CVE REFERENCE | CRITICAL VULNERABILITY
Active ThreatUpdated 13 min read

CVE-2024-3400 Explained: Palo Alto PAN-OS GlobalProtect Command Injection (CVSS 10.0)

A zero-day OS command injection in Palo Alto's GlobalProtect gateway exploited by a state-sponsored threat actor before any patch existed. One unauthenticated HTTP request. Root-level shell on the firewall.

Sources:NVD|Palo Alto Networks Security Advisory PAN-SA-2024-0006|Volexity, Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)|Unit 42 Threat Brief: Operation MidnightEclipse|CISA Advisory AA24-109A
10.0
CVSS Score
0-day
Exploited before patch
Root
Privilege level achieved
None
Authentication required

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

CVE-2024-3400 is an OS command injection vulnerability in Palo Alto Networks PAN-OS scoring CVSS 10.0. It affects the GlobalProtect gateway and portal, the internet-facing VPN and remote access component present on Palo Alto firewalls deployed at tens of thousands of enterprise and government perimeters globally. An unauthenticated attacker sends a single HTTP request containing a crafted SESSID cookie value; PAN-OS passes the value unsanitised into an OS command execution context, achieving root-level code execution on the firewall.

The vulnerability was exploited as a zero-day for at least 17 days before Palo Alto released patches on April 14, 2024. Volexity attributed the exploitation to a state-sponsored threat actor tracked as UTA0218, which deployed a custom Python backdoor named UPSTYLE on compromised devices and exfiltrated configuration data and credentials. CISA added CVE-2024-3400 to the Known Exploited Vulnerabilities catalog the same day as the patch, with a federal remediation deadline of April 19, 2024.

How CVE-2024-3400 Works: Cookie Value to Root Shell

GlobalProtect is Palo Alto's remote access VPN solution, integrated directly into PAN-OS and exposed on the internet-facing interface of the firewall. The vulnerability exists in how GlobalProtect processes the SESSID cookie value in HTTP requests sent to the gateway or portal endpoint.

PAN-OS takes the SESSID value and incorporates it into a shell command without sanitisation. By embedding OS command metacharacters (such as semicolons, backticks, or dollar-sign subshell expressions) into the cookie value, an attacker causes the firewall to execute arbitrary commands as the root user, the highest privilege level on the device. The command runs in the context of the PAN-OS management plane.

The attack requires no authentication token, no valid session, and no prior interaction with the device. Any HTTP request to the GlobalProtect endpoint with a malicious cookie value is sufficient. Because GlobalProtect is internet-facing by design, the attack surface is the public internet.

1

Identify GlobalProtect-enabled Palo Alto devices

Scan for devices responding to GlobalProtect portal or gateway HTTP endpoints. The GlobalProtect login page is publicly accessible on internet-facing Palo Alto firewall interfaces. Shodan indexes tens of thousands of such devices.

2

Send crafted HTTP request with malicious SESSID cookie

Send an unauthenticated HTTP POST to the GlobalProtect endpoint with a SESSID cookie value containing OS command metacharacters and a payload, such as a curl command fetching a reverse shell from an attacker-controlled server.

3

Command executes as root on PAN-OS

PAN-OS incorporates the unsanitised cookie value into a shell command. The injected command executes immediately with root privileges on the management plane of the firewall.

4

Deploy UPSTYLE backdoor for persistence

UTA0218 deployed UPSTYLE, a Python-based backdoor that installs as a systemd service and parses incoming packets for encoded commands. This survives device restarts and is difficult to distinguish from legitimate PAN-OS processes.

5

Exfiltrate configuration and pivot

With root access to the firewall, attackers extract the running configuration (containing all firewall rules, VPN credentials, and certificate private keys), harvest internal routing tables, and use the device as a pivot point for internal network access.

Who Exploited CVE-2024-3400 and What They Targeted

Volexity attributed the zero-day exploitation to UTA0218, a threat actor assessed with moderate confidence as state-sponsored based on the tradecraft, targets, and operational tempo observed. Targeted organisations included US government agencies, defence contractors, telecommunications providers, and critical infrastructure operators.

UTA0218's operational objectives during the zero-day window included exfiltrating PAN-OS configuration files containing firewall rules and plaintext credentials, deploying UPSTYLE for persistent access, harvesting Kerberos credentials via NTLM data accessible through the compromised device, and installing OpenSSH backdoors on internal systems reachable from the firewall. In several confirmed cases, UTA0218 pivoted from the compromised firewall to internal domain controllers within hours of initial compromise.

UTA0218 was focused on exfiltrating data from the device itself as well as leveraging the device as an entry point to further target the victims' internal networks.

Volexity, Operation MidnightEclipse (April 2024)
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Patching and Fully Remediating CVE-2024-3400

Patching the device closes the exploitation path but does not evict an already-present UPSTYLE backdoor or undo credentials and configurations already extracted. Remediation has three mandatory components.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Indicators of Compromise for CVE-2024-3400 / UPSTYLE

Volexity and Unit 42 published IOC sets for UPSTYLE and UTA0218 infrastructure. Key detection points follow.

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

CVE-2024-3400 is the defining perimeter vulnerability of 2024. A CVSS 10.0 unauthenticated RCE in a firewall, the device that is supposed to be the first line of defence, is a category-level failure. The exploitation timeline is the most important lesson: UTA0218 had operational access to compromised networks for up to 17 days before any patch existed, during which they extracted configurations, pivoted to internal systems, and installed persistent backdoors.

Palo Alto is one of the most widely deployed enterprise firewall platforms in the world. If your organisation runs PAN-OS with GlobalProtect enabled and has not verified upgrade to the patched version, patching is the immediate priority. If you were running a vulnerable version during the pre-patch window, treat the device as compromised until you have completed an IOC investigation, rotated all referenced credentials, and confirmed the absence of UPSTYLE or similar backdoors. Patching alone is insufficient if the exploitation window was already used.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is CVE-2024-3400?

CVE-2024-3400 is a CVSS 10.0 OS command injection vulnerability in Palo Alto Networks PAN-OS. An unauthenticated attacker sends a crafted HTTP request containing a malicious SESSID cookie to the GlobalProtect gateway or portal, causing PAN-OS to execute arbitrary OS commands as root. No authentication, no user interaction, and no prior access are required.

Which PAN-OS versions are affected by CVE-2024-3400?

Affected versions: PAN-OS 10.2 (< 10.2.9-h1), PAN-OS 11.0 (< 11.0.4-h1), PAN-OS 11.1 (< 11.1.2-h3). The device must have GlobalProtect gateway or GlobalProtect portal enabled. PAN-OS 10.1 and earlier are not affected. Prisma Access is not affected.

Was CVE-2024-3400 exploited as a zero-day?

Yes. Volexity first identified exploitation on April 10, 2024. Retrospective analysis confirmed exploitation began as early as March 26, 2024, more than two weeks before Palo Alto released the patch. The threat actor (UTA0218) deployed a custom Python backdoor called UPSTYLE across compromised devices during this window.

How do I fix CVE-2024-3400?

Upgrade to PAN-OS 10.2.9-h1, 11.0.4-h1, or 11.1.2-h3 or later. If GlobalProtect is not in use, disable the feature entirely. As a temporary mitigation before patching, Palo Alto published a Threat Prevention signature (Threat ID 95187) that can be enabled on devices with an active Threat Prevention license. This blocks the known exploit pattern but is not a substitute for patching.

What is the UPSTYLE backdoor?

UPSTYLE is a Python-based backdoor deployed by UTA0218 on CVE-2024-3400-compromised PAN-OS devices. It runs as a systemd service, parses incoming network packets for encoded commands, and executes them while writing output to a file that is then served via the web interface. It is designed to blend with legitimate PAN-OS traffic and survive device restarts.

How do I detect if my device was compromised via CVE-2024-3400?

Run Palo Alto's PAN Assurance Assessment to check for known IOCs. Look for unexpected Python processes launched as children of the PAN-OS web server process, files created or modified in /opt/pancfg/mgmt/licenses/ or /usr/lib/python3.6/lib-dynload/, and anomalous outbound connections from the management plane. Palo Alto published a detailed IOC list in their Unit 42 Operation MidnightEclipse threat brief.

Sources & references

  1. NVD
  2. Palo Alto Networks Security Advisory PAN-SA-2024-0006
  3. Volexity, Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)
  4. Unit 42 Threat Brief: Operation MidnightEclipse
  5. CISA Advisory AA24-109A

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.