title: Palo Alto PAN-OS GlobalProtect Command Injection (Operation MidnightEclipse) (CVE-2024-3400)
id: df00tech-cve-2024-3400
status: experimental
description: "CVE-2024-3400 is a maximum-severity (CVSS 10.0) command injection vulnerability in Palo Alto Networks PAN-OS, specifically in the GlobalProtect feature. The flaw allows unauthenticated remote attackers to execute arbitrary code with root privileges on the firewall by exploiting improper input validation in the GlobalProtect service, which lets an attacker create arbitrary files that are then executed. Affected versions include PAN-OS 10.2.x (through 10.2.7), 11.0.x, and 11.1.x, when a GlobalProtect gateway or portal is enabled. Cloud NGFW, Panorama, and Prisma Access are not affected. The vulnerability was exploited as a zero-day by the threat actor UTA0218 in Operation MidnightEclipse to deploy the UPSTYLE backdoor. CISA added it to the KEV catalog, with active in-the-wild exploitation confirmed. Because Palo Alto firewalls are widely deployed by SMBs and enterprises as perimeter security, this is a critical priority."
references:
  - https://attack.mitre.org/techniques/CVE-2024-3400/
  - https://df00tech.com/detections/CVE-2024-3400
author: df00tech
date: 2026/04/22
tags:
  - attack.cve-2024-3400
  - cve.2024-3400
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate PAN-OS system management operations logged with 'SYSTEM' or 'root' context"
  - Authorized GlobalProtect SSL VPN monitoring creating network connections
  - High volume of failed GlobalProtect logins from legitimate users with expired tokens
level: critical
