and file-transfer appliances have become increasingly attractive targets for cybercriminals because they frequently contain vulnerabilities and sit at the edge of sensitive network segments.
The zero-day vulnerability affects PAN-OS 10.2, PAN-OS 11.0, and/or PAN-OS 11.1 firewalls when the GlobalProtect gateway and device telemetry are enabled. Despite the ongoing attacks and increasing risks, Palo Alto Networks has not issued a patch for the vulnerability. They are, however, urging affected customers to follow provided mitigation guidance and workarounds.
The security firm Volexity, which discovered the zero-day attacks, believes that the hackers responsible are likely to be highly capable and potentially backed by a nation-state due to the sophistication of their attacks and the targeted organizations. At present, only one threat group, tracked as UTA0218, has been observed leveraging this vulnerability in limited attacks.
Volexity predicts that as news of the vulnerability spreads, more threat groups will join in exploiting CVE-2024-3400. Similar to recent zero-day incidents involving products from other prominent companies, an increase in exploitation is expected over the coming days. Volexity emphasizes the urgency for organizations to quickly implement recommended mitigations and conduct thorough compromise reviews of their network devices.
The first instances of attacks believed to be carried out by UTA0218 were observed on March 26, when the group tested the exploitability of the vulnerability by placing zero-byte files on firewall devices. Over the following days, unsuccessful attempts were made to install a backdoor, until the hackers finally succeeded in deploying malicious payloads. The threat group has also introduced custom post-exploitation malware that has not been seen before.
The backdoor employed by the attackers, coded in Python, allows them to execute additional commands on compromised devices through specially crafted network requests.
Industry experts and security researchers are urging affected organizations to be proactive in responding to this critical vulnerability. Immediate enforcement of mitigation measures and thorough internal investigations are crucial to averting potentially devastating consequences.
Palo Alto Networks has yet to provide a timeline for when the patch will be released, heightening the need for organizations to take appropriate action promptly.