CVE-2024-3400
PAN-OS: Arbitrary File Creation Leads to OS Command Injection Vulnerability in GlobalProtect
In short
A flaw in Palo Alto Networks' GlobalProtect feature allows unauthenticated attackers to create files on the firewall, which can then be used to inject commands and take complete control of the device with root-level access.
Technical detail
An unauthenticated remote attacker can exploit improper input validation (CWE-20) and command injection (CWE-77) in GlobalProtect to create arbitrary files on the firewall, leading to OS command injection with root privileges. Exploitation requires specific PAN-OS versions and feature configurations; Cloud NGFW, Panorama, and Prisma Access are not affected.
Summary generated and translated by AI from the official description.
A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.
Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected products
Palo Alto Networks · Cloud NGFW
Palo Alto Networks · PAN-OS
Palo Alto Networks · Prisma Access
public PoCs found — 43
github github.com/h4x0r-dz/CVE-2024-3400 ★ 161
github github.com/W01fh4cker/CVE-2024-3400-RCE-Scan ★ 90
github github.com/0x0d3ad/CVE-2024-3400 ★ 70
github github.com/ihebski/CVE-2024-3400 ★ 33
github github.com/Chocapikk/CVE-2024-3400 ★ 15
github github.com/momika233/CVE-2024-3400 ★ 13
github github.com/Yuvvi01/CVE-2024-3400 ★ 11
github github.com/ak1t4/CVE-2024-3400 ★ 9
github github.com/AdaniKamal/CVE-2024-3400 ★ 7
github github.com/schooldropout1337/CVE-2024-3400 ★ 6
github github.com/0xr2r/CVE-2024-3400-Palo-Alto-OS-Command-Injection ★ 6
github github.com/zam89/CVE-2024-3400-pot ★ 6
github github.com/retkoussa/CVE-2024-3400 ★ 5
github github.com/HackingLZ/panrapidcheck ★ 2
github github.com/CerTusHack/CVE-2024-3400-PoC ★ 2
github github.com/ZephrFish/CVE-2024-3400-Canary ★ 2
github github.com/swaybs/CVE-2024-3400 ★ 2
github github.com/marconesler/CVE-2024-3400 ★ 2
github github.com/CONDITIONBLACK/CVE-2024-3400-POC ★ 1
github github.com/Zedocun/PAN-OS-CVE-2024-3400-Command-Injection-Investigation ★ 1
github github.com/wa6n3r/CVE-2024-3400 ★ 1
github github.com/hashdr1ft/SOC274-Palo-Alto-Networks-PAN-OS-Command-Injection-Vulnerability-Exploitation-CVE-2024-3400 ★ 1
github github.com/sxyrxyy/CVE-2024-3400-Check ★ 0
github github.com/Ravaan21/CVE-2024-3400 ★ 0
github github.com/tfrederick74656/cve-2024-3400-poc ★ 0
github github.com/pwnj0hn/CVE-2024-3400 ★ 0
github github.com/MurrayR0123/CVE-2024-3400-Compromise-Checker ★ 0
github github.com/Kr0ff/cve-2024-3400 ★ 0
github github.com/MrR0b0t19/CVE-2024-3400 ★ 0
github github.com/terminalJunki3/CVE-2024-3400-Checker ★ 0
github github.com/LoanVitor/CVE-2024-3400- ★ 0
github github.com/andrelia-hacks/CVE-2024-3400 ★ 0
github github.com/ivan-n0v/cve-2024-3400 ★ 0
github github.com/workshop748/CVE-2024-3400 ★ 0
github github.com/CyprianAtsyor/letsdefend-cve2024-3400-case-study ★ 0
github github.com/CyberBibs/SOC274---Palo-Alto-Networks-PAN-OS-Command-Injection-Vulnerability-Exploitation-CVE-2024-3400- ★ 0
github github.com/Yafiah-Darwesh/cs50-cyber-paloalto-oauth ★ 0
github github.com/index2014/CVE-2024-3400-Checker ★ 0
github github.com/FoxyProxys/CVE-2024-3400 ★ 0
github github.com/hahasagined/CVE-2024-3400 ★ 0
github github.com/codeblueprint/CVE-2024-3400 ★ 0
github github.com/P4rC3L/Global-Protect_VPN_Vuln ★ 0
exploitdb www.exploit-db.com/exploits/51996 unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
https://security.paloaltonetworks.com/CVE-2024-3400
https://unit42.paloaltonetworks.com/cve-2024-3400/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-3400
https://www.paloaltonetworks.com/blog/2024/04/more-on-the-pan-os-cve/
https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/