Operation MidnightEclipse: Hackers Actively Exploiting Palo Alto Networks Zero-Day Flaw


Palo Alto Networks PAN-OS software has a critical command injection vulnerability that allows an unauthorized attacker to run arbitrary code on the firewall with root privileges.

The vulnerability is tracked as CVE-2024-3400 and has a CVSS score of 10.0. The name Operation MidnightEclipse has been coined for its exploitation.

In an alert last Friday, Palo Alto Networks confirmed targeted attacks using this vulnerability, attributing the known exploitation to a threat actor and noting the possibility of further exploitation by threat actors.

This issue affects only PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls that are configured with device telemetry enabled and with either the GlobalProtect gateway or GlobalProtect portal (or both).

Prisma Access, Panorama appliances, and cloud firewalls (Cloud NGFW) are unaffected by this flaw.

How Did Attackers Exploit the Flaw?

Using the vulnerability, the attackers set up a cron job that retrieves commands hosted on an external server ...


Copyright of this story solely belongs to gbhackers.