The recently disclosed Palo Alto Networks firewall vulnerability tracked as CVE-2024-3400, which has been exploited in attacks for at least one month, has been found to impact one of Siemens’ industrial products.
In an advisory published late last week, Siemens revealed that its Ruggedcom APE1808 devices configured with a Palo Alto Networks virtual next-generation firewall (NGFW) could be affected by CVE-2024-3400.
Siemens is preparing updates for the affected product and in the meantime has provided workarounds and mitigations.
The Ruggedcom APE1808 industrial application hosting platform enables organizations to deploy commercially available applications for edge computing and cybersecurity in harsh industrial environments.
CVE-2024-3400 is known to have been exploited in the wild — including as a zero-day before Palo Alto Networks released any patches or mitigations — but Siemens does not mention anything about attacks specifically targeting its product.
Siemens’ APE1808 integrates security solutions from several vendors, including Palo Alto Networks, Fortinet and Nozomi Networks, and the industrial giant recently started publishing advisories to inform customers about vulnerabilities in these security solutions.
The Shadowserver Foundation has been tracking the number of Palo Alto Networks firewalls vulnerable to attacks exploiting CVE-2024-3400 and its most recent count showed roughly 6,000 internet-exposed devices.
Exploitation of the vulnerability, which allows an unauthenticated attacker to execute arbitrary commands with elevated privileges on the compromised firewall, surged last week after proof-of-concept (PoC) code was made public.
The group that was first spotted exploiting the zero-day is believed to be a state-sponsored threat actor, but it’s unclear which country they are associated with. One company suggested a link to North Korea’s Lazarus, but this claim has yet to be corroborated.
Cybersecurity firm Volexity is aware of attacks launched as early as March 26, with the attackers using hacked firewalls to move into internal networks and exfiltrate data. In some cases, the attackers also deployed a backdoor.
Related: CrushFTP Patches Exploited Zero-Day Vulnerability
Related: Recent Fortinet FortiClient EMS Vulnerability Exploited in Attacks