Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Siemens Industrial Product Impacted by Exploited Palo Alto Firewall Vulnerability

Palo Alto Networks firewall vulnerability CVE-2024-3400, exploited as a zero-day, impacts a Siemens industrial product.

Siemens cybersecurity

The recently disclosed Palo Alto Networks firewall vulnerability tracked as CVE-2024-3400, which has been exploited in attacks for at least one month, has been found to impact one of Siemens’ industrial products.

In an advisory published late last week, Siemens revealed that its Ruggedcom APE1808 devices configured with a Palo Alto Networks virtual next-generation firewall (NGFW) could be affected by CVE-2024-3400.

Siemens is preparing updates for the affected product and in the meantime has provided workarounds and mitigations. 

The Ruggedcom APE1808 industrial application hosting platform enables organizations to deploy commercially available applications for edge computing and cybersecurity in harsh industrial environments. 

CVE-2024-3400 is known to have been exploited in the wild — including as a zero-day before Palo Alto Networks released any patches or mitigations — but Siemens does not mention anything about attacks specifically targeting its product.

Siemens’ APE1808 integrates security solutions from several vendors, including Palo Alto Networks, Fortinet and Nozomi Networks, and the industrial giant recently started publishing advisories to inform customers about vulnerabilities in these security solutions.

The Shadowserver Foundation has been tracking the number of Palo Alto Networks firewalls vulnerable to attacks exploiting CVE-2024-3400 and its most recent count showed roughly 6,000 internet-exposed devices

Exploitation of the vulnerability, which allows an unauthenticated attacker to execute arbitrary commands with elevated privileges on the compromised firewall, surged last week after proof-of-concept (PoC) code was made public.

Advertisement. Scroll to continue reading.

The group that was first spotted exploiting the zero-day is believed to be a state-sponsored threat actor, but it’s unclear which country they are associated with. One company suggested a link to North Korea’s Lazarus, but this claim has yet to be corroborated. 

Cybersecurity firm Volexity is aware of attacks launched as early as March 26, with the attackers using hacked firewalls to move into internal networks and exfiltrate data. In some cases, the attackers also deployed a backdoor

Related: CrushFTP Patches Exploited Zero-Day Vulnerability

Related: Recent Fortinet FortiClient EMS Vulnerability Exploited in Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Check Point Software has appointed Nadav Zafrir as Chief Executive Officer.

BlackFog has named Brenda Robb as President, John Sarantakes as CRO, and Mark Griffith as VP of Strategic Sales.

Former NSA cybersecurity chief Rob Joyce has joined Sandfly Security's Advisory Board.

More People On The Move

Expert Insights