Palo Alto Networks Outlines Remediation for Critical PAN-OS Flaw Under Attack

Apr 26, 2024NewsroomNetwork Security / Zero Day

Palo Alto Networks

Palo Alto Networks has shared remediation guidance for a recently disclosed critical security flaw impacting PAN-OS that has come under active exploitation.

The vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), could be weaponized to obtain unauthenticated remote shell command execution on susceptible devices. It has been addressed in multiple versions of PAN-OS 10.2.x, 11.0.x, and 11.1.x.

There is evidence to suggest that the issue has been exploited as a zero-day since at least March 26, 2024, by a threat cluster tracked as UTA0218.

The activity, codenamed Operation MidnightEclipse, entails the use of the flaw to drop a Python-based backdoor called UPSTYLE that’s capable of executing commands transmitted via specially crafted requests.


The intrusions have not been linked to a known threat actor or group, but it’s suspected to be a state-backed hacking crew given the tradecraft and the victimology observed.

The latest remediation advice offered by Palo Alto Networks is based on the extent of compromise –

  • Level 0 Probe: Unsuccessful exploitation attempt – Update to the latest provided hotfix
  • Level 1 Test: Evidence of vulnerability being tested on the device, including the creation of an empty file on the firewall but no execution of unauthorized commands – Update to the latest provided hotfix
  • Level 2 Potential Exfiltration: Signs where files like “running_config.xml” are copied to a location that is accessible via web requests – Update to the latest provided hotfix and perform a Private Data Reset
  • Level 3 Interactive access: Evidence of interactive command execution, such as the introduction of backdoors and other malicious code – Update to the latest provided hotfix and perform a Factory Reset

“Performing a private data reset eliminates risks of potential misuse of device data,” Palo Alto Networks said. “A factory reset is recommended due to evidence of more invasive threat actor activity.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.