CVE-2024-3400 Explained: Palo Alto PAN-OS GlobalProtect Command Injection (CVSS 10.0)
A zero-day OS command injection in Palo Alto's GlobalProtect gateway exploited by a state-sponsored threat actor before any patch existed. One unauthenticated HTTP request. Root-level shell on the firewall.
CVE-2024-3400 is an OS command injection vulnerability in Palo Alto Networks PAN-OS scoring CVSS 10.0. It affects the GlobalProtect gateway and portal — the internet-facing VPN and remote access component present on Palo Alto firewalls deployed at tens of thousands of enterprise and government perimeters globally. An unauthenticated attacker sends a single HTTP request containing a crafted SESSID cookie value; PAN-OS passes the value unsanitised into an OS command execution context, achieving root-level code execution on the firewall.
The vulnerability was exploited as a zero-day for at least 17 days before Palo Alto released patches on April 14, 2024. Volexity attributed the exploitation to a state-sponsored threat actor tracked as UTA0218, which deployed a custom Python backdoor named UPSTYLE on compromised devices and exfiltrated configuration data and credentials. CISA added CVE-2024-3400 to the Known Exploited Vulnerabilities catalog the same day as the patch, with a federal remediation deadline of April 19, 2024.
How CVE-2024-3400 Works: Cookie Value to Root Shell
GlobalProtect is Palo Alto's remote access VPN solution, integrated directly into PAN-OS and exposed on the internet-facing interface of the firewall. The vulnerability exists in how GlobalProtect processes the SESSID cookie value in HTTP requests sent to the gateway or portal endpoint.
PAN-OS takes the SESSID value and incorporates it into a shell command without sanitisation. By embedding OS command metacharacters (such as semicolons, backticks, or dollar-sign subshell expressions) into the cookie value, an attacker causes the firewall to execute arbitrary commands as the root user — the highest privilege level on the device. The command runs in the context of the PAN-OS management plane.
The attack requires no authentication token, no valid session, and no prior interaction with the device. Any HTTP request to the GlobalProtect endpoint with a malicious cookie value is sufficient. Because GlobalProtect is internet-facing by design, the attack surface is the public internet.
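The mechanics above come down to one mistake: an attacker-controlled cookie value is spliced into a shell command string. The following Python block is an added example (not PAN-OS code and not from the original article) that shows the bug class from a defender's side: a hypothetical `logger` command with the token interpolated, how a POSIX tokenizer sees that string once a `;` is present, the hardened alternative (allowlist validation plus an argv list so no shell parses the value), and a detector that flags SESSID values carrying shell syntax in constructed access-log lines. The SESSID character set, the `logger` command and the log format are all assumptions.

```python
import re
import shlex
import subprocess
import sys

# Allowlist for a session token. The real SESSID format is not documented on
# the page, so this pattern is an assumption used to show the technique.
SESSID_RE = re.compile(r"[A-Za-z0-9_.-]{8,64}")

# Characters a POSIX shell interprets. An opaque token never needs any of them.
SHELL_METACHARS = frozenset(";|&`$(){}<>\n\r\\'\"")

# Constructed access-log shape: the cookie header is quoted after 'cookie='.
# This is not PAN-OS's real log format.
LOG_RE = re.compile(r'^(?P<src>\S+) .*? cookie="SESSID=(?P<sessid>[^"]*)"')


def has_shell_metachars(value: str) -> bool:
    return any(ch in SHELL_METACHARS for ch in value)


def sessid_is_well_formed(value: str) -> bool:
    return SESSID_RE.fullmatch(value) is not None


def vulnerable_command(sessid: str) -> str:
    """The bug class the page describes: the raw cookie value is spliced into
    a shell command string (hypothetical command, later run via sh -c).
    Returned for analysis only; nothing here executes it."""
    return f"logger -t gp session={sessid}"


def shell_tokens(command: str) -> list:
    """How a POSIX-style tokenizer sees the string. A ';' becomes its own
    token, i.e. a command separator, which is the whole injection."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def safe_argv(sessid: str) -> list:
    """Hardened form: validate against the allowlist, then keep the value as a
    single argv element. With shell=False no shell ever tokenizes it."""
    if not sessid_is_well_formed(sessid):
        raise ValueError("malformed session id rejected")
    return ["logger", "-t", "gp", f"session={sessid}"]


def flag_suspicious_sessids(log_lines):
    """Detection over access-log lines: 'metachar' when shell syntax is present,
    'malformed' when the value falls outside the allowlist. Returns
    (source, reason, value) tuples for the non-clean requests."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        sessid = m.group("sessid")
        if has_shell_metachars(sessid):
            findings.append((m.group("src"), "metachar", sessid))
        elif not sessid_is_well_formed(sessid):
            findings.append((m.group("src"), "malformed", sessid))
    return findings


# Constructed sample lines (RFC 5737 documentation addresses, placeholder path).
SAMPLE_LOG = [
    '203.0.113.7 - "POST /gp-endpoint-placeholder HTTP/1.1" cookie="SESSID=a1b2c3d4e5f6a7b8"',
    '198.51.100.23 - "POST /gp-endpoint-placeholder HTTP/1.1" cookie="SESSID=abc`id`"',
    '203.0.113.9 - "POST /gp-endpoint-placeholder HTTP/1.1" cookie="SESSID=xyz$(id)"',
    '192.0.2.5 - "POST /gp-endpoint-placeholder HTTP/1.1" cookie="SESSID=short!"',
]

if __name__ == "__main__":
    print(shell_tokens(vulnerable_command("abc;id")))   # ';' is a separate token
    for finding in flag_suspicious_sessids(SAMPLE_LOG):
        print(*finding)
    # Runtime proof that argv does not parse metacharacters: the child (this
    # interpreter) echoes argv[1] back unchanged, semicolon included.
    out = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", "abc;id"],
        capture_output=True, text=True, check=True,
    ).stdout
    print(out)
```

The detector deliberately reports two tiers: shell metacharacters are a strong signal on their own, while a merely malformed token is worth a look but could be a client bug. The allowlist check runs before anything else in `safe_argv`, so the argv construction is defense in depth rather than the only control.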
Identify GlobalProtect-enabled Palo Alto devices
Scan for devices responding to GlobalProtect portal or gateway HTTP endpoints. The GlobalProtect login page is publicly accessible on internet-facing Palo Alto firewall interfaces. Shodan indexes tens of thousands of such devices.
Send crafted HTTP request with malicious SESSID cookie
Send an unauthenticated HTTP POST to the GlobalProtect endpoint with a SESSID cookie value containing OS command metacharacters and a payload — such as a curl command fetching a reverse shell from an attacker-controlled server.
Command executes as root on PAN-OS
PAN-OS incorporates the unsanitised cookie value into a shell command. The injected command executes immediately with root privileges on the management plane of the firewall.
Deploy UPSTYLE backdoor for persistence
UTA0218 deployed UPSTYLE — a Python-based backdoor that installs as a systemd service and parses incoming packets for encoded commands. This survives device restarts and is difficult to distinguish from legitimate PAN-OS processes.
Exfiltrate configuration and pivot
With root access to the firewall, attackers extract the running configuration (containing all firewall rules, VPN credentials, and certificate private keys), harvest internal routing tables, and use the device as a pivot point for internal network access.
Who Exploited CVE-2024-3400 and What They Targeted
Volexity attributed the zero-day exploitation to UTA0218, a threat actor assessed with moderate confidence as state-sponsored based on the tradecraft, targets, and operational tempo observed. Targeted organisations included US government agencies, defence contractors, telecommunications providers, and critical infrastructure operators.
UTA0218's operational objectives during the zero-day window included exfiltrating PAN-OS configuration files containing firewall rules and plaintext credentials, deploying UPSTYLE for persistent access, harvesting Kerberos credentials via NTLM data accessible through the compromised device, and installing OpenSSH backdoors on internal systems reachable from the firewall. In several confirmed cases, UTA0218 pivoted from the compromised firewall to internal domain controllers within hours of initial compromise.
“UTA0218 was focused on exfiltrating data from the device itself as well as leveraging the device as an entry point to further target the victims' internal networks.”
— Volexity, Operation MidnightEclipse (April 2024)
Patching and Fully Remediating CVE-2024-3400
Patching the device closes the exploitation path but does not evict an already-present UPSTYLE backdoor or undo credentials and configurations already extracted. Remediation has three mandatory components.
Upgrade to patched PAN-OS versions immediately
PAN-OS 10.2.9-h1 or later, 11.0.4-h1 or later, 11.1.2-h3 or later. Verify via the CLI with `show system info | match sw-version`. If the device ran vulnerable firmware in an internet-exposed state, treat it as potentially compromised regardless of whether you observed active exploitation.
Apply Threat Prevention signature as a bridge measure
Devices with an active Threat Prevention subscription can enable Threat ID 95187 (available in content version 8833-8682 or later) to block the known SESSID exploit pattern. Enable via Security Profiles > Vulnerability Protection. This is a mitigation only — not a substitute for patching.
Run Palo Alto's IOC check and investigate for UPSTYLE
Run Palo Alto's published detection commands to check for UPSTYLE indicators. Look for unexpected files in /opt/pancfg/mgmt/licenses/ and /usr/lib/python3.6/lib-dynload/. Check for Python processes with unusual parent-child relationships to the PAN-OS web server process (configd).
Rotate all credentials accessible from the device
The running configuration contains all credentials referenced by firewall policy — LDAP/AD bind credentials, RADIUS secrets, IPsec pre-shared keys, SSL private keys, and local admin passwords. Rotate all of them. Revoke and reissue SSL certificates. This is mandatory even if no compromise is confirmed.
Disable GlobalProtect if not in use
If GlobalProtect is enabled but not actively used, disable the gateway and portal. CVE-2024-3400 only affects devices with GlobalProtect gateway or portal configured. Removal of the attack surface is the most complete mitigation for devices that cannot immediately patch.
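Comparing a PAN-OS version string against the fixed releases is easy to get wrong because of the `-hN` hotfix suffix (10.2.9 without a hotfix is still older than 10.2.9-h1). The block below is an added example, not from the article or from Palo Alto, that parses the `sw-version` line from `show system info | match sw-version`, compares it against the first fixed release of each affected train listed above, and folds in the page's condition that only devices with GlobalProtect gateway or portal configured are exposed. The assumption that version strings follow `major.minor.maint[-hN]` and that the CLI line reads `sw-version: 10.2.8` is mine; trains not listed on the page are treated as unaffected.

```python
import re
from typing import NamedTuple


class PanOsVersion(NamedTuple):
    major: int
    minor: int
    maint: int
    hotfix: int  # 0 when there is no -hN suffix


# Assumption: PAN-OS versions look like "10.2.8" or "10.2.9-h1".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?")

# First fixed release per affected train, as listed on the page.
FIRST_FIXED = {
    (10, 2): PanOsVersion(10, 2, 9, 1),
    (11, 0): PanOsVersion(11, 0, 4, 1),
    (11, 1): PanOsVersion(11, 1, 2, 3),
}


def parse_version(text: str) -> PanOsVersion:
    m = VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return PanOsVersion(int(major), int(minor), int(maint), int(hotfix or 0))


def version_from_cli(output: str) -> PanOsVersion:
    """Pull the version out of `show system info | match sw-version` output.
    Assumes a line of the form 'sw-version: 10.2.8'."""
    m = re.search(r"sw-version:\s*(\S+)", output)
    if m is None:
        raise ValueError("no sw-version line in output")
    return parse_version(m.group(1))


def is_vulnerable_version(v: PanOsVersion) -> bool:
    """True when the version sits in an affected train and is older than that
    train's first fixed release. Tuple comparison handles the hotfix field,
    so 10.2.9 (hotfix 0) correctly sorts below 10.2.9-h1. Trains not listed
    (10.1 and earlier per the page) are treated as not affected."""
    fixed = FIRST_FIXED.get((v.major, v.minor))
    return fixed is not None and v < fixed


def assess(cli_output: str, globalprotect_configured: bool) -> str:
    """Combine the version check with the page's exposure condition."""
    v = version_from_cli(cli_output)
    if not is_vulnerable_version(v):
        return "patched-or-unaffected"
    if not globalprotect_configured:
        return "vulnerable-version-no-globalprotect"
    return "exposed-treat-as-potentially-compromised"


# Constructed CLI output for a device on a vulnerable 10.2 build.
SAMPLE_CLI_OUTPUT = "sw-version: 10.2.8\n"

if __name__ == "__main__":
    print(assess(SAMPLE_CLI_OUTPUT, globalprotect_configured=True))
```

The "exposed" verdict is the one the page says should trigger the full remediation path, not just an upgrade: IOC investigation and credential rotation follow, because the version check only tells you the window existed, not whether it was used.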
Indicators of Compromise for CVE-2024-3400 / UPSTYLE
Volexity and Unit 42 published IOC sets for UPSTYLE and UTA0218 infrastructure. Key detection points follow.
| Artifact | Type | What to Look For |
|---|---|---|
| UPSTYLE backdoor — /usr/lib/python3.6/lib-dynload/system.pth | PAN-OS filesystem — Python path file | Check for unexpected .pth files importing external modules |
| UPSTYLE service entry in /etc/systemd/system/ | PAN-OS filesystem — systemd unit | Unexpected Python-based systemd service not matching PAN-OS default units |
| 136.144.17.x, 173.239.218.x (documented UTA0218 C2 ranges) | Network — outbound firewall management plane connections | Anomalous outbound HTTPS from management plane to these ranges |
| Unusual child processes of configd or the web server process | PAN-OS process table | Python3 child processes spawned by configd outside normal operation |
Full hashes and IOC lists are available via the Cisco Talos GitHub repository.
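Two rows of the table above can be turned into repeatable checks: the `.pth` artefact and the process-tree artefact. This is an added example, not code from the article, Volexity or Unit 42, and it does not claim to match UPSTYLE's actual contents. It relies on a documented CPython behaviour: when `site.py` processes a `.pth` file, any non-comment line beginning with `import ` (or `import` followed by a tab) is executed at interpreter start-up, while every other line is treated as a `sys.path` entry. The directories and the `configd` parent name come from the table; the sample `.pth` contents and `ps` output are constructed.

```python
# Directories the page's IOC table associates with UPSTYLE artefacts.
WATCHED_PTH_DIRS = ("/usr/lib/python3.6/lib-dynload/", "/opt/pancfg/mgmt/licenses/")
# Parent process name the page's table calls out for unexpected Python children.
SUSPICIOUS_PARENTS = frozenset({"configd"})


def pth_import_lines(content: str):
    """Return (lineno, line) for every line CPython's site.py would exec():
    a non-comment line starting with 'import ' or 'import\\t'. Any other
    non-blank line is only appended to sys.path and cannot run code."""
    hits = []
    for lineno, line in enumerate(content.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith(("import ", "import\t")):
            hits.append((lineno, line))
    return hits


def classify_pth(path: str, content: str) -> str:
    """'high' for a code-executing .pth under a directory the page flags,
    'review' for one anywhere else (legitimate installers such as setuptools
    also ship import lines, so this is a triage queue, not a verdict),
    'ok' for a plain list of paths."""
    if not pth_import_lines(content):
        return "ok"
    if path.startswith(WATCHED_PTH_DIRS):
        return "high"
    return "review"


def python_children_of(ps_output: str, parents=SUSPICIOUS_PARENTS):
    """Parse `ps -eo pid,ppid,comm`-style text (header line first) and return
    the PIDs of python* processes whose parent's command name is in `parents`."""
    comm_by_pid, rows = {}, []
    for line in ps_output.strip().splitlines()[1:]:
        pid, ppid, comm = line.split(None, 2)
        comm_by_pid[pid] = comm
        rows.append((pid, ppid, comm))
    return [pid for pid, ppid, comm in rows
            if comm.startswith("python") and comm_by_pid.get(ppid) in parents]


# Constructed samples. None of these are real UPSTYLE contents.
BENIGN_PTH = "/usr/lib/python3.6/site-packages/vendor\n"
INSTALLER_STYLE_PTH = "import os; os.environ.setdefault('EXAMPLE_VAR', 'placeholder')\n"
SUSPECT_PTH = "import base64, os; exec(base64.b64decode(b'PLACEHOLDER'))\n"
PS_SAMPLE = """\
  PID  PPID COMMAND
    1     0 init
  812     1 configd
  901   812 python3
  950     1 sshd
  960     1 python3
"""

if __name__ == "__main__":
    print(classify_pth("/usr/lib/python3.6/site-packages/vendor.pth", BENIGN_PTH))
    print(classify_pth("/usr/lib/python3.6/site-packages/setup-hook.pth", INSTALLER_STYLE_PTH))
    print(classify_pth("/usr/lib/python3.6/lib-dynload/system.pth", SUSPECT_PTH))
    print(python_children_of(PS_SAMPLE))
```

On a real device you would feed `classify_pth` every `.pth` file on the interpreter's `sys.path` and compare the "review" set against a known-good build, since a packaging hook and a loader look identical to this heuristic until you read the line. The process check is a point-in-time snapshot; UPSTYLE's systemd persistence (row two of the table) means the unit files need their own review.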
The bottom line
CVE-2024-3400 is the defining perimeter vulnerability of 2024. A CVSS 10.0 unauthenticated RCE in a firewall — the device that is supposed to be the first line of defence — is a category-level failure. The exploitation timeline is the most important lesson: UTA0218 had operational access to compromised networks for up to 17 days before any patch existed, during which they extracted configurations, pivoted to internal systems, and installed persistent backdoors.
Palo Alto is one of the most widely deployed enterprise firewall platforms in the world. If your organisation runs PAN-OS with GlobalProtect enabled and has not verified upgrade to the patched version, patching is the immediate priority. If you were running a vulnerable version during the pre-patch window, treat the device as compromised until you have completed an IOC investigation, rotated all referenced credentials, and confirmed the absence of UPSTYLE or similar backdoors. Patching alone is insufficient if the exploitation window was already used.
Frequently asked questions
What is CVE-2024-3400?
CVE-2024-3400 is a CVSS 10.0 OS command injection vulnerability in Palo Alto Networks PAN-OS. An unauthenticated attacker sends a crafted HTTP request containing a malicious SESSID cookie to the GlobalProtect gateway or portal, causing PAN-OS to execute arbitrary OS commands as root. No authentication, no user interaction, and no prior access are required.
Which PAN-OS versions are affected by CVE-2024-3400?
Affected versions: PAN-OS 10.2 (< 10.2.9-h1), PAN-OS 11.0 (< 11.0.4-h1), PAN-OS 11.1 (< 11.1.2-h3). The device must have GlobalProtect gateway or GlobalProtect portal enabled. PAN-OS 10.1 and earlier are not affected. Prisma Access is not affected.
Was CVE-2024-3400 exploited as a zero-day?
Yes. Volexity first identified exploitation on April 10, 2024. Retrospective analysis confirmed exploitation began as early as March 26, 2024 — more than two weeks before Palo Alto released the patch. The threat actor (UTA0218) deployed a custom Python backdoor called UPSTYLE across compromised devices during this window.
How do I fix CVE-2024-3400?
Upgrade to PAN-OS 10.2.9-h1, 11.0.4-h1, or 11.1.2-h3 or later. If GlobalProtect is not in use, disable the feature entirely. As a temporary mitigation before patching, Palo Alto published a Threat Prevention signature (Threat ID 95187) that can be enabled on devices with an active Threat Prevention license. This blocks the known exploit pattern but is not a substitute for patching.
What is the UPSTYLE backdoor?
UPSTYLE is a Python-based backdoor deployed by UTA0218 on CVE-2024-3400-compromised PAN-OS devices. It runs as a systemd service, parses incoming network packets for encoded commands, and executes them while writing output to a file that is then served via the web interface. It is designed to blend with legitimate PAN-OS traffic and survive device restarts.
How do I detect if my device was compromised via CVE-2024-3400?
Run Palo Alto's PAN Assurance Assessment to check for known IOCs. Look for unexpected Python processes launched as children of the PAN-OS web server process, files created or modified in /opt/pancfg/mgmt/licenses/ or /usr/lib/python3.6/lib-dynload/, and anomalous outbound connections from the management plane. Palo Alto published a detailed IOC list in their Unit 42 Operation MidnightEclipse threat brief.
Sources & references
- NVD
- Palo Alto Networks Security Advisory PAN-SA-2024-0006
- Volexity — Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)
- Unit 42 Threat Brief: Operation MidnightEclipse
- CISA Advisory AA24-109A

Founder & Cybersecurity Evangelist, Decryption Digest
