Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2024-3094 XZ Backdoor: Embedded Malicious Code in xz-utils

Severity: 10.0 CRITICAL (NVD)
EPSS: 85.0% (top 0.65%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Mar 29, latest update Apr 24

Description

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 6.0

Affected Packages (11 packages)

Alpine: tukaani/xz < 5.6.1-r2 (+3)
Alpine: lighttpd/lighttpd < 1.4.76-r0 (+3)
NVD: tukaani/xz 5.6.0, 5.6.1 (+1)
Palo Alto: paloalto/pan-os

🔴 Vulnerability Details (4)

OSV: CVE-2024-3094: Malicious code was discovered in the upstream tarballs of xz, starting with version 5 (2024-03-29)
GHSA: GHSA-rxwq-x6h5-x525: Malicious code was discovered in the upstream tarballs of xz, starting with version 5 (2024-03-29)
CVEList: Xz: malicious code in distributed source (2024-03-29)

💥 Exploits & PoCs (1)

Nuclei: XZ - Embedded Malicious Code

📋 Vendor Advisories (3)

Palo Alto: Informational: Impact of Malicious Code in XZ Tools and Libraries (CVE-2024-3094) (2024-04-01)
Red Hat: xz: malicious code in distributed source (2024-03-29)
Debian: CVE-2024-3094: xz-utils - Malicious code was discovered in the upstream tarballs of xz, starting with vers... (2024)

🕵️ Threat Intelligence (12)

Securelist: Exploits and vulnerabilities in Q1 2024 (2024-05-07)
Sentinelone: XZ Backdoor (CVE-2024-3094) VS SentinelOne: Detection and Mitigation (2024-04-15)
Sentinelone: XZ Utils Backdoor | Threat Actor Planned to Inject Further Vulnerabilities (2024-04-10)
Wiz: CROC Talks - XZ Utils backdoor explained | Wiz (2024-04-10)

📄 Research Papers (2)

arXiv: Wolves in the Repository: A Software Engineering Analysis of the XZ Utils Supply Chain Attack (2025-04-24)