Palo Alto PAN-OS GlobalProtect Command Injection (Operation MidnightEclipse)
CVE-2024-3400 is a maximum-severity (CVSS 10.0) command injection vulnerability in Palo Alto Networks PAN-OS, specifically in the GlobalProtect feature. The flaw allows unauthenticated remote attackers to execute arbitrary code with root privileges on the firewall: improper input validation in the GlobalProtect service lets an attacker create arbitrary files, which are subsequently executed. Affected versions include PAN-OS 10.2.x (through 10.2.7), 11.0.x, and 11.1.x with a GlobalProtect gateway or portal enabled. Cloud NGFW, Panorama, and Prisma Access are not affected. The vulnerability was exploited as a zero-day by the threat actor UTA0218 in Operation MidnightEclipse to deploy the UPSTYLE backdoor. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog after confirming active in-the-wild exploitation. Because Palo Alto firewalls are widely deployed by SMBs and enterprises as perimeter security devices, remediation is a critical priority.
// CVE-2024-3400 — Palo Alto PAN-OS GlobalProtect Command Injection
// Detect exploitation attempts via firewall/SIEM integration logs
// Key signals: unexpected file creation on PAN-OS, anomalous GlobalProtect traffic patterns,
// post-exploitation activity from Palo Alto device IPs
let PaloAltoGlobalProtectSuspiciousRequests =
    CommonSecurityLog
    | where TimeGenerated > ago(24h)
    | where DeviceVendor has_any ("Palo Alto", "PAN", "Palo Alto Networks")
    | where DeviceProduct has_any ("GlobalProtect", "PAN-OS", "NGFW")
    // Terms seen in the PAN-OS system/management context during exploitation
    | where Message has_any (
            "SYSTEM", "root", "/tmp", "/var/appweb", "shell",
            "wget", "curl", "cmd", ";id", "base64"
        )
        or AdditionalExtensions has_any ("SYSTEM", "root", "/tmp", "shell")
    | extend ThreatIndicator = "CVE-2024-3400-PAN-OS-Suspicious";
let PostExploitNetworkActivity =
    AzureNetworkAnalytics_CL
    | where TimeGenerated > ago(24h)
    | where L4Protocol_s == "TCP"
    | where DestPort_d in (4444, 8888, 1337, 9999, 31337) // Common reverse shell ports
    | extend ThreatIndicator = "CVE-2024-3400-Post-Exploit-C2";
let GlobalProtectLoginAnomalies =
    SigninLogs
    | where TimeGenerated > ago(24h)
    | where AppDisplayName has_any ("GlobalProtect", "Palo Alto")
    | where ResultType != "0" // Failed logins (ResultType is a string column in SigninLogs)
    | summarize FailedAttempts=count(), SourceIPs=make_set(IPAddress)
        by UserPrincipalName, bin(TimeGenerated, 1h)
    | where FailedAttempts > 20
    | extend ThreatIndicator = "CVE-2024-3400-GlobalProtect-BruteForce";
// Union all three detection branches into one result set
PaloAltoGlobalProtectSuspiciousRequests
| union PostExploitNetworkActivity, GlobalProtectLoginAnomalies
| sort by TimeGenerated desc
Data Sources
Required Tables
- CommonSecurityLog
- AzureNetworkAnalytics_CL
- SigninLogs
False Positives
- Legitimate PAN-OS system management operations logged with 'SYSTEM' or 'root' context
- Authorized GlobalProtect SSL VPN monitoring creating network connections
- High volume of failed GlobalProtect logins from legitimate users with expired tokens
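The CommonSecurityLog branch of the query above, re-implemented in Python over a few constructed CEF lines so the term matching (and the false-positive cases listed above) can be checked offline. This is an added example, not part of the detection package or of any Palo Alto tooling; the CEF-to-CommonSecurityLog column mapping it uses (msg= to Message, remaining pairs to AdditionalExtensions) and its approximation of KQL `has_any` are assumptions, and the sample events are constructed.

```python
import re
# Term lists copied from the query's has_any() clauses.
VENDOR_TERMS = ("Palo Alto", "PAN", "Palo Alto Networks")
PRODUCT_TERMS = ("GlobalProtect", "PAN-OS", "NGFW")
MESSAGE_TERMS = ("SYSTEM", "root", "/tmp", "/var/appweb", "shell",
                 "wget", "curl", "cmd", ";id", "base64")
EXTENSION_TERMS = ("SYSTEM", "root", "/tmp", "shell")
INDICATOR = "CVE-2024-3400-PAN-OS-Suspicious"

def has_any(text, terms):
    """Approximates KQL has_any: case-insensitive whole-term match for
    alphanumeric terms, case-insensitive substring match for the rest."""
    for term in terms:
        if re.fullmatch(r"[A-Za-z0-9 ]+", term):
            if re.search(r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])",
                         text, re.IGNORECASE):
                return True
        elif term.lower() in text.lower():
            return True
    return False

def parse_cef(line):
    """Map one CEF line onto the CommonSecurityLog columns the query reads
    (assumed mapping: msg= -> Message, other pairs -> AdditionalExtensions)."""
    header = line.split("|", 7)
    assert len(header) == 8 and header[0].startswith("CEF:"), "not a CEF line"
    ext = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", header[7]))
    return {"DeviceVendor": header[1], "DeviceProduct": header[2],
            "Message": ext.pop("msg", ""),
            "AdditionalExtensions": ";".join(f"{k}={v}" for k, v in ext.items())}

def suspicious_requests(lines):
    """Return (line index, ThreatIndicator) for each event the query would keep."""
    hits = []
    for i, row in enumerate(map(parse_cef, lines)):
        if not (has_any(row["DeviceVendor"], VENDOR_TERMS)
                and has_any(row["DeviceProduct"], PRODUCT_TERMS)):
            continue  # not a Palo Alto / GlobalProtect event
        if (has_any(row["Message"], MESSAGE_TERMS)
                or has_any(row["AdditionalExtensions"], EXTENSION_TERMS)):
            hits.append((i, INDICATOR))
    return hits
# Constructed sample events (not real PAN-OS output).
SAMPLE_LOGS = [
    "CEF:0|Palo Alto Networks|PAN-OS|10.2.5|GLOBALPROTECT|gateway-auth|3|msg=GlobalProtect gateway login succeeded suser=alice",
    "CEF:0|Palo Alto Networks|PAN-OS|10.2.5|SYSTEM|general|5|msg=unexpected file created under /tmp on the appliance",
    "CEF:0|Cisco|ASA|9.1|106023|Deny|3|msg=root login denied src=192.0.2.10",
    "CEF:0|Palo Alto Networks|PAN-OS|10.2.5|SYSTEM|general|5|msg=process exited cs1=shell cs1Label=parent",
]
```

Only the second and fourth sample events are flagged: the first is a normal GlobalProtect login, and the third carries the term "root" but comes from a non-Palo Alto vendor, which is exactly the kind of filtering that keeps the management-context false positives above in check.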
References
- https://nvd.nist.gov/vuln/detail/CVE-2024-3400
- https://security.paloaltonetworks.com/CVE-2024-3400
- https://unit42.paloaltonetworks.com/cve-2024-3400/
- https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://attack.mitre.org/techniques/T1190/