Zero-Day Flaw in Palo Alto Networks PAN-OS Software Exploited by Hackers
By: Austin Ukpebor - April 13, 2024 at 18:09:07pm
A critical security vulnerability has been discovered in Palo Alto Networks’ PAN-OS software, and malicious actors are actively exploiting it. This flaw, which is tracked as CVE-2024-3400, poses a significant risk to organizations that use affected versions of the firewall system.
This zero-day vulnerability allows unauthorized individuals to execute arbitrary code with elevated privileges on the firewall. Attackers can manipulate the system through a common injection technique, granting them root access.
The cybersecurity research team at Palo Alto Networks, known as Unit 42, has closely monitored the situation. They’ve dubbed this campaign “Operation MidnightEclipse.” Their investigation points to a single threat actor responsible for wreaking havoc by exploiting CVE-2024-3400. This actor, identified by Volexity as ‘UTA0218’, demonstrates a high level of proficiency and a strategic approach to achieving their goals.
Affected Appliances
The vulnerability impacts specific configurations of Palo Alto Networks’ PAN-OS software:
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1

These versions are affected only when both GlobalProtect gateway and device telemetry are enabled.
Once attackers gain control of the system, they manipulate the access control list for the C2 server (command and control server). Palo Alto Networks and Volexity jointly warn that the exploitation of CVE-2024-3400 will likely escalate in the coming days. The imminent release of patches may prompt various threat actors, including UTA0218, to intensify their attacks.
Recommendations
Organizations using affected PAN-OS versions should take immediate action:
- Monitor their systems for signs of compromise.
- Apply the forthcoming patches as soon as they become available.
- Consider implementing additional security measures to mitigate risks.