CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect


Our mSOC™ evaluated all devices for managed customers. Preventative and mitigative measures have been rolled out. We have contacted you if further follow-up was needed.


Palo Alto Networks published vulnerability CVE-2024-3400 that allows unauthenticated command injection (RCE) in the GlobalProtect feature of Palo Alto Networks PAN-OS software. Specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.

Am I vulnerable?

First determine if your firewalls are on an affected version:

  • PAN-OS: Lower than 10.2.7-h8
  • PAN-OS: Lower than 10.2.8-h3
  • PAN-OS: Lower than 10.2.9-h1
  • PAN-OS: Lower than 11.0.2-h4
  • PAN-OS: Lower than 11.0.4-h1
  • PAN-OS: Lower than 11.1.2-h3

Next, determine whether your firewalls are configured with a GlobalProtect gateway or a GlobalProtect portal (or both). If yes, you are vulnerable.
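The two checks above can be scripted over a firewall inventory. The following is an added Python example, not ON2IT or Palo Alto Networks code. Its fix table holds only the hotfixes listed on this page; treating maintenance releases newer than the newest listed fix as fixed, reporting release trains not listed here as "check vendor advisory", and the hostnames in the sample inventory are assumptions.

```python
import re

# Fixed hotfix per maintenance release, as listed on this page only.
# Assumption: extend from the vendor advisory as more hotfixes are published.
FIXED = {(10, 2, 7): 8, (10, 2, 8): 3, (10, 2, 9): 1,
         (11, 0, 2): 4, (11, 0, 4): 1, (11, 1, 2): 3}
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse(version):
    """'10.2.7-h3' -> ((10, 2, 7), 3); no '-hN' suffix means hotfix 0."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint)), int(hotfix or 0)

def version_status(version):
    """Return 'affected', 'fixed' or 'unlisted' (release train not on this page)."""
    release, hotfix = parse(version)
    listed = [r for r in FIXED if r[:2] == release[:2]]
    if not listed:
        return "unlisted"
    if release in FIXED:
        return "fixed" if hotfix >= FIXED[release] else "affected"
    # Assumption: newer than the newest listed fix = "or later"; otherwise flag it.
    return "fixed" if release > max(listed) else "affected"

def triage(inventory):
    """inventory: iterable of (hostname, version, globalprotect_configured)."""
    results = {}
    for host, version, gp in inventory:
        status = version_status(version)
        if status == "affected":
            results[host] = "VULNERABLE" if gp else "affected version, no GlobalProtect"
        else:
            results[host] = "fixed" if status == "fixed" else "check vendor advisory"
    return results

# Constructed sample inventory; hostnames are hypothetical.
SAMPLE = [
    ("fw-edge-01", "10.2.7-h3", True),
    ("fw-edge-02", "10.2.9-h1", True),
    ("fw-core-01", "11.0.4", False),
    ("fw-lab-01", "10.1.11", True),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(f"{host}: {verdict}")
```

A release without a hotfix suffix, such as 11.0.4, compares as hotfix 0 and is therefore below 11.0.4-h1.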

What action do I need to take?

  • Upgrade. Upgrade to a fixed version: PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, or later. Hotfixes for other commonly deployed maintenance releases will also be made available to address this issue. Please refer to the Security Advisory released by Palo Alto Networks to confirm the ETA and hotfix version for the installed maintenance release.
  • Threat Prevention. If you have a Threat Prevention subscription, Threat Prevention can block attacks for this vulnerability using Threat IDs 95187, 95189 and 95191 (available in Applications and Threats content version 8835-8689 and later). Monitor the Threat Prevention content updates for additional Threat IDs related to CVE-2024-3400. Also ensure that vulnerability protection has been applied to the GlobalProtect interface to prevent exploitation on devices.

Please refer to this Palo Alto live article for additional information on the configuration actions required to implement vulnerability protection to GlobalProtect interfaces.

Is this vulnerability being actively exploited?

There are reports that this vulnerability is being actively exploited in attacks.

What caused the change in scope of affected devices?

On April 12th, Palo Alto Networks first publicly disclosed details about CVE-2024-3400. Accordingly, ON2IT took mitigative actions to monitor and protect our customers.

On April 16th, Palo Alto Networks added details that one of the criteria (having device telemetry enabled) formerly listed was not a requirement for exploiting this CVE. This resulted in a scope increase of potentially affected devices for this vulnerability.

Read this article for tips on understanding CVE-2024-3400 exploits.

I am an ON2IT customer, but ON2IT did not contact me. Can you confirm I am not vulnerable?

Our mSOC™ evaluated all devices for managed customers. Preventative and mitigative measures have been rolled out. We have contacted you if further follow-up was needed.

For all ON2IT managed customers, the mSOC™ implemented additional monitoring measures to detect exploit attempts. We do expect increased attempts to exploit this CVE in the wild.

I am an ON2IT customer (or want to become one) and need support on this

Please do not hesitate to call our 24/7 available SOC if you need support:


2024-05-06 16:52

Updated CVE-2024-3400 FAQ

2024-04-18 10:07

Updated CVE-2024-3400 FAQ

2024-04-17 15:34

Created CVE-2024-3400 FAQ