CVE-2024-3400
CVE-2024-3400 is a critical-severity vulnerability in Paloaltonetworks Pan-os with a CVSS 3.x base score of 10.0. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-04-12). The underlying weakness is classified as CWE-77.
Key facts
- Severity: Critical (CVSS 3.x base score 10.0)
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2024-04-12)
- EU (EUVD) id: EUVD-2024-31989
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2024-04-12)
- Weakness: CWE-77
- Affected product: Paloaltonetworks Pan-os
- Published:
- Last modified:
Description
A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.
CVE-2024-3400: Palo Alto Networks PAN-OS GlobalProtect Unauthenticated Command Injection
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2024-3400 |
| CVSS v3.1 | 10.0 Critical |
| CVSS Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| EPSS | 0.99999 (100th percentile) |
| CWE | CWE-77 — Command Injection |
| KEV | Yes (CISA KEV, 2024-04-12) |
| Published | 2024-04-12 |
| Vendor | Palo Alto Networks |
| Product | PAN-OS — GlobalProtect feature |
Summary
A command-injection vulnerability exists in the GlobalProtect feature of Palo Alto Networks PAN-OS. An unauthenticated attacker can exploit this flaw to execute arbitrary commands with root privileges on the firewall. The vulnerability has been actively exploited in the wild since its disclosure and is associated with ransomware campaigns.
Background
PAN-OS is the operating system that powers Palo Alto Networks' next-generation firewalls. The GlobalProtect feature provides VPN and remote-access capabilities, exposing a network-facing portal and gateway interface. Because GlobalProtect must handle external requests from potentially untrusted endpoints, it represents a significant attack surface. CVE-2024-3400 resides in the way PAN-OS processes certain GlobalProtect network requests, specifically when the device is configured with both the GlobalProtect gateway and GlobalProtect portal features enabled.
Root Cause
The vulnerability is classified as CWE-77: Improper Neutralization of Special Elements used in a Command ("Command Injection"). The root cause stems from insufficient input validation when handling network requests in the GlobalProtect component. Specifically, an attacker can manipulate requests to trigger arbitrary file creation on the filesystem. This file creation capability is then leveraged to inject and execute operating-system commands as the root user. The combination of arbitrary file write with command injection effectively converts a file-creation primitive into unauthenticated remote code execution.
Impact
The CVSS 3.1 score of 10.0 (Critical) reflects the maximum severity:
- Attack Vector (AV:N) — Exploitable over the network; no local access required.
- Attack Complexity (AC:L) — Low complexity; no special conditions beyond a reachable GlobalProtect interface.
- Privileges Required (PR:N) — No authentication needed.
- User Interaction (UI:N) — None required.
- Scope (S:C) — Changed; a compromised firewall can impact resources beyond its own security boundary.
- Confidentiality (C:H), Integrity (I:H), Availability (A:H) — Complete compromise of the device.
Because firewalls are security control points, full root compromise can lead to traffic interception, lateral movement, and persistence within the protected network.
Exploitation Walkthrough
Ethics Notice: The following description is provided for defensive awareness only. Do not attempt unauthorized exploitation. Testing should be performed only on systems you own or have explicit written permission to assess.
The exploitation chain conceptually proceeds as follows:
- Reconnaissance — Identify an exposed PAN-OS GlobalProtect gateway or portal on TCP/443.
- Arbitrary File Creation — Send a crafted network request that causes PAN-OS to write attacker-controlled content to a predictable filesystem location. This primitive arises from improper handling of request parameters within the GlobalProtect service.
- Command Injection — Leverage the created file to influence subsequent command execution. Because PAN-OS processes certain file paths or contents within shell commands or system calls without adequate sanitization, the attacker achieves command injection.
- Root Execution — The injected commands execute with root privileges, granting full administrative control over the firewall.
Palo Alto Networks' Unit 42 and Volexity have both confirmed active exploitation in the wild, with adversaries achieving persistent access and deploying tooling for post-exploitation activity.
Affected and Patched Versions
Affected (based on CPE data from NVD):
- PAN-OS 10.2 (multiple builds including 10.2.0 through 10.2.9 and associated hotfixes)
- PAN-OS 11.0 (multiple builds including 11.0.0 through 11.0.4 and associated hotfixes)
- PAN-OS 11.1 (multiple builds including 11.1.0 through 11.1.2 and associated hotfixes)
Not Affected:
- Cloud NGFW
- Panorama appliances
- Prisma Access
Patched Versions:
Palo Alto Networks released security patches and hotfixes for affected PAN-OS versions. Administrators should consult the official Palo Alto Networks security advisory for the exact patched build numbers and upgrade paths.
Remediation
- Upgrade Immediately — Apply the latest patched PAN-OS version provided by Palo Alto Networks for your release train. Given the Critical CVSS score, active exploitation, and ransomware association, this should be treated as an emergency change.
- Compensating Controls — Until patching is complete:
- Restrict GlobalProtect portal and gateway exposure to trusted IP ranges via perimeter access controls or geoblocking.
- Ensure the GlobalProtect gateway and portal are not both enabled on the same device if not required (the vulnerability requires both features to be active).
- Monitor firewall logs for anomalous GlobalProtect connection attempts and unexpected filesystem or process activity.
- Verify Patch — After upgrading, confirm the running PAN-OS version matches a patched build and re-enable any temporarily restricted access only after validation.
Detection
- Network: Monitor for unusual connection patterns to GlobalProtect interfaces, especially from unexpected geolocations or anonymization services.
- Endpoint/Host: On the firewall itself, audit for unexpected files in web-accessible or temp directories, unauthorized cron jobs, or new processes spawning from the GlobalProtect service context.
- Logs: Correlate GlobalProtect access logs with authentication events; anomalous pre-authentication behavior may indicate exploitation attempts.
- Threat Intelligence: Leverage IOCs published by Unit 42 and CISA to hunt for known post-exploitation artifacts.
Assessment
With an EPSS of 0.99999 (100th percentile) and confirmed inclusion in the CISA KEV catalog since 2024-04-12, CVE-2024-3400 represents one of the highest-probability threats in the disclosed vulnerability landscape. The combination of unauthenticated network access, trivial attack complexity, and root-level impact makes this a textbook "patch now" vulnerability. The confirmed association with ransomware operations underscores that exploitation is not theoretical—it is occurring at scale. Security teams should prioritize this above routine patching workflows and consider emergency response procedures if affected devices are Internet-facing.
Key Lessons:
- Network-facing security appliances require the same rigorous input-validation standards as any other application; a vulnerability in a firewall OS can invert the entire security model of a network.
- The "Scope: Changed" CVSS metric is particularly relevant here: compromising the firewall grants the attacker a privileged position from which to inspect or modify traffic for all downstream assets.
References
- https://security.paloaltonetworks.com/CVE-2024-3400
- https://unit42.paloaltonetworks.com/cve-2024-3400/
- https://www.paloaltonetworks.com/blog/2024/04/more-on-the-pan-os-cve/
- https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-3400
Frequently asked questions
- What is CVE-2024-3400?
- A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.
- How severe is CVE-2024-3400?
- CVE-2024-3400 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2024-3400 being actively exploited?
- Yes. CVE-2024-3400 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-04-12, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2024-3400?
- CVE-2024-3400 primarily affects Paloaltonetworks Pan-os. In total, 52 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2024-3400?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2024-3400 have an EU (EUVD) identifier?
- Yes. CVE-2024-3400 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-31989. It is also flagged as exploited in the EUVD (since 2024-04-12).
- When was CVE-2024-3400 published?
- CVE-2024-3400 was published on 2024-04-12 and last updated on 2026-06-17.
References
- https://security.paloaltonetworks.com/CVE-2024-3400
- https://unit42.paloaltonetworks.com/cve-2024-3400/
- https://www.paloaltonetworks.com/blog/2024/04/more-on-the-pan-os-cve/
- https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-3400
Affected products (52)
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:-:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h1:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h2:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:-:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:h1:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:-:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h1:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h2:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h4:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:-:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h11:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h12:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h2:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h4:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h9:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:-:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h10:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h2:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h3:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h4:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:-:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h1:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h4:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:-:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:h1:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:-:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h1:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h3:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h6:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:-:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:-:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:-:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:h1:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:h2:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:-:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h2:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h3:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:-:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h1:*:*:*:*:*:*
- cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h2:*:*:*:*:*:*
More vulnerabilities in Paloaltonetworks Pan-os
- CVE-2020-2021 — Critical (CVSS 10.0): When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider…
- CVE-2019-17440 — Critical (CVSS 10.0): Improper restriction of communications to Log Forwarding Card (LFC) on PA-7000 Series devices with second-generation…
- CVE-2012-6603 — Critical (CVSS 10.0): The web management UI in Palo Alto Networks PAN-OS before 3.1.12, 4.0.x before 4.0.10, and 4.1.x before 4.1.4 allows…
- CVE-2012-6601 — Critical (CVSS 10.0): The device-management command-line interface in Palo Alto Networks PAN-OS before 3.1.12, 4.0.x before 4.0.10, and 4.1.x…
- CVE-2012-6593 — Critical (CVSS 10.0): Palo Alto Networks PAN-OS before 3.1.10 and 4.0.x before 4.0.4 allows remote attackers to execute arbitrary commands…
- CVE-2012-6592 — Critical (CVSS 10.0): Palo Alto Networks PAN-OS before 3.1.10 and 4.0.x before 4.0.5 allows remote attackers to execute arbitrary commands…
All CVEs affecting Paloaltonetworks Pan-os →
Other CWE-77 (Command Injection) vulnerabilities
- CVE-2026-23652 — Critical (CVSS 10.0): Improper neutralization of special elements used in a command ('command injection') in Microsoft Power Pages allows an…
- CVE-2025-59818 — Critical (CVSS 10.0): This vulnerability allows authenticated attackers to execute arbitrary commands on the underlying system using the file…
- CVE-2025-64093 — Critical (CVSS 10.0): Remote Code Execution vulnerability that allows unauthenticated attackers to inject arbitrary commands into the…
- CVE-2025-64090 — Critical (CVSS 10.0): This vulnerability allows authenticated attackers to execute commands via the hostname of the device.
- CVE-2025-61492 — Critical (CVSS 10.0): A command injection vulnerability in the execute_command function of terminal-controller-mcp 0.1.7 allows attackers to…
- CVE-2025-10035 — Critical (CVSS 10.0): A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged…