CVE-2024-3400

Known Exploited Public Exploit
PAN-OS: Arbitrary File Creation Leads to OS Command Injection Vulnerability in GlobalProtect

Description

A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.

Remediation

Solution:

  • We strongly advise customers to immediately upgrade to a fixed version of PAN-OS to protect their devices even when workarounds and mitigations have been applied. This issue is fixed in PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and in all later PAN-OS versions. Customers who upgrade to these versions will be fully protected.

Workaround:

  • Recommended Mitigation: Customers with a Threat Prevention subscription can block attacks for this vulnerability using Threat IDs 95187, 95189, and 95191 (available in Applications and Threats content version 8836-8695 and later). Please monitor this advisory and new Threat Prevention content updates for additional Threat Prevention IDs around CVE-2024-3400. To apply the Threat IDs, customers must ensure that vulnerability protection has been applied to their GlobalProtect interface to prevent exploitation of this issue on their device. Please see https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184 for more information.

Categories

10.0
CVSS
Severity: Critical
CVSS 3.1 •
EPSS 94.34% Top 5%
KEV Since 
Vendor Advisory paloaltonetworks.com Vendor Advisory paloaltonetworks.com Vendor Advisory paloaltonetworks.com
Affected: Palo Alto Networks PAN-OS
Affected: Palo Alto Networks Cloud NGFW
Affected: Palo Alto Networks Prisma Access
Published at:
Updated at:

References

Link Tags
https://security.paloaltonetworks.com/CVE-2024-3400 vendor advisory
https://unit42.paloaltonetworks.com/cve-2024-3400/ vendor advisory exploit technical description
https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/ third party advisory exploit technical description
https://www.paloaltonetworks.com/blog/2024/04/more-on-the-pan-os-cve/ vendor advisory technical description

Frequently Asked Questions

What is the severity of CVE-2024-3400?
CVE-2024-3400 has been scored as a critical severity vulnerability.
How to fix CVE-2024-3400?
To fix CVE-2024-3400: We strongly advise customers to immediately upgrade to a fixed version of PAN-OS to protect their devices even when workarounds and mitigations have been applied. This issue is fixed in PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and in all later PAN-OS versions. Customers who upgrade to these versions will be fully protected.
Is CVE-2024-3400 being actively exploited in the wild?
It is confirmed that CVE-2024-3400 is actively exploited. Be extra cautious if you are using vulnerable components. According to its EPSS score, there is a ~94% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-3400?
CVE-2024-3400 affects Palo Alto Networks PAN-OS, Palo Alto Networks Cloud NGFW, Palo Alto Networks Prisma Access.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.