PT-2024-2752 · Palo Alto Networks · Pan-Os

Steven Adair · Published 2024-04-12 · Updated 2025-10-14 · CVE-2024-3400

CVSS v3.1: 10
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Palo Alto Networks PAN-OS versions 10.2, 11.0, and 11.1

Description: Palo Alto Networks PAN-OS GlobalProtect contains a command injection vulnerability (CVE-2024-3400) that allows an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. The vulnerability is due to a flaw in the GlobalProtect feature and involves arbitrary file creation. The vulnerability has been actively exploited in the wild since March 26, 2024, with some reports indicating potential state-sponsored activity. Attackers have been observed using a Python backdoor (UPSTYLE) to establish persistence and exfiltrate data. Approximately 22,500 to 133,000 devices are estimated to be potentially vulnerable. The vulnerability has a CVSS score of 10.0, indicating critical severity.

Recommendations: Apply the hotfixes released by Palo Alto Networks to address CVE-2024-3400. Prior to patching, generate a full tech support file from each of your Palo Alto Networks firewalls to preserve artifacts for compromise detection.

Exploit

Fix

RCE

Command Injection

Weakness Enumeration

Related Identifiers

BDU:2024-02881
CVE-2024-3400
GO-2024-2730

Affected Products

Pan-Os