⚠ Actively exploited in ransomware campaigns

This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply mitigations per vendor instructions as they become available. Otherwise, users with vulnerable versions of affected devices should enable Threat Prevention IDs available from the vendor. See the vendor bulletin for more details and a patch release schedule.. Due date: 2024-04-19.

CVE-2024-3400 — PAN-OS RCE: Improper Input Validation in PAN-OS GlobalProtect

CWE-20 — Improper Input Validation CWE-77 — Command Injection30 documents18 sources

Severity

10.0CRITICALNVD

EPSS

94.3%

top 0.06%

CISA KEV

KEVRansomware

Added 2024-04-12

Due 2024-04-19

Exploit

Exploited in wild

Active exploitation observed

Affected products

Palo Alto Networks Pan-os Paloaltonetworks Pan-os Paloalto Cloud Ngfw +2 more

Timeline

PublishedApr 12

KEV addedApr 12

KEV dueApr 19

Latest updateJan 12

CISA Required Action: Apply mitigations per vendor instructions as they become available. Otherwise, users with vulnerable versions of affected devices should enable Threat Prevention IDs available from the vendor. See the vendor bulletin for more details and a patch release schedule.

Description

A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HExploitability: 3.9 | Impact: 6.0

Affected Packages5 packages

▶Palo Altopaloalto/cloud_ngfw

▶Palo Altopaloalto/prisma_access

▶CVEListV5palo_alto_networks/pan-os10.2.0 — 10.2.9-h1+2

▶NVDpaloaltonetworks/pan-os18 versions+17

▶Palo Altopaloalto/pan-os

🔴Vulnerability Details

CVEList

PAN-OS: Arbitrary File Creation Leads to OS Command Injection Vulnerability in GlobalProtect↗2024-04-12

▶

GHSA

GHSA-v475-xhc9-wfxg: A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature↗2024-04-12

▶

VulnCheck

Palo Alto Networks PAN-OS Command Injection Vulnerability↗2024

▶

💥Exploits & PoCs

Exploit-DB

Palo Alto PAN-OS < v11.1.2-h3 - Command Injection and Arbitrary File Creation↗2024-04-21

▶

Nuclei

GlobalProtect - OS Command Injection

▶

🔍Detection Rules

Suricata

ET WEB_SPECIFIC_APPS Palo Alto GlobalProtect Directory Traversal in Session Cookie (CVE-2024-3400)↗2025-10-02

▶

Suricata

ET WEB_SPECIFIC_APPS Palo Alto GlobalProtect Session Cookie Command Injection Attempt (CVE-2024-3400)↗2024-04-16

▶

Suricata

ET MALWARE Possible UPSTYLE Command Attempt↗2024-04-12

▶

📋Vendor Advisories

CISA

Palo Alto Networks PAN-OS Command Injection Vulnerability↗2024-04-12

▶

Palo Alto

PAN-OS: Arbitrary File Creation Leads to OS Command Injection Vulnerability in GlobalProtect↗2024-04-12

▶

🕵️Threat Intelligence

Bleepingcomputer

CISA urges devs to weed out OS command injection vulnerabilities↗2024-07-10

▶

Volexity

Detecting Compromise of CVE-2024-3400 on Palo Alto Networks GlobalProtect Devices↗2024-05-15

▶

Volexity

Detecting Compromise of CVE-2024-3400 on Palo Alto Networks GlobalProtect Devices↗2024-05-15

▶

Bleepingcomputer

22,500 Palo Alto firewalls "possibly vulnerable" to ongoing attacks↗2024-04-19

▶

Bleepingcomputer

Exploit released for Palo Alto PAN-OS bug used in attacks, patch now↗2024-04-16

▶

📐Framework References

ATT&CK

UPSTYLE↗

▶

ATT&CK

Operation MidnightEclipse↗

▶

💬Community

HackerOne

GlobalProtect - OS Command Injection #█████████↗2026-01-12

▶