Palo Alto Networks Inc. today disclosed a vulnerability in its Pan-OS firewall operating system that is being actively targeted by hackers.

The exploit, which is tracked as CVE-2024-3400, has received the highest possible score in the CVSS threat severity evaluation system. It’s believed tens of thousands of firewalls could be affected worldwide.

Nasdaq-listed Palo Alto Networks is a major cybersecurity provider with more than 85,000 customers worldwide. It sells a line of firewalls that enterprises use to detect and block malicious traffic in their networks. CVE-2024-3400 was discovered by cybersecurity company Volexity in Pan-OS, the operating system that powers those firewalls.

The vulnerability affects a virtual private network, or VPN, tool called GlobalProtect that ships with Pan-OS. The tool allows workers to log into their company’s business applications via encrypted connections. CVE-2024-3400 can be used by hackers to bypass GlobalProtect’s cybersecurity mechanisms and run malicious commands on Pan-OS.

The exploit is caused by “improper neutralization of special elements used in a command,” Palo Alto Networks detailed. One way hackers can compromise an operating system is by entering input that contains malicious code. Programs typically have mechanisms that filter such as input, but in the case of Pan-OS and GlobalProtect, malicious commands sent by hackers can get through.

CVE-2024-3400 affects three relatively recent versions of Pan-OS that were released after 2022. According o Palo Alto Networks, hackers can only exploit the vulnerability if a Pan-OS firewall has a feature called Device Telemetry enabled. The feature collects technical data about firewall deployments that customers can use to detect technical issues, plan upgrades and spot malicious activity.

CVE-2024-3400 received the maximum 10.0 score in CVSS, a system used to rank the severity of software vulnerabilities. One reason the flaw represents such a major risk is that it’s easy for hackers to exploit. Launching a cyberattack using CVE-2024-3400 requires a limited amount of effort, can be done in an automated manner with scripts and doesn’t require gaining login credentials to the targeted firewall.

Another factor that contributed to the high severity score is the potential impact on customers. Because a company’s firewall is a central pillar of its cybersecurity operations, compromising the system can make it significantly easier for hackers to steal data.

Palo Alto Networks stated in an advisory that it’s “aware of a limited number of attacks that leverage the exploitation of this vulnerability.” BleepingComputer, citing cybersecurity researcher Yutaka Sejiyama, reported that there are currently 82,000 vulnerable firewalls worldwide. About 40% of those systems are located in the U.S.

Palo Alto Networks expects to release a patch for the affected Pan-OS versions by Sunday. In the meantime, it’s possible to neutralize CVE-2024-3400 by disabling the operating system’s Device Telemetry feature. Customers may also use a Palo Alto Networks threat intelligence service called Threat Prevention to mitigate the vulnerability until the patches become available.

CVE-2024-3400 has caught the attention of the U.S. Cybersecurity and Infrastructure Security Agency. In a memo released today, CISA officials instructed federal agencies to patch any affected Pan-OS firewalls they may be using by April 19.

Photo: Palo Alto Networks