
Palo Alto Networks has shared remediation guidance for a recently disclosed critical security flaw impacting PAN-OS that has come under active exploitation.

The vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), could be weaponized to obtain unauthenticated remote shell command execution on susceptible devices. It has been addressed in multiple versions of PAN-OS 10.2.x, 11.0.x, and 11.1.x.

There is evidence to suggest that the issue has been exploited as a zero-day since at least March 26, 2024, by a threat cluster tracked as UTA0218.

The activity, codenamed Operation MidnightEclipse, entails the use of the flaw to drop a Python-based backdoor called UPSTYLE that's capable of executing commands transmitted via specially crafted requests.


The intrusions have not been linked to a known threat actor or group, but the cluster is suspected to be a state-backed hacking crew given the tradecraft and the victimology observed.

The latest remediation advice offered by Palo Alto Networks is based on the extent of compromise:

  • Level 0 Probe: Unsuccessful exploitation attempt - Update to the latest provided hotfix
  • Level 1 Test: Evidence of the vulnerability being tested on the device, including the creation of an empty file on the firewall but no execution of unauthorized commands - Update to the latest provided hotfix
  • Level 2 Potential Exfiltration: Signs that files like "running_config.xml" have been copied to a location that is accessible via web requests - Update to the latest provided hotfix and perform a Private Data Reset
  • Level 3 Interactive access: Evidence of interactive command execution, such as the introduction of backdoors and other malicious code - Update to the latest provided hotfix and perform a Factory Reset

"Performing a private data reset eliminates risks of potential misuse of device data," Palo Alto Networks said. "A factory reset is recommended due to evidence of more invasive threat actor activity."


Palo Alto Networks, on April 29, 2024, updated its advisory for CVE-2024-3400 to note that it's "aware of proof-of-concept by third parties of post-exploit persistence techniques that survive resets and upgrades."

"These techniques work on a device that is already compromised with interactive root level command execution," it added. "Fixes and Threat Prevention signatures completely prevent remote command execution and hence stop any subsequent post-exploitation or persistence techniques."
