A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.
The vulnerability results from a combination of arbitrary file creation capability with a command injection flaw (CWE-77) in the GlobalProtect component. An attacker, without any authentication, can craft a network request that results in the creation of a malicious file on the system, followed by execution of embedded system commands with root privileges. The vulnerability affects specific versions of PAN-OS and particular GlobalProtect feature configurations.
The attacker gains full control over the firewall device with root privileges, enabling configuration reading and modification, network traffic interception, lateral movement to the internal network, and permanent compromise of the security infrastructure.
Security patches available from the vendor must be applied immediately in accordance with references published at https://security.paloaltonetworks.com/CVE-2024-3400. Until updates are deployed, it is recommended to verify GlobalProtect configuration and monitor devices for signs of compromise.
Palo Alto Networks PAN-OS — specific versions with active GlobalProtect functionality. The vulnerability does NOT affect Cloud NGFW, Panorama devices, or Prisma Access. Detailed version lists are available in vendor references (security.paloaltonetworks.com/CVE-2024-3400).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HPalo Alto Networks PAN-OS
OSPaloaltonetworks10.2.010.2.110.2.210.2.310.2.410.2.510.2.610.2.710.2.810.2.911.0.011.0.111.0.211.0.311.0.4+ 3 więcej
CISA KEV — detailsi
- Vendori
- Palo Alto Networks ↗
- Producti
- PAN-OS
- Added to KEVi
- April 12, 2024
- Remediation deadline (US Federal)i
- April 19, 2024(overdue)
- Ransomwarei
- Active ransomware campaigns exploit this vulnerability
Apply mitigations per vendor instructions as they become available. Otherwise, users with vulnerable versions of affected devices should enable Threat Prevention IDs available from the vendor. See the vendor bulletin for more details and a patch release schedule.
Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges on the firewall.
Related vulnerabilities
Buffer overflow RCE z uprawnieniami root w PAN-OS Captive Portal
Authentication bypass w PAN-OS umożliwiający przejęcie uprawnień administratora
When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider C...
Palo Alto Networks PAN-OS before 6.1.19, 7.0.x before 7.0.19, 7.1.x before 7.1.14, and 8.0.x before 8.0.6 allo...
A memory corruption vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces tha...