Palo Alto PAN-OS GlobalProtect Command Injection (CVE-2024-3400)
CVE-2024-3400 is a critical unauthenticated remote code execution vulnerability (CVSS 10.0) in Palo Alto Networks PAN-OS GlobalProtect gateway. A command injection flaw in the GlobalProtect feature allows an unauthenticated attacker to execute arbitrary OS commands as root by sending specially crafted HTTPS requests. Actively exploited in the wild as part of Operation MidnightEclipse by threat actor UTA0218, attackers have deployed a Python-based backdoor (UPSTYLE) and conducted lateral movement. Affected versions include PAN-OS 10.2.x < 10.2.9-h1, 11.0.x < 11.0.4-h1, and 11.1.x < 11.1.2-h3.
Vulnerability Intelligence
KEV — Known ExploitedAffected Software
- Vendor
- Palo Alto Networks
- Product
- PAN-OS, GlobalProtect
- Versions
- PAN-OS 10.2.x < 10.2.9-h1, PAN-OS 11.0.x < 11.0.4-h1, PAN-OS 11.1.x < 11.1.2-h3
Weakness (CWE)
Timeline
- Disclosed
- April 12, 2024
- Patched
- April 14, 2024
References & Proof of Concept
- https://nvd.nist.gov/vuln/detail/CVE-2024-3400
- https://security.paloaltonetworks.com/CVE-2024-3400
- https://unit42.paloaltonetworks.com/cve-2024-3400/
- https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
CVSS
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
What is CVE-2024-3400 Palo Alto PAN-OS GlobalProtect Command Injection (CVE-2024-3400)?
Palo Alto PAN-OS GlobalProtect Command Injection (CVE-2024-3400) (CVE-2024-3400) maps to the Initial Access and Execution and Persistence and Lateral Movement tactics — the adversary is trying to get into your network in MITRE ATT&CK.
This page provides production-ready detection logic for Palo Alto PAN-OS GlobalProtect Command Injection (CVE-2024-3400), covering the data sources and telemetry it touches: CommonSecurityLog, Syslog, DeviceNetworkEvents, AzureFirewallNetworkRule. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
let suspiciousPaths = dynamic(['/ssl-vpn/hipreport.esp', '/global-protect/portal/css/bootstrap.min.css', '/global-protect/portal/js/']);
let knownBadIPs = dynamic([]);
union
(
CommonSecurityLog
| where DeviceVendor == "Palo Alto Networks"
| where DeviceProduct == "PAN-OS"
| where Activity has_any ("globalprotect", "sslvpn")
| where Message has_any ("cmd", "shell", "python", "wget", "curl", "chmod", "/bin/sh", "base64")
| where RequestURL has_any (suspiciousPaths)
| project TimeGenerated, DeviceAction, SourceIP, DestinationIP, RequestURL, Message, DeviceVersion, Activity
),
(
Syslog
| where Facility == "daemon"
| where SyslogMessage has "GlobalProtect"
| where SyslogMessage has_any ("cmd", "/tmp/", "python3", "wget", "curl", ".sh", "base64", "chmod +x")
| project TimeGenerated, HostName, SyslogMessage
),
(
DeviceNetworkEvents
| where RemoteUrl has_any (suspiciousPaths)
| where InitiatingProcessFileName in~ ("python3", "python", "sh", "bash", "wget", "curl")
| where DeviceName has_any ("panos", "gp-gateway", "panorama")
| project TimeGenerated, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine
)
| extend SuspiciousIndicator = "CVE-2024-3400 GlobalProtect RCE"
| order by TimeGenerated descDetects exploitation attempts of CVE-2024-3400 by correlating PAN-OS/GlobalProtect logs for command injection indicators, suspicious process execution from the gateway daemon, and anomalous outbound connections from known GlobalProtect paths.
Data Sources
Required Tables
False Positives
- Legitimate Palo Alto administrators running diagnostic scripts via CLI may produce similar syslog entries
- Automated vulnerability scanners probing GlobalProtect endpoints may trigger URL-pattern matches
- PAN-OS software updates or HA synchronization tasks may invoke Python or shell processes
Sigma rule & cross-platform mapping
The detection logic for Palo Alto PAN-OS GlobalProtect Command Injection (CVE-2024-3400) (CVE-2024-3400) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
category: network_connection
product: windowsBrowse the community-maintained Sigma rules for this technique:
Platform-specific guides for CVE-2024-3400
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CVE-2024-3400 SESSID Command Injection Probe
Expected signal: PAN-OS traffic log entry with URI /ssl-vpn/hipreport.esp, HTTP 200 or 500 response; system log entry referencing unexpected file path in SESSID parameter
- Test 2UPSTYLE Backdoor Artifact Simulation
Expected signal: File creation event at /opt/panlogs/tmp/device_telemetry/threading/bootstrap.min.css; Python3 process launch from lab shell
- Test 3GlobalProtect Path Enumeration with Command Keywords
Expected signal: Network flow logs showing HTTPS GET requests to /global-protect/* and /ssl-vpn/* paths from the test host; URL parameters containing base64-encoded strings
- Test 4Post-Exploitation Outbound Beacon Simulation
Expected signal: Process telemetry shows python3 making outbound HTTP connections; network telemetry shows repeated periodic connections to the same destination IP from the firewall management process context
Unlock Pro Content
Get the full detection package for CVE-2024-3400 including response playbook, investigation guide, and atomic red team tests.