CVE-2024-3094 · Critical · CISA KEV

Critical XZ Utils Backdoor: Pre-Auth RCE in Internet-Facing Systems

Threat Engine Auto-Feed · data current as of 2026-06-28

A critical backdoor (CVE-2024-3094) in XZ Utils versions 5.6.0 and 5.6.1 allows unauthenticated remote code execution. This vulnerability is actively exploited in the wild, has a CVSS score of 10.0, and an EPSS percentile of 93, indicating high exploitation probability. Organizations using affected versions are at severe risk.

  • CVSS: 10.0
  • EPSS percentile: 0.93
  • Exploitation pressure: 91/100 (Critical)

Exploitation reality: listed in CISA KEV (exploited in the wild) · EPSS 93rd percentile · public PoC available. Threat × Vulnerability from public signals — impact depends on your environment.

Weakness — embedded malicious code (backdoor)

This vulnerability is due to embedded malicious code, specifically a backdoor, introduced into the software's source code. This malicious code was intentionally planted by a contributor and allows an attacker to execute arbitrary code remotely without authentication.

Who's at risk

Exposure: network / internet-reachable · Auth: pre-auth (no credentials needed) · no user interaction required

Enterprise profiles most at risk

  • Organizations running Linux distributions that include affected XZ Utils/liblzma versions (5.6.0, 5.6.1)
  • Enterprises with internet-facing systems exposing SSH services whose sshd is linked to systemd (and thereby to liblzma)
  • Technology and Financial Services sectors due to documented adversary targeting

Misconfigurations that escalate it

  • Using affected XZ Utils versions (5.6.0 or 5.6.1) in production environments
  • Exposing SSH services directly to the internet without proper access controls or segmentation
  • Lack of supply chain integrity checks for open-source dependencies

High-impact scenarios

  • Complete system compromise via unauthenticated remote code execution on internet-facing servers
  • Data exfiltration and lateral movement across compromised networks
  • Disruption of critical services and potential for ransomware deployment

Likely adversaries

  • APT29 (Cozy Bear) — Technology (Assessed)
  • Scattered Spider — Technology (Assessed)
  • FIN7 — Financial services (Assessed)
  • LockBit affiliates — Financial services (Assessed)
  • APT38 (Lazarus) — Financial services (Assessed)

What to do (defensive)

Detect

  • Identify all systems running XZ Utils/liblzma versions 5.6.0 or 5.6.1
  • Monitor for unusual SSH login attempts or activity on affected systems
  • Scan for indicators of compromise (IOCs) related to CVE-2024-3094
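An added example, not part of this feed entry: a POSIX shell inventory check for the first Detect step. It assumes `xz` and `ldd` are on PATH and that the OpenSSH daemon lives at `/usr/sbin/sshd` (an assumed path; pass another as the first argument).

```shell
#!/bin/sh
# Added example (not from the advisory): local inventory check for CVE-2024-3094.
# Flags hosts whose XZ Utils is one of the backdoored releases (5.6.0, 5.6.1) and
# reports whether sshd is dynamically linked against liblzma, the load path the
# backdoor relied on (sshd -> libsystemd -> liblzma on affected distributions).

# Return 0 when the version string is a known-backdoored XZ Utils release.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the version number out of `xz --version` output,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1" (only the first line is considered).
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/.*[[:space:]]\([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if the binary (default /usr/sbin/sshd, an assumed path) links liblzma;
# return 2 when the check cannot be performed (no ldd, binary missing).
sshd_links_liblzma() {
    bin="${1:-/usr/sbin/sshd}"
    command -v ldd >/dev/null 2>&1 || return 2
    [ -x "$bin" ] || return 2
    ldd "$bin" 2>/dev/null | grep -q 'liblzma'
}

# Combine both checks into one line of output for the host this runs on.
check_host() {
    if command -v xz >/dev/null 2>&1; then
        ver=$(parse_xz_version "$(xz --version 2>/dev/null)")
    else
        ver="not-installed"
    fi
    if xz_version_affected "$ver"; then verdict="AFFECTED"; else verdict="not-affected"; fi
    if sshd_links_liblzma "$1"; then link="yes"; else link="no/unknown"; fi
    printf 'xz=%s %s sshd-links-liblzma=%s\n' "$ver" "$verdict" "$link"
}

check_host "$@"
```

A distribution that shipped a cleaned build under an unchanged version string would still be flagged, so treat a hit as a prompt to confirm against the vendor advisory rather than as proof of compromise.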

Contain

  • Isolate affected systems from the network immediately
  • Block all external access to SSH services on potentially compromised hosts
  • Review and revoke SSH keys and credentials that may have been exposed

Patch

  • Downgrade XZ Utils/liblzma to a safe version (e.g., 5.4.x) or update to a patched version provided by your distribution vendor
  • Rebuild systems from trusted sources if a full compromise is suspected
  • Implement robust supply chain security practices to prevent similar incidents

Frontier verdict — Critical

This is a critical, actively exploited pre-authentication remote code execution vulnerability requiring immediate patching and thorough investigation due to its severe impact and high exploitation pressure.

For detection-engineering and awareness only · point-in-time · not security advice · sourced from NVD, FIRST EPSS, CISA KEV. Adversary mappings are assessments unless cited.