CVE-2024-3400 Actively Exploited Palo Alto Vulnerability
On Friday, April 12, Palo Alto disclosed that some versions of PAN-OS are not only vulnerable to remote code execution, but that the vulnerability has been actively exploited to install backdoors on Palo Alto firewalls. A patch is expected to be available on April 14th. The advisory from Palo Alto is here. The CISA advisory is here. Palo Alto has marked this vulnerability as critical, and NVD has scored it a 10.0 with CVSSv3.
Wallarm currently detects attacks against this vulnerability with no additional configuration required. Wallarm will block these attacks as long as the filtering nodes are configured in blocking mode. Wallarm users who have protected their Palo Alto devices with Wallarm nodes can search for these attacks either by filtering for the CVE ID using the “CVEs and Exploits” filter or by filtering for their vulnerable Palo Alto devices and the attack type “RCE.”
Customers can also search their Palo Alto logs for requests to /api with an XML body containing