
Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)

ID: 9c315cb0-68c0-5e92-8e0c-f9c996a91d0b

STIX ID: report--9c315cb0-68c0-5e92-8e0c-f9c996a91d0b

Feed Name: Volexity Blog

Threat Score
95/100

Date Published: 2024-04-12

Date Updated: 2026-05-01

...
...

Volexity discovered in-the-wild exploitation of a zero-day, unauthenticated remote code execution vulnerability in Palo Alto Networks GlobalProtect (CVE-2024-3400) by a threat actor it tracks as UTA0218. After exploitation, the actor created reverse shells, deployed a Python backdoor Volexity calls UPSTYLE, established cron-based persistence, and rapidly moved laterally to exfiltrate firewall configurations, Active Directory data (NTDS.DIT), DPAPI keys, and browser-stored credentials. The report provides a technical analysis of the backdoor and post-exploitation scripts, infrastructure details, indicators of compromise, and detection and response recommendations.
