    Palo Alto Networks Issues Critical Fixes for Exploited PAN-OS Vulnerability

    Palo Alto Networks has released urgent hotfixes for a high-severity security flaw in PAN-OS software that has been actively exploited in the wild.

    Identified as CVE-2024-3400 (CVSS score: 10.0), this critical vulnerability involves command injection within the GlobalProtect feature, enabling an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.

    The fixes for this vulnerability are available in the following versions:

    • PAN-OS 10.2.9-h1
    • PAN-OS 11.0.4-h1
    • PAN-OS 11.1.2-h3

    Additional patches for commonly deployed maintenance releases are slated for release over the coming days.

    “The vulnerability impacts PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls with GlobalProtect gateway or GlobalProtect portal configurations (or both) and enabled device telemetry,” clarified the company in its updated advisory.

    Cloud NGFW firewalls are not affected by CVE-2024-3400, but certain PAN-OS versions and distinct feature configurations of firewall VMs deployed and managed by customers in the cloud are susceptible.
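A triage of firewall builds and configuration against the conditions quoted above, as an added example that is not code from Palo Alto Networks or from the original article. The inventory records, hostnames and field names are constructed, and the comparison assumes that a later maintenance release on a branch carries the fix.

```python
import re

# Fixed builds listed in the article: branch -> (maintenance, hotfix).
LISTED_FIXES = {(10, 2): (9, 1), (11, 0): (4, 1), (11, 1): (2, 3)}
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?")


def parse_version(text):
    """Split 'MAJOR.MINOR.MAINT[-hN]' into (branch, build) tuples."""
    m = _VERSION.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint = int(m[1]), int(m[2]), int(m[3])
    return (major, minor), (maint, int(m[4] or 0))


def triage(version, globalprotect, telemetry):
    """Classify one firewall against the conditions quoted in the article."""
    try:
        branch, build = parse_version(version)
    except ValueError:
        return "check-manually"      # never report an unknown build as safe
    if branch not in LISTED_FIXES:
        return "branch-not-listed"   # article names 10.2, 11.0 and 11.1 only
    # Assumption: a later maintenance release on a branch carries the fix.
    if build >= LISTED_FIXES[branch]:
        return "at-or-above-listed-fix"
    if globalprotect and telemetry:
        return "exposed"             # unfixed build plus the affected config
    # More hotfixes were announced, so this build still needs an update.
    return "below-listed-fix"


# Constructed inventory; hostnames and field names are hypothetical.
INVENTORY = [
    {"host": "fw-edge-01", "version": "10.2.9", "globalprotect": True, "telemetry": True},
    {"host": "fw-edge-02", "version": "10.2.9-h1", "globalprotect": True, "telemetry": True},
    {"host": "fw-dc-01", "version": "11.1.2-h1", "globalprotect": False, "telemetry": True},
    {"host": "fw-lab-01", "version": "11.0.5", "globalprotect": True, "telemetry": True},
    {"host": "fw-old-01", "version": "10.1.11-h5", "globalprotect": True, "telemetry": True},
    {"host": "fw-vm-01", "version": "11.1.x", "globalprotect": True, "telemetry": True},
]


def triage_inventory(inventory):
    """Map each hostname to its triage status."""
    return {fw["host"]: triage(fw["version"], fw["globalprotect"], fw["telemetry"])
            for fw in inventory}


if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY).items():
        print(f"{host:12} {status}")
```

Because the article says further hotfixes for other maintenance releases were still to come, a "below-listed-fix" or "exposed" result should be checked against the vendor advisory before choosing an upgrade target.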

    The threat actor behind the exploitation remains unidentified at present, although Palo Alto Networks Unit 42 is actively monitoring the malicious activity, which it tracks as Operation MidnightEclipse.

    Volexity, which attributes the exploitation to a cluster named UTA0218, revealed that CVE-2024-3400 has been exploited since at least March 26, 2024, to deploy a Python-based backdoor named UPSTYLE on affected firewalls. The backdoor allows the execution of arbitrary commands through specially crafted requests.

    The extent of exploitation remains unclear, but the threat intelligence firm noted evidence of potential reconnaissance activity indicating broader exploitation aimed at identifying vulnerable systems.

    In documented attacks, UTA0218 has been observed deploying additional payloads to establish reverse shells, exfiltrate PAN-OS configuration data, delete log files, and deploy the Golang tunneling tool GOST (GO Simple Tunnel).

    No further malware or persistence mechanisms have been observed on victim networks thus far, though it remains uncertain whether this is intentional or a result of early detection and response measures.
