CVE-2024-3400
📋 TL;DR
CVE-2024-3400 is a critical command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS that allows unauthenticated attackers to execute arbitrary code with root privileges. It affects specific PAN-OS versions with particular feature configurations. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted.
💻 Affected Systems
- Palo Alto Networks PAN-OS
📦 What is this software?
PAN-OS by Palo Alto Networks
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of firewall with root access, enabling lateral movement, data exfiltration, and persistent backdoor installation.
Likely Case
Remote code execution leading to firewall compromise, credential theft, and network pivoting.
If Mitigated
Limited impact if proper network segmentation and access controls prevent exploitation attempts.
🎯 Exploit Status
Actively exploited in the wild as a zero-day. Multiple threat actors have weaponized this vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PAN-OS 10.2.9-h1, 11.0.4-h1, 11.1.2-h3, and later versions
Vendor Advisory: https://security.paloaltonetworks.com/CVE-2024-3400
Restart Required: Yes
Instructions:
1. Download the appropriate hotfix from the Palo Alto Networks support portal.
2. Upload it to the firewall.
3. Install the hotfix.
4. Reboot the firewall.
5. Verify the patch installation.
🔧 Temporary Workarounds
Disable Device Telemetry
Temporarily disable device telemetry to prevent exploitation until patching can be completed.
set deviceconfig setting telemetry disabled
🧯 If You Can't Patch
- Immediately disable device telemetry on affected firewalls.
- Implement strict network access controls to limit exposure to GlobalProtect gateways.
🔍 How to Verify
Check if Vulnerable:
Check the PAN-OS version and whether the GlobalProtect gateway and device telemetry are both enabled.
Check Version:
show system info
Verify Fix Applied:
Confirm that the PAN-OS version is at or above the recommended hotfix version for its branch, and check the device telemetry status.
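As an added example (not code from the advisory or from Palo Alto Networks), the version check above as a small Python helper: it pulls the sw-version line out of show system info output, compares the hotfix suffix against the fixed releases listed under Official Fix, and reports branches the summary does not list as not covered rather than guessing. The "key: value" line layout of show system info and the sample output are assumptions.

```python
import re
from typing import Optional, Tuple

# Fixed releases named in the Official Fix section: the first hotfix on each
# listed maintenance branch that carries the fix. Branches not listed here are
# reported as "not covered" rather than guessed at.
FIXED_VERSIONS = {
    (10, 2): "10.2.9-h1",
    (11, 0): "11.0.4-h1",
    (11, 1): "11.1.2-h3",
}

# PAN-OS versions look like major.minor.maint with an optional -hN hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '11.1.2-h3' into (11, 1, 2, 3); a base release without a hotfix
    suffix compares as hotfix 0, so '10.2.9' sorts below '10.2.9-h1'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_patched(version: str) -> Optional[bool]:
    """True if the version is at or above its branch's fixed release, False if
    it is below it, None if the branch is not one of those listed above."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return None
    return parsed >= parse_version(fixed)


def version_from_system_info(output: str) -> Optional[str]:
    """Extract the sw-version field from 'show system info' output (assumes
    the 'key: value' line layout of that command)."""
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "sw-version":
            return value.strip()
    return None


# Constructed sample of the relevant part of 'show system info' output.
SAMPLE_SYSTEM_INFO = "hostname: fw-edge-01\nsw-version: 11.0.4\nmodel: PA-VM\n"
```

A None result means the branch is outside the table on this page and must be checked against the vendor advisory directly, not treated as safe.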
📡 Detection & Monitoring
Log Indicators:
- Unusual file creation in /var directory
- Suspicious command execution logs
- Anomalous GlobalProtect authentication patterns
Network Indicators:
- Unexpected outbound connections from firewall
- Suspicious HTTP requests to GlobalProtect endpoints
SIEM Query:
source="pan_logs" AND ((event_type="file" AND file_path="/var/*") OR (event_type="command" AND command="*sh*"))
🔗 References
- https://security.paloaltonetworks.com/CVE-2024-3400
- https://unit42.paloaltonetworks.com/cve-2024-3400/
- https://www.paloaltonetworks.com/blog/2024/04/more-on-the-pan-os-cve/
- https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-3400