Palo Alto Networks has released hotfixes for a critical PAN-OS vulnerability that is being actively exploited in the wild. Tracked as CVE-2024-3400 and rated CVSS 10.0, the flaw is a command injection in the GlobalProtect feature that lets an unauthenticated attacker execute arbitrary code with root privileges on the firewall. Fixes are available now in PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1 and PAN-OS 11.1.2-h3, with hotfixes for other maintenance releases expected soon.
The vulnerability affects PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1 firewalls that are configured with a GlobalProtect gateway or portal and have device telemetry enabled. Cloud NGFW firewalls are not affected, but customer-managed firewalls running those PAN-OS versions in cloud environments are vulnerable if the same feature configuration applies. The activity, attributed to a threat cluster tracked as UTA0218, has exploited CVE-2024-3400 since at least March 26, 2024 to deploy a Python-based backdoor named UPSTYLE on compromised firewalls.
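The two paragraphs above give everything needed to triage a fleet of firewalls: the affected release trains, the hotfix that closes each one, and the feature conditions under which an unpatched device is exposed. The script below is an added example written for this page, not Palo Alto Networks code. It parses the PAN-OS version format (MAJOR.MINOR.MAINT, optionally followed by -hN for a hotfix) and classifies a device against the versions and conditions stated above. The function and parameter names are hypothetical, and the code assumes, as labelled in the comment, that any later build in an affected train carries the fix; it does not attempt to parse the rarer custom build suffixes and raises on anything it does not recognise.

```python
"""Triage a PAN-OS firewall against the CVE-2024-3400 conditions quoted above.

Added example for this article; not vendor code. Version strings follow the
PAN-OS format MAJOR.MINOR.MAINT[-hN], e.g. "11.1.2-h3".
"""
import re
from typing import Tuple

# Fixed hotfix per affected release train, exactly as listed in the text above.
# Assumption (labelled): any later build in the same train also contains the fix.
FIXED_BY_TRAIN = {
    (10, 2): (10, 2, 9, 1),   # PAN-OS 10.2.9-h1
    (11, 0): (11, 0, 4, 1),   # PAN-OS 11.0.4-h1
    (11, 1): (11, 1, 2, 3),   # PAN-OS 11.1.2-h3
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Turn 'MAJOR.MINOR.MAINT[-hN]' into a tuple that compares correctly.

    A base release without a hotfix suffix gets hotfix number 0, so that
    10.2.9 sorts below 10.2.9-h1 but 10.2.10 sorts above both.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = match.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def triage(version: str, globalprotect_enabled: bool,
           telemetry_enabled: bool, cloud_ngfw: bool = False) -> str:
    """Classify one device. Hypothetical helper; verdict strings are this example's own.

    Returns one of:
      not_affected_cloud_ngfw  Cloud NGFW, stated above as unaffected
      not_affected_train       a release train outside 10.2 / 11.0 / 11.1
      patched                  at or above the hotfix for its train
      vulnerable               unpatched, with GlobalProtect and telemetry both on
      patch_required           unpatched, but the stated feature conditions not both met
    """
    if cloud_ngfw:
        return "not_affected_cloud_ngfw"
    parsed = parse_panos_version(version)
    train = parsed[:2]
    if train not in FIXED_BY_TRAIN:
        return "not_affected_train"
    if parsed >= FIXED_BY_TRAIN[train]:
        return "patched"
    # Unpatched build in an affected train. The text above ties exploitation to a
    # GlobalProtect gateway/portal plus device telemetry; a device missing either
    # still needs the hotfix, so it is never reported as safe.
    if globalprotect_enabled and telemetry_enabled:
        return "vulnerable"
    return "patch_required"


if __name__ == "__main__":
    # Constructed inventory, not real devices.
    inventory = [
        ("fw-edge-01", "11.1.2-h2", True, True, False),
        ("fw-edge-02", "11.1.2-h3", True, True, False),
        ("fw-dc-01", "10.2.9", True, False, False),
        ("fw-lab-01", "10.1.11", True, True, False),
        ("cloud-ngfw-1", "11.0.4", True, True, True),
    ]
    for name, ver, gp, telem, cloud in inventory:
        print(f"{name:<13} {ver:<10} {triage(ver, gp, telem, cloud)}")
```

Any device that comes back as `vulnerable` or `patch_required` needs the hotfix for its train; the distinction only orders the work, since the feature conditions describe how the flaw was being exploited, not a guarantee that an unpatched device is safe.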
Palo Alto Networks Unit 42 tracks the exploitation activity as Operation MidnightEclipse. It is not yet clear how widely the flaw has been exploited, or how much of the observed activity was reconnaissance against exposed devices rather than full compromise. So far there is no evidence of follow-on malware or additional persistence mechanisms on victim networks beyond the backdoor; whether that reflects early detection or a deliberate choice by the attackers is unknown. Administrators should apply the hotfixes as soon as they are available for their release and stay alert for signs of exploitation on devices that were exposed before patching.