CVE-2024-3400

CVE-2024-3400 is a critical-severity vulnerability in Paloaltonetworks Pan-os with a CVSS 3.x base score of 10.0. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-04-12). The underlying weakness is classified as CWE-77.

Key facts

Description

A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.

CVE-2024-3400: Palo Alto Networks PAN-OS GlobalProtect Unauthenticated Command Injection

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2024-3400
CVSS v3.1 10.0 Critical
CVSS Vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS 0.99999 (100th percentile)
CWE CWE-77 — Command Injection
KEV Yes (CISA KEV, 2024-04-12)
Published 2024-04-12
Vendor Palo Alto Networks
Product PAN-OS — GlobalProtect feature

Summary

A command-injection vulnerability exists in the GlobalProtect feature of Palo Alto Networks PAN-OS. An unauthenticated attacker can exploit this flaw to execute arbitrary commands with root privileges on the firewall. The vulnerability has been actively exploited in the wild since its disclosure and is associated with ransomware campaigns.

Background

PAN-OS is the operating system that powers Palo Alto Networks' next-generation firewalls. The GlobalProtect feature provides VPN and remote-access capabilities, exposing a network-facing portal and gateway interface. Because GlobalProtect must handle external requests from potentially untrusted endpoints, it represents a significant attack surface. CVE-2024-3400 resides in the way PAN-OS processes certain GlobalProtect network requests, specifically when the device is configured with both the GlobalProtect gateway and GlobalProtect portal features enabled.

Root Cause

The vulnerability is classified as CWE-77: Improper Neutralization of Special Elements used in a Command ("Command Injection"). The root cause stems from insufficient input validation when handling network requests in the GlobalProtect component. Specifically, an attacker can manipulate requests to trigger arbitrary file creation on the filesystem. This file creation capability is then leveraged to inject and execute operating-system commands as the root user. The combination of arbitrary file write with command injection effectively converts a file-creation primitive into unauthenticated remote code execution.

Impact

The CVSS 3.1 score of 10.0 (Critical) reflects the maximum severity:

  • Attack Vector (AV:N) — Exploitable over the network; no local access required.
  • Attack Complexity (AC:L) — Low complexity; no special conditions beyond a reachable GlobalProtect interface.
  • Privileges Required (PR:N) — No authentication needed.
  • User Interaction (UI:N) — None required.
  • Scope (S:C) — Changed; a compromised firewall can impact resources beyond its own security boundary.
  • Confidentiality (C:H), Integrity (I:H), Availability (A:H) — Complete compromise of the device.

Because firewalls are security control points, full root compromise can lead to traffic interception, lateral movement, and persistence within the protected network.

Exploitation Walkthrough

Ethics Notice: The following description is provided for defensive awareness only. Do not attempt unauthorized exploitation. Testing should be performed only on systems you own or have explicit written permission to assess.

The exploitation chain conceptually proceeds as follows:

  1. Reconnaissance — Identify an exposed PAN-OS GlobalProtect gateway or portal on TCP/443.
  2. Arbitrary File Creation — Send a crafted network request that causes PAN-OS to write attacker-controlled content to a predictable filesystem location. This primitive arises from improper handling of request parameters within the GlobalProtect service.
  3. Command Injection — Leverage the created file to influence subsequent command execution. Because PAN-OS processes certain file paths or contents within shell commands or system calls without adequate sanitization, the attacker achieves command injection.
  4. Root Execution — The injected commands execute with root privileges, granting full administrative control over the firewall.

Palo Alto Networks' Unit 42 and Volexity have both confirmed active exploitation in the wild, with adversaries achieving persistent access and deploying tooling for post-exploitation activity.

Affected and Patched Versions

Affected (based on CPE data from NVD):

  • PAN-OS 10.2 (multiple builds including 10.2.0 through 10.2.9 and associated hotfixes)
  • PAN-OS 11.0 (multiple builds including 11.0.0 through 11.0.4 and associated hotfixes)
  • PAN-OS 11.1 (multiple builds including 11.1.0 through 11.1.2 and associated hotfixes)

Not Affected:

  • Cloud NGFW
  • Panorama appliances
  • Prisma Access

Patched Versions:
Palo Alto Networks released security patches and hotfixes for affected PAN-OS versions. Administrators should consult the official Palo Alto Networks security advisory for the exact patched build numbers and upgrade paths.

Remediation

  1. Upgrade Immediately — Apply the latest patched PAN-OS version provided by Palo Alto Networks for your release train. Given the Critical CVSS score, active exploitation, and ransomware association, this should be treated as an emergency change.
  2. Compensating Controls — Until patching is complete:
    • Restrict GlobalProtect portal and gateway exposure to trusted IP ranges via perimeter access controls or geoblocking.
    • Ensure the GlobalProtect gateway and portal are not both enabled on the same device if not required (the vulnerability requires both features to be active).
    • Monitor firewall logs for anomalous GlobalProtect connection attempts and unexpected filesystem or process activity.
  3. Verify Patch — After upgrading, confirm the running PAN-OS version matches a patched build and re-enable any temporarily restricted access only after validation.

Detection

  • Network: Monitor for unusual connection patterns to GlobalProtect interfaces, especially from unexpected geolocations or anonymization services.
  • Endpoint/Host: On the firewall itself, audit for unexpected files in web-accessible or temp directories, unauthorized cron jobs, or new processes spawning from the GlobalProtect service context.
  • Logs: Correlate GlobalProtect access logs with authentication events; anomalous pre-authentication behavior may indicate exploitation attempts.
  • Threat Intelligence: Leverage IOCs published by Unit 42 and CISA to hunt for known post-exploitation artifacts.

Assessment

With an EPSS of 0.99999 (100th percentile) and confirmed inclusion in the CISA KEV catalog since 2024-04-12, CVE-2024-3400 represents one of the highest-probability threats in the disclosed vulnerability landscape. The combination of unauthenticated network access, trivial attack complexity, and root-level impact makes this a textbook "patch now" vulnerability. The confirmed association with ransomware operations underscores that exploitation is not theoretical—it is occurring at scale. Security teams should prioritize this above routine patching workflows and consider emergency response procedures if affected devices are Internet-facing.

Key Lessons:

  • Network-facing security appliances require the same rigorous input-validation standards as any other application; a vulnerability in a firewall OS can invert the entire security model of a network.
  • The "Scope: Changed" CVSS metric is particularly relevant here: compromising the firewall grants the attacker a privileged position from which to inspect or modify traffic for all downstream assets.

References

Frequently asked questions

What is CVE-2024-3400?
A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.
How severe is CVE-2024-3400?
CVE-2024-3400 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2024-3400 being actively exploited?
Yes. CVE-2024-3400 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-04-12, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2024-3400?
CVE-2024-3400 primarily affects Paloaltonetworks Pan-os. In total, 52 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2024-3400?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2024-3400 have an EU (EUVD) identifier?
Yes. CVE-2024-3400 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-31989. It is also flagged as exploited in the EUVD (since 2024-04-12).
When was CVE-2024-3400 published?
CVE-2024-3400 was published on 2024-04-12 and last updated on 2026-06-17.

References

Affected products (52)

More vulnerabilities in Paloaltonetworks Pan-os

All CVEs affecting Paloaltonetworks Pan-os →

Other CWE-77 (Command Injection) vulnerabilities

Browse all CWE-77 (Command Injection) vulnerabilities →