Keypoints
- CVE-2024-3400 is a CVSS 10.0 unauthenticated command-injection vulnerability in PAN-OS that is exploitable when a GlobalProtect gateway or portal is configured, allowing arbitrary code execution as root on the firewall.
- Palo Alto Networks confirmed exploitation in the wild in a limited number of attacks and assigned the highest urgency to the issue.
- Affected PAN-OS versions include 11.1 (before 11.1.2-h3), 11.0 (before 11.0.4-h1), and 10.2 (before 10.2.7-h8, 10.2.8-h3 and 10.2.9-h1); the vendor advisory lists additional affected builds and ETAs for further fixes.
- Patches for some versions were released on April 14, 2024; the vendor continues to update the advisory and release fixes for more versions.
- If unable to patch immediately, Palo Alto Networks recommends enabling Threat Prevention signature Threat ID 95187 and confirming that the vulnerability protection profile carrying it is applied to the GlobalProtect interfaces; disabling device telemetry is NOT an effective mitigation.
- Rapid7 (InsightVM/Nexpose) released authenticated checks to detect vulnerable PAN-OS versions and updated those checks as the vendor expanded the affected-version list.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The vulnerability permits unauthenticated remote exploitation of PAN-OS GlobalProtect components to gain code execution: [‘an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.’]
- [T1059] Command and Scripting Interpreter – The flaw is described as a command-injection vulnerability capable of executing arbitrary commands on the device: [‘Critical Command Injection Vulnerability in Palo Alto Networks Firewalls’]
- [T1068] Exploitation for Privilege Escalation – Successful exploitation results in execution with root privileges on the firewall: [‘execute arbitrary code with root privileges on the firewall.’]
Indicators of Compromise
- [Software versions] Affected PAN-OS builds – PAN-OS 11.1 (before 11.1.2-h3), PAN-OS 11.0 (before 11.0.4-h1), PAN-OS 10.2 (before 10.2.7-h8, 10.2.8-h3, 10.2.9-h1)
- [Detection signature] Vendor Threat ID for blocking/exposure – Threat ID 95187 (Applications and Threats content version 8833-8682)
- [IoC references] External IoC lists referenced – Unit42 blog (contains IoCs), Volexity blog (contains IoCs); article itself does not list specific IPs/hashes/domains but points to those reports for details.
CVE-2024-3400 is a command-injection vulnerability in the GlobalProtect feature of PAN-OS that allows unauthenticated remote attackers to execute arbitrary code with root privileges on affected firewalls. The vendor initially stated that both device telemetry and a GlobalProtect gateway or portal had to be enabled for a firewall to be exposed; the advisory was later updated to confirm that device telemetry is not required, so any firewall running a vulnerable build with a GlobalProtect gateway or portal configured should be treated as exposed. Cloud NGFW and Prisma Access are not affected, nor are the PAN-OS 10.1, 10.0, 9.1 and 9.0 release trains.
Affected versions include PAN-OS 11.1 (before 11.1.2-h3), 11.0 (before 11.0.4-h1), and 10.2 (before 10.2.7-h8, 10.2.8-h3 and 10.2.9-h1); the vendor advisory lists additional affected builds and ETAs for their fixes. Patches for some versions were published on April 14, 2024; apply the vendor-provided fixes immediately. If you cannot patch right away, enable Threat Prevention signature Threat ID 95187 (available from Applications and Threats content version 8833-8682) and ensure the vulnerability protection profile that carries it is applied to the GlobalProtect interface, so exploitation attempts are blocked until the upgrade. The signature is a stopgap against known exploitation traffic, not a replacement for the fix.
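The version and content checks above are easy to get wrong by hand because PAN-OS builds carry a hotfix suffix (10.2.8-h2 is below 10.2.8-h3, but 10.2.9 with no suffix is still below 10.2.9-h1). The following is an added example, written for this page and not code from Palo Alto Networks or Rapid7, that encodes only the fixed builds and unaffected trains this page states and classifies a build against them. Anything in an affected train that the page does not enumerate is reported as "check_advisory" rather than guessed. The `show system info` parsing assumes the `sw-version:` and `app-version:` field names; the sample output is constructed, not captured from a device.

```python
import re

# Fixed builds as enumerated on this page (a subset of the vendor advisory).
# {(major, minor): {patch: first hotfix number that contains the fix}}
FIXED_BUILDS = {
    (11, 1): {2: 3},              # 11.1.2-h3
    (11, 0): {4: 1},              # 11.0.4-h1
    (10, 2): {7: 8, 8: 3, 9: 1},  # 10.2.7-h8, 10.2.8-h3, 10.2.9-h1
}
# Release trains the page states are not affected.
NOT_AFFECTED_TRAINS = {(10, 1), (10, 0), (9, 1), (9, 0)}
# Applications and Threats content version that introduced Threat ID 95187.
MIN_CONTENT_VERSION = (8833, 8682)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")
_CONTENT_RE = re.compile(r"^(\d+)-(\d+)$")


def parse_panos_version(text):
    """'10.2.8-h3' -> (10, 2, 8, 3); a build without a hotfix suffix gets hotfix 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def assess_version(text):
    """Classify a PAN-OS build against the fixed builds listed on this page.

    'not_affected'   - train the vendor lists as unaffected
    'fixed'          - at or above the fixed hotfix for that patch level, or a later
                       maintenance release of an affected train (e.g. 11.1.3)
    'vulnerable'     - below the fixed hotfix for a patch level this page lists
    'check_advisory' - affected train but a patch level this page does not enumerate
                       (the advisory lists further hotfixes), or a train the page
                       says nothing about
    """
    major, minor, patch, hotfix = parse_panos_version(text)
    train = (major, minor)
    if train in NOT_AFFECTED_TRAINS:
        return "not_affected"
    if train not in FIXED_BUILDS:
        return "check_advisory"
    fixes = FIXED_BUILDS[train]
    if patch > max(fixes):
        return "fixed"
    if patch < min(fixes):
        return "check_advisory"  # e.g. 10.2.6 or 11.0.3: hotfix status is not on this page
    return "fixed" if hotfix >= fixes[patch] else "vulnerable"


def is_exposed(version, globalprotect_enabled, device_telemetry_enabled=None):
    """Exploitable when the build is not known-fixed and a GlobalProtect gateway or
    portal is configured. device_telemetry_enabled is accepted so callers can pass
    it but deliberately ignored: the updated advisory says telemetry is not required,
    so it must not be used to downgrade exposure. 'check_advisory' builds are treated
    as exposed until the advisory says otherwise."""
    if not globalprotect_enabled:
        return False
    return assess_version(version) not in ("fixed", "not_affected")


def content_version_covers(text):
    """True if the Applications and Threats content version carries Threat ID 95187."""
    m = _CONTENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised content version string: {text!r}")
    return (int(m.group(1)), int(m.group(2))) >= MIN_CONTENT_VERSION


def triage_show_system_info(output, globalprotect_enabled):
    """Pull 'sw-version:' and 'app-version:' out of `show system info` output
    (field names assumed) and return (version_status, exposed, signature_available)."""
    fields = {}
    for line in output.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    sw = fields["sw-version"]
    return (assess_version(sw),
            is_exposed(sw, globalprotect_enabled),
            content_version_covers(fields["app-version"]))


# Constructed sample; not output captured from a real firewall.
SAMPLE_SHOW_SYSTEM_INFO = """\
hostname: fw-edge-01
sw-version: 10.2.8-h2
app-version: 8833-8682
"""

if __name__ == "__main__":
    print(triage_show_system_info(SAMPLE_SHOW_SYSTEM_INFO, globalprotect_enabled=True))
    for build in ("11.1.2-h3", "11.1.2-h2", "11.0.3", "10.2.9", "10.1.9", "11.2.0"):
        print(build, assess_version(build))
```

The conservative defaults are the point: a build the page cannot vouch for stays "exposed" in `is_exposed`, and the telemetry flag is parsed but never consulted. When the vendor publishes hotfixes for further builds, extend `FIXED_BUILDS` from the advisory rather than loosening the comparison.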
Review the IoCs and attacker behavior described in the Unit42 and Volexity reports, run authenticated vulnerability scans (InsightVM/Nexpose content updates have been released for this CVE), and if you suspect compromise open a support case with Palo Alto Networks so the device logs can be checked against known IoCs. Do not rely on disabling device telemetry as a mitigation.