CVE-2024-3400
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Description
A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.
Analysis
The GlobalProtect feature of Palo Alto Networks PAN-OS contains a command injection via arbitrary file creation (CVSS 10.0) that allows unauthenticated root-level RCE. It triggered an emergency patching directive from CISA in April 2024.
Technical Context
The CWE-20 vulnerability allows unauthenticated attackers to create arbitrary files on the firewall through the GlobalProtect portal/gateway. The file creation capability is leveraged for command injection, achieving root-level code execution on the PAN-OS device.
Affected Products
Palo Alto Networks PAN-OS with GlobalProtect enabled (specific versions)
Remediation
Apply PAN-OS hotfixes immediately. Disable GlobalProtect portal/gateway if not critical. Check for IoCs including suspicious cron jobs and modified configurations. Rotate all credentials accessible from the firewall.