PT-2024-2752 · Palo Alto Networks · Pan-Os

Steven Adair · Published 2024-04-12 · Updated 2025-11-29 · CVE-2024-3400

CVSS v3.1: 10
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Palo Alto Networks PAN-OS versions 10.2, 11.0, and 11.1

Description

The GlobalProtect feature of Palo Alto Networks PAN-OS is affected by a critical command injection vulnerability (CVE-2024-3400) with a CVSS score of 10.0. This vulnerability allows an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. It stems from a path traversal that leads to arbitrary file creation and subsequent command injection. Exploitation has been observed in the wild since March 26, 2024, with threat actors potentially using it for reconnaissance, data exfiltration, and establishing persistence. The vulnerability affects devices with GlobalProtect enabled and telemetry features active. Attackers have been observed exploiting it to deploy malicious payloads, including Python-based backdoors. Approximately 24,000 IP addresses have been observed probing for vulnerable devices.

Recommendations

Apply the hotfixes released by Palo Alto Networks to address CVE-2024-3400, and prioritize patching vulnerable systems. Consider generating a full tech support file from your Palo Alto Networks firewalls before patching, to preserve artifacts for compromise detection.

Exploit · Fix · RCE · Command Injection

Weakness Enumeration

Related Identifiers

BDU:2024-02881
CVE-2024-3400
GO-2024-2730

Affected Products

Pan-Os