RC RANDOM CHAOS

CVE-2024-3400 shipped exploited before the advisory

Why the gap between CVE disclosure and production detection is structural - and where attackers operate inside it.


CISA’s Known Exploited Vulnerabilities catalog passed 1,200 entries this quarter. Mandiant’s M-Trends 2024 reported a median dwell time of 10 days for ransomware actors and an exploitation-to-disclosure delta that, in several 2023 and 2024 cases, ran negative, with weaponised use in the wild preceding the advisory. CVE-2024-3400, the PAN-OS GlobalProtect command injection scored CVSS 10.0, was exploited by UTA0218 weeks before Palo Alto Networks shipped a fix. CVE-2023-34362, the MOVEit Transfer SQL injection used by CL0P to hit 2,700+ organisations, had a functional exploit running in production environments while patch coordination was still in progress. The pattern is not new. The pattern is structural.

The disclosure lag has three measurable segments. Vendor advisory to NVD enrichment is the first. Time from CVE reservation to a populated CPE list, CVSS vector, and CWE classification regularly exceeds 30 days. NIST’s NVD backlog crossed 17,000 unenriched CVEs in 2024 after the analyst capacity collapse. Without CPE strings, asset inventory tools cannot match vulnerable software to deployed inventory. The CVE exists. The mapping does not. Detection engineering cannot fire on what the asset graph cannot identify.

The second segment is advisory to detection content. A CVE landing in MITRE’s database does not produce a Sigma rule, a YARA signature, or an EDR detection by itself. Detection content requires a researcher to read the advisory, identify the exploit primitive, and translate it into an observable. For CVE-2024-1709, the ConnectWise ScreenConnect authentication bypass scored CVSS 10.0, the exploitable primitive was a path traversal in SetupWizard.aspx accessible without authentication, allowing attacker-controlled admin account creation. The advisory described the bug class in three sentences. Public detection content covering the SetupWizard.aspx access pattern took 72 hours to surface in commercial feeds. Ransomware affiliates including Black Basta and Bl00dy were in environments within 48 hours of the advisory. The detection content arrived after the dwell time started.

The third segment is detection content to deployment in production SIEM and EDR. This is the segment most defenders measure and the segment that dominates root cause when intrusions get walked back. Detection content authored by a vendor or shared on a community feed enters a deployment pipeline. Content review. Test environment validation. False positive tuning. Change approval. Rollout. For organisations with mature pipelines this is a 5 to 10 day cycle. For organisations without one, content remains in a Confluence page or a Slack thread until an incident forces deployment. The exploitation window inside that segment is observable in M-Trends and Verizon DBIR data. It is also where attribution gets assigned to a tooling failure rather than the procedural failure underneath.

The CVE itself is not the artefact attackers consume. Threat actors consume technical write-ups, proof-of-concept code, and social media threads. The Log4Shell timeline showed this clearly. CVE-2021-44228 was published December 9, 2021. Within 12 hours, the JNDI injection primitive was documented across red team channels with payload variants tuned to bypass naive WAF regex. Mass scanning hit internet-wide within 24 hours. The advisory described the lookup substitution behaviour. The exploit was the payload string. The gap between the vendor-provided technical description and the operationally weaponised string is where the asymmetry sits. Attackers translate disclosures into payloads in hours. Defenders translate them into detections in days.

Detection engineering inherits this lag mechanically. A Sigma rule for CVE-2023-46805 and CVE-2024-21887, the Ivanti Connect Secure auth bypass and command injection chain, requires identification of the vulnerable endpoints - /api/v1/totp/user-backup-code and /api/v1/license/keys-status/ - and a regex for the command injection vector. Both endpoints are documented in the patched code diff. The diff was not published with the advisory. Researchers reverse-engineered the patched appliance image and posted the endpoint mapping in independent technical write-ups. That content drove the detection rules. The vendor advisory alone did not contain the indicators that fed the detections. The intelligence cycle ran outside the official disclosure channel because the official channel did not carry enough technical specificity to operationalise.

What this produces in telemetry is silence. An organisation running an EDR with default content, a SIEM with default Sigma packs, and a vulnerability scanner with NVD-driven CPE matching will see nothing fire during the first 72 to 240 hours of in-the-wild exploitation of a fresh CVE. The web shell drop after an Ivanti exploitation produces a sessionserver.pl or compcheckresult.cgi write on the appliance. The appliance does not ship logs to the SIEM by default. Lateral movement begins inside the network with credentials extracted from the appliance configuration. By the time T1078 valid account use surfaces in Entra ID or on-prem AD sign-in logs, the attacker has pivoted. The detection that would have caught initial access never fires. The detection that catches lateral movement fires after the foothold is established.

The MITRE ATT&CK mapping for this class of intrusion is T1190 exploit public-facing application as initial access, T1505.003 web shell for persistence, T1078 valid accounts after credential harvest, and T1021 remote services for lateral movement. ATT&CK identifies the technique. ATT&CK does not produce the detection. Detection requires the CVE-specific indicator - the URL path, the parameter name, the payload pattern - mapped to a log source the SIEM ingests. Without that mapping, T1190 detections are generic and fire on every benign scanner hit. The signal-to-noise collapse pushes the alert into a low-priority queue or a suppression rule. The high-fidelity detection requires CVE-specific content. The CVE-specific content requires the disclosure to carry exploitable detail. The disclosure withholds exploitable detail to slow attackers. Attackers reverse the patch in hours regardless. Defenders wait for community content.
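As an added example (not from the article or any vendor), the two detection shapes contrasted above run over a constructed access-log sample: a generic T1190 heuristic that fires on every opportunistic scanner probe, and a CVE-specific rule keyed only to the two Ivanti endpoint paths named earlier. The log lines, timestamps and source addresses are made up for the example, and the rule matches documented endpoint paths only, not the command-injection vector.

```python
import re
from collections import Counter

# Constructed access-log sample in Common Log Format. Hosts, times and paths are
# invented for this example; they are not indicators from any real intrusion.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Jan/2024:10:01:02 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120
198.51.100.7 - - [12/Jan/2024:10:01:05 +0000] "GET /wp-login.php HTTP/1.1" 404 210
198.51.100.7 - - [12/Jan/2024:10:01:06 +0000] "GET /.env HTTP/1.1" 404 210
198.51.100.7 - - [12/Jan/2024:10:01:08 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210
203.0.113.9 - - [12/Jan/2024:10:02:11 +0000] "GET /api/v1/totp/user-backup-code/ HTTP/1.1" 200 88
203.0.113.9 - - [12/Jan/2024:10:02:14 +0000] "POST /api/v1/license/keys-status/ HTTP/1.1" 200 64
"""

CLF = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')

# The two endpoint paths the article says public write-ups identified for the
# CVE-2023-46805 / CVE-2024-21887 chain.
IVANTI_ENDPOINTS = ("/api/v1/totp/user-backup-code", "/api/v1/license/keys-status/")

def parse_clf(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def generic_t1190(rec):
    """Generic 'exploit public-facing application' heuristic: any probe for a
    path the appliance does not serve. Fires on every scanner sweep."""
    return rec["status"] == 404

def ivanti_chain_endpoint(rec):
    """CVE-specific rule: request path begins with a documented vulnerable
    endpoint. Assumption for this example: legitimate clients in this
    environment never request either path."""
    path = rec["path"].split("?", 1)[0]
    return any(path.startswith(ep) for ep in IVANTI_ENDPOINTS)

def evaluate(log_text):
    """Return, per rule, a Counter of hits keyed by source address."""
    hits = {"generic_t1190": Counter(), "ivanti_endpoint": Counter()}
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        if generic_t1190(rec):
            hits["generic_t1190"][rec["src"]] += 1
        if ivanti_chain_endpoint(rec):
            hits["ivanti_endpoint"][rec["src"]] += 1
    return hits

if __name__ == "__main__":
    for rule, by_src in evaluate(SAMPLE_LOG).items():
        print(rule, dict(by_src))
```

The generic rule implicates only the scanner host and says nothing about the actual endpoint hits, which is the signal-to-noise collapse the paragraph describes; the endpoint rule fires twice, both on the second source.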

The patch boundary does not close the exposure. For CVE-2024-3400, organisations that patched within 48 hours but did not run the documented PAN-OS forensic procedure to identify pre-patch compromise still had threat actor presence in their environments weeks later. The patch closed the entry vector. The patch did not evict the persistence. Detection content that surfaced after the patch - focused on identifying compromise artefacts including the upstyle.py marker and outbound connections to known UTA0218 infrastructure - was the content that mattered for organisations already breached. The disclosure-to-detection lag continued running on the back end of the lifecycle, not the front.

Vulnerability intelligence as a function exists to compress these segments. The function requires three inputs the average organisation does not produce. First, internal asset inventory that maps to fuzzy software identifiers, not just CPE strings, because vendors miss CPE assignments and internal naming drifts from official product names. Second, a detection content pipeline that ingests from CISA KEV, vendor PSIRT feeds, and credible community sources, with automated validation against test infrastructure. Third, an exposure assessment process that runs in hours, not the next scheduled scan cycle. None of these are technology problems. All three are operational problems with vendor consequences when budgeted around quarterly cycles instead of CVE cadence.

The asymmetry is not closing. CVE publication volume crossed 28,000 in 2023 and is tracking past 35,000 in 2025. NVD enrichment capacity has not scaled. Vendor advisories vary in technical depth from full root cause to a single line stating affected versions. CISA KEV remains the highest-signal feed for exploitation prioritisation but enters CVEs after exploitation is confirmed in the wild, which by definition is after the initial wave. The first wave runs against organisations consuming the original advisory. The second wave runs against organisations that wait for KEV. The third wave is the unattributed compromise that surfaces months later in an incident response engagement.

The technical reality is that disclosure was designed for a coordination problem between vendor and researcher. It was not designed for an operational problem between disclosure and detection deployment. The protocol assumes the affected organisation has a research function that consumes advisories, an engineering function that builds detections, and a deployment function that ships them inside hours. Most organisations have none of the three at that tempo. The gap is structural, not technical. Closing it requires changing what the disclosure delivers, not changing what the CVE database stores. Until the disclosure carries the indicator content that detection engineering needs to ship, the lag is the design.
