Operation MidnightEclipse Exploits Critical PAN-OS Zero-Day Flaw
April 13, 2024
A zero-day vulnerability in Palo Alto Networks PAN-OS software, exploited since March 26, 2024, has been uncovered by cybersecurity experts.
The flaw, identified as CVE-2024-3400, allows attackers to execute code with root access on the affected firewall through a malicious cron job.
Operation MidnightEclipse, the threat actor behind the exploit, employed a Python-based backdoor and manipulated legitimate files for stealth.
Targets include domain backup keys, Active Directory credentials, and user workstations, with advice given to monitor for lateral movement.
The U.S. CISA has mandated federal agencies to patch the vulnerability by April 19, following its addition to the Known Exploited Vulnerabilities catalog.
Palo Alto Networks is slated to release a security fix by April 14 to address the vulnerability.
The sophistication of the attack suggests the involvement of a state-sponsored actor, referred to as UTA0218.
Summary based on 1 source
Source
The Hacker News • Apr 13, 2024
Hackers Deploy Python Backdoor in Palo Alto Zero-Day Attack