CVE-2024-3400 (exploited in the wild)

Palo Alto Networks PAN-OS GlobalProtect, unauthenticated command injection

A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.

Overview

CVE-2024-3400 is a critical unauthenticated command injection vulnerability affecting the GlobalProtect feature in Palo Alto Networks PAN-OS software. The vulnerability allows remote attackers to execute arbitrary commands with root privileges on affected firewalls without any authentication or user interaction. Mass exploitation by a state-aligned threat actor tracked as UTA0218 began in late March 2024, prior to public disclosure.

Technical Details

The vulnerability exists in GlobalProtect's session-cookie handling mechanism. The attack chain involves two distinct components:

  1. Path Traversal / Arbitrary File Write: An attacker crafts a malicious session cookie that PAN-OS writes verbatim to a filesystem path controlled by the attacker.

  2. Command Injection: A separate housekeeping process subsequently passes that file path into a shell context, executing the attacker-controlled content.

Chaining these two behaviors yields unauthenticated root command execution on the firewall. The vulnerability is exploitable only when both GlobalProtect gateway/portal and device telemetry are enabled simultaneously, which is a common production configuration.
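To make the first stage of the chain concrete, the following Python model (added here; it is not PAN-OS code and does not reflect the real daemon's implementation) contrasts a session writer that uses the cookie value as a file name unchecked with one that allow-lists the token and verifies the resolved path stays inside the session directory. The hex-token format and the directory layout are assumptions for the demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumption: a legitimate session token is an opaque hex string.
SESSION_ID_RE = re.compile(r"[0-9a-f]{16,64}")


def write_session_vulnerable(base_dir: str, session_id: str, payload: str) -> str:
    """Stage 1 as the page describes it: the cookie value becomes a file name
    with no validation, so a value containing '../' escapes base_dir."""
    path = os.path.normpath(os.path.join(base_dir, session_id))
    with open(path, "w") as fh:
        fh.write(payload)
    return path


def write_session_hardened(base_dir: str, session_id: str, payload: str) -> str:
    """Same operation with an allow-list on the token and a containment check
    on the resolved path, so traversal sequences never reach the filesystem."""
    if not SESSION_ID_RE.fullmatch(session_id):
        raise ValueError("session id is not a plain hex token")
    base = Path(base_dir).resolve()
    target = (base / session_id).resolve()
    if target.parent != base:
        raise ValueError("session path escapes the session directory")
    target.write_text(payload)
    return str(target)


def demo() -> dict:
    """Run both writers against a constructed traversal cookie inside a
    throwaway directory tree and report what each one did."""
    with tempfile.TemporaryDirectory() as root:
        sessions = os.path.join(root, "sessions")
        os.mkdir(sessions)
        evil = "../escaped.txt"  # constructed hostile cookie value
        good = "a" * 32          # constructed well-formed token
        vuln_path = write_session_vulnerable(sessions, evil, "x")
        try:
            write_session_hardened(sessions, evil, "x")
            hardened_rejected = False
        except ValueError:
            hardened_rejected = True
        safe_path = write_session_hardened(sessions, good, "x")
        return {
            # the unchecked writer landed one level above the session directory
            "vuln_escaped": os.path.dirname(vuln_path) == root,
            "hardened_rejected": hardened_rejected,
            "hardened_wrote": os.path.basename(safe_path) == good and os.path.isfile(safe_path),
        }
```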

Impact

Successful exploitation grants attackers root-level access to the firewall, which is typically the most privileged node in a network. Consequences include:

  • Complete system compromise: Full control over routing, NAT, and IDS/IPS rules
  • Credential theft: Access to runtime_config.xml containing RADIUS shared secrets, LDAP bind passwords, IPSec PSKs, and master keys
  • Lateral movement: Pivoting to Active Directory and internal networks via management interface routes
  • Persistent access: The threat actor UTA0218 deployed an in-memory Python implant called UPSTYLE that survives firewall commit operations by injecting itself into runtime config checks

Initial targeting was selective, focusing on defense, government, and critical infrastructure sectors. Mass scanning began on April 12, 2024, following the advisory release.

Mitigation

  1. Patch immediately to PAN-OS 10.2.9-h1, 11.0.4-h1, 11.1.2-h3 or later versions
  2. If patching is not immediately possible, disable device telemetry as a temporary workaround to break the exploit chain
  3. Rotate all credentials the firewall could access: RADIUS shared secrets, LDAP bind passwords, IPSec PSKs, certificates, and master keys
  4. Review network segmentation around management interfaces

Detection

Hunt for indicators of compromise documented by Volexity:

  • Anomalous entries in /var/log/pan/sslmgr.log
  • Suspicious files under /opt/panlogs/tmp/device_telemetry
  • Outbound connections to known UTA0218 command-and-control infrastructure
  • Evidence of the UPSTYLE implant in memory or runtime configurations