A critical vulnerability, CVE-2024-3400, has been identified in the GlobalProtect component of Palo Alto Networks’ PAN-OS. This zero-day flaw is classified as CWE-77 (Command Injection): improper neutralization of special elements used in a command. Exploitation allows an unauthenticated, remote attacker to execute arbitrary code with root privileges on affected devices.

Vulnerability Details

The vulnerability affects several versions of PAN-OS, specifically 10.2, 11.0, and 11.1. Exploitation was initially thought to require that a GlobalProtect gateway or portal be enabled and that device telemetry also be enabled; it was later clarified that telemetry does not need to be enabled for the vulnerability to be exploited.

Exploitation in the Wild

CVE-2024-3400 has been actively exploited in the wild in a number of sophisticated attacks. Attackers have used the vulnerability to gain complete control of affected firewalls, enabling further network intrusion and data exfiltration. The involvement of state-sponsored threat actors has been suggested, with groups deploying sophisticated backdoors and moving laterally after exploitation.

Mitigation and Remediation

Palo Alto Networks has released patches and updates for the affected versions of PAN-OS. Users are strongly advised to update to the fixed versions:

  • PAN-OS 10.2.9-h1
  • PAN-OS 11.0.4-h1
  • PAN-OS 11.1.2-h3

In addition to patching, applying Threat Prevention signatures (Threat IDs 95187, 95189, and 95191) can help mitigate the risk from this vulnerability.
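
To check a firewall inventory against the fixed versions listed above, the following added example (not Palo Alto Networks' code and not part of the original article) parses PAN-OS version strings and compares them within each release train, flagging devices with a GlobalProtect gateway or portal first. It assumes the three builds on this page are the only fixed ones, so a hotfix on an earlier maintenance release is reported as needing an update and should be confirmed against the vendor advisory; the status names and the sample inventory are constructed.

```python
import re

# Fixed releases exactly as listed on this page, keyed by release train.
FIXED = {"10.2": "10.2.9-h1", "11.0": "11.0.4-h1", "11.1": "11.1.2-h3"}
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse(version):
    """Return (major, minor, maintenance, hotfix); no -hN suffix means hotfix 0."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return tuple(int(part or 0) for part in m.groups())


def status(version, globalprotect_enabled):
    """Classify one firewall against the fixed releases in FIXED."""
    try:
        parsed = parse(version)
    except ValueError:
        return "unknown"  # never report an unparsable version as safe
    train = f"{parsed[0]}.{parsed[1]}"
    if train not in FIXED:
        return "not-listed"  # release train the page does not name
    if parsed >= parse(FIXED[train]):
        return "fixed"
    # Below the fixed build: a GlobalProtect gateway or portal is the exposed
    # component, so those devices go first. Telemetry state is ignored.
    return "update-now" if globalprotect_enabled else "update"


def triage(inventory):
    """Map hostname -> status for (hostname, version, gp_enabled) rows."""
    return {host: status(ver, gp) for host, ver, gp in inventory}


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE = [
    ("fw-edge-01", "10.2.9", True),      # same maintenance release, no hotfix
    ("fw-edge-02", "10.2.9-h1", True),
    ("fw-dc-01", "11.0.3-h10", False),   # hotfix 10 on an older maintenance
    ("fw-dc-02", "11.1.2-h12", True),    # h12 > h3 numerically, not as text
    ("fw-lab-01", "10.1.14", True),
    ("fw-lab-02", "11.1.x", True),
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE).items():
        print(f"{host:12} {result}")
```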


Organizations using the affected products should prioritize applying the provided patches and ensure all security measures are up to date. Monitoring for unusual activity and further securing gateway and perimeter devices are crucial to preventing potential breaches.

This critical vulnerability highlights the need for constant vigilance and prompt action in the face of emerging cyber threats. Organizations are encouraged to review their cybersecurity posture regularly and respond swiftly to advisories concerning vulnerabilities within their operational environments.