Eagle Eye Security Blog
Published at Apr 20, 2024 07:50 am last update at Apr 20, 2024 07:50 am

Ongoing Cyber Attacks Threaten 22,500 Palo Alto Firewalls

Approximately 22,500 Internet-exposed Palo Alto Networks firewalls running GlobalProtect remain potentially vulnerable to CVE-2024-3400. This critical (CVSS 10.0) command injection vulnerability has been actively exploited in the wild since at least March 26, 2024.

CVE-2024-3400 affects the GlobalProtect feature of Palo Alto Networks PAN-OS 10.2, 11.0 and 11.1 firewalls configured as a GlobalProtect gateway or portal. It lets an unauthenticated attacker create an arbitrary file on the device, and that file creation in turn triggers command injection, so the attacker's commands run with root privileges.

Palo Alto Networks disclosed the vulnerability on April 12, 2024, with a security advisory urging administrators to apply the listed mitigations immediately until hotfixes became available. The advisory was later revised: disabling device telemetry does not protect a device, and the only dependable fix is to install the patched PAN-OS releases (initially 10.2.9-h1, 11.0.4-h1 and 11.1.2-h3, with hotfixes for further maintenance releases following). Customers with a Threat Prevention subscription can additionally block known exploit attempts with the vendor's signatures (Threat ID 95187), but that is a stopgap, not a substitute for patching.

A threat actor that Volexity tracks as UTA0218 and assesses to be state-backed exploited the flaw to plant a custom backdoor named 'Upstyle' on compromised firewalls. Since proof-of-concept exploit code became public, numerous other actors have launched their own attacks, leaving administrators no margin for delaying patching.

Despite the urgency, the Shadowserver Foundation threat monitoring service reports that roughly 22,500 instances were still "possibly vulnerable" as of April 18, 2024. Most of these devices are located in the United States (9,620), followed by Japan (960), India (890), Germany (790), the UK (780), Canada (620), Australia (580) and France (500).

Administrators who have not yet acted should follow the steps in the Palo Alto security advisory, which has been updated several times since its publication with new information and instructions for hunting for signs of compromise.
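Because the exploit chain starts with a crafted session value that is written to disk as a file path, the advisory's hunting guidance is to grep the GlobalProtect service log (gpsvc.log) for "failed to unmarshal session(" entries whose session value contains a path separator. The following script is an added example written for this article, not code from Palo Alto Networks or from the advisory: it runs that check over a few constructed log lines. The timestamp and prefix layout of the sample lines is an assumption; only the quoted error message text is taken from the advisory.

```python
import re

# Hunting indicator for CVE-2024-3400 in gpsvc.log: the message
# "failed to unmarshal session(<value>)" where <value> contains "/".
# A legitimate session ID is an opaque token with no path separators; a "/"
# (typically "../" traversal) means a crafted SESSID cookie was supplied,
# which is the arbitrary-file-creation step that precedes the command injection.
# The error message itself also appears for benign malformed cookies, so the
# separator, not the message, is what distinguishes an exploitation attempt.
UNMARSHAL_RE = re.compile(r"failed to unmarshal session\((?P<sid>.+?)\)")

# Constructed sample log lines (not real device output); the line layout is assumed.
SAMPLE_GPSVC_LOG = """\
2024-04-13 02:11:07.123 +0000 gpsvc: failed to unmarshal session(1b4a9e0f2c3d4e5f6a7b8c9d0e1f2a3b)
2024-04-13 02:11:09.457 +0000 gpsvc: failed to unmarshal session(../../../../../../tmp/probe)
2024-04-13 02:11:10.002 +0000 gpsvc: portal request handled in 3ms
"""


def is_suspicious_session(sid: str) -> bool:
    """True if a session value contains a path separator, which is never legitimate."""
    return "/" in sid


def hunt_gpsvc(lines):
    """Return (line_number, session_value) for every unmarshal error carrying a path."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = UNMARSHAL_RE.search(line)
        if m and is_suspicious_session(m.group("sid")):
            hits.append((lineno, m.group("sid")))
    return hits


if __name__ == "__main__":
    for lineno, sid in hunt_gpsvc(SAMPLE_GPSVC_LOG.splitlines()):
        print(f"line {lineno}: suspicious session value {sid!r}")
```

On a real device the same check is the advisory's PAN-OS CLI command `grep pattern "failed to unmarshal session(.\+.\/" mp-log gpsvc.log*`; the script is useful when logs have already been exported to a SIEM or collected during incident response. A hit is evidence of an attempt, not proof of success, so a positive result should be followed by a forensic review of the device rather than a patch alone.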