Other
Volexity / Palo Alto Networks PSIRT / CISA / Tenable
Primary Source
Incident Details
CVSS 10.0. Threat actor UTA0218 exploited a zero-day in the PAN-OS GlobalProtect feature that allows unauthenticated OS command execution as root. Affected versions are PAN-OS 10.2, 11.0 and 11.1 with GlobalProtect enabled. Exploitation was observed from at least March 26 2024. Volexity discovered it via anomalous exfiltration at a customer site and alerted Palo Alto on April 10. The attacker deployed the UPSTYLE Python backdoor. Patches were released April 14, and the CVE was added to CISA KEV the same day. Thousands of devices were exposed.
Technical Details
- Initial Attack Vector: CWE-77: Command Injection via arbitrary file creation in GlobalProtect feature
- Vendor / Product: Palo Alto Networks PAN-OS GlobalProtect
- Malware Family: UPSTYLE Python backdoor
- CVE / GHSA References: CVE-2024-3400
Timeline
- 2024-03-26 Breach occurred
- 2024-04-12 Publicly disclosed
- 2024-04-12 Customers notified