Emerging Threat

PaloAlto GlobalProtect: Emerging Threat published on Risk Ledger

Learn about the latest emerging threat - Palo Alto GlobalProtect vulnerability that was detailed on April 10, 2024.

PaloAlto GlobalProtect: Emerging Threat published on Risk LedgerPaloAlto GlobalProtect: Emerging Threat published on Risk Ledger

UPDATE: 16-17 April - Rapid7 tech analysis

Source: Rapid7 - CVE-2024-3400

❗❗ Note:The vendor advisory originally indicated that device telemetry needed to be enabled in addition to GlobalProtect Portal or Gateway; as of April 16, the advisory notes that “Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability.” Disabling device telemetry is also no longer considered an effective mitigation.

Rapid7’s analysis identified that this vulnerability is an exploit chain, consisting of two distinct vulnerabilities:

  • an arbitrary file creation vulnerability in the GlobalProtect web server, for which no discrete CVE has been assigned, and
  • a command injection vulnerability in the device telemetry feature, designated as CVE-2024-3400.
    • If device telemetry is disabled, it is still possible to leverage the file creation vulnerability.

Analysis also found that when device telemetry is enabled, a device certificate must be installed for device telemetry to successfully transmit telemetry data back to Palo Alto Networks. This transmission of data functionality is where the command injection vulnerability lies.  During testing to date, the command injection vulnerability could not be triggered without a valid device certificate installed. Transmission of telemetry data only occurs once an hour, per the vendor documentation.

The current vulnerability lies with insecure handling of a SESSID cookie string enabling file creation and command injection in the context of a Linux shell in the GlobalProtect web server.

What can be inferred from Rapid7’s analysis is that although the arbitrary file creation vulnerability was reasonably easy to identify, finding a way to meaningfully exploit that advantage with command injection will have involved significant research and development, probably by someone with access to a PaloAlto GlobalProtect product.

This Rapid7 analysis is publicly available - and replicates the methods used by malware creators to reverse engineer patches to identify how unpatched systems can be exploited.  We may see a surge in exploitation attempts - or development of adjacent vulnerabilities and exploits inspired by this analysis.

Patches are available from the vendor and should be applied urgently. If you are unable to apply patches, apply one of the vendor-supplied mitigations on an emergency basis. Please see the vendor advisory for further information.

Original blog post (15 April 2024)

A command injection vulnerability CVE-2024-3400 in the GlobalProtect feature of PaloAlto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.

PaloAlto have listed vulnerable versions of the product and advised patches and mitigations.

The vulnerability has a CVSSv4.0 Base Score: 10 (Critical)

Exploitation has been observed from 27th March: Some instances may have already been compromised. Customers are advised to open a case in the Palo Alto Customer Support Portal (CSP) and upload a technical support file (TSF) to determine if their device logs match known indicators of compromise (IoC) for this vulnerability.

Threat Description

On April 10, 2024, Volexity identified zero-day exploitation of a vulnerability found within the GlobalProtect feature of PaloAlto Networks PAN-OS.

The threat actor, which Volexity tracks under the alias UTA0218, was able to remotely exploit the firewall device, create a reverse shell, and download further tools onto the device.

As Volexity broadened its investigation, it discovered successful exploitation at multiple other customers and organisations dating back to March 26, 2024. Those attempts appear to be the threat actor testing the vulnerability by placing zero-byte files on firewall devices to validate exploitability. On April 10, 2024, UTA0218 was observed exploiting firewall devices to successfully deploy malicious payloads. The attacker focused on exporting configuration data from the devices, and then leveraging it as an entry point to move laterally within the victim organisations.

A timeline associated with the discovery and subsequent activities can be found in Volexity’s full threat research description here.


The threat is applicable to any organisations that make use of the GlobalProtect VPN feature of PAN-OS, which includes US federal agencies as well as both blue chip enterprises and smaller businesses globally. The number of potentially vulnerable devices ranges from 40K (Shodan) to 133K (Censys).

PaloAlto’s advisory clarifies the status of products in scope: This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) with device telemetry enabled.

Relevance to the Supply Chain

It is important to understand the extent to which your supply chain is affected by this threat, particularly the potential impact from third parties that may use the PaloAlto GlobalProtect gateways or portals. Threat actors may have already exploited these gateways and gained access to underlying supplier systems for data exfiltration or destruction.

What should you do about it

There are immediate actions you should take to protect yourself from this threat.

If you are a PaloAlto customer with GlobalProtect gateways or portals in your environment:

  1. Identify which versions of the product your organisation uses.
  2. Determine whether your product is vulnerable using the Product Status list in this article:
  3. Open a case in the Palo Alto Customer Support Portal (CSP):
    • Upload a technical support file (TSF) to determine if your device logs match known indicators of compromise (IoC) for this vulnerability.
    • If any IoCs are found, follow your Incident Response policies to determine the potential impact on your organisation and your customers.
  4. Apply PaloAlto’s recommended workarounds and mitigations to any vulnerable instances.
  5. Suppliers can self-report their status by logging into Risk Ledger.

If you are a Risk Ledger customer:

  • You can use the Emerging Threat report to monitor whether your suppliers' response to this threat includes any mitigation actions in progress.

Where to find more information

This is an evolving situation. You can keep up to date with the latest information on this threat by following PaloAlto’s advisory.

Emerging Threat

Download for free

By submitting this form, you agree to Risk Ledger’s Terms of Service, Privacy Policy, and Risk Ledger contacting you.

Thank you!
Oops! Something went wrong while submitting the form.
Emerging Threat

Download for free

Pattern Trapezoid Mesh

Join our growing community

Sign up to our monthly newsletter to receive exclusive research and analyses by our experts, the latest case studies from our clients as well as guides, explainers and more to turn your supply chain risk management programme into a resounding success story.