CVE-2024-3400: Critical Vulnerability in GlobalProtect Feature of PAN-OS being Actively Exploited

Share :

On April 12, 2024, Palo Alto Networks published a security advisory detailing an actively exploited maximum severity vulnerability (CVE-2024-3400, CVSS: 10.0) affecting the GlobalProtect feature of PAN-OS. This vulnerability affects PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls when configurations for both GlobalProtect gateway and device telemetry are enabled. An unauthenticated remote threat actor can exploit this vulnerability to execute arbitrary code with root privileges on the firewall. 

CVE-2024-3400 does not impact Cloud NGFW, Panorama appliances, or Prisma Access, nor other PAN-OS versions. Palo Alto Networks is currently in the process of developing patches for the affected versions of PAN-OS which are expected to release by April 14, 2024. In the meantime, they have provided several recommended actions and workarounds to mitigate potential risks. 

This vulnerability was identified as a zero-day by Volexity, which during its investigation, discovered the threat actor, UTA0218, installing a custom Python backdoor named UPSTYLE on firewall devices. Following the initial breach, the threat actor downloaded additional tools from remote servers controlled by the compromised devices to gain deeper access into victims’ internal networks. Subsequent lateral movements within these networks allowed the extraction of sensitive credentials and files. 

Notably, this is not the first time threat actors have targeted GlobalProtect; a similar vulnerability (CVE-2019-1579) was exploited in 2019. Given its widespread use for remote access to corporate networks globally, GlobalProtect remains an enticing target for threat actors. 

Recommendation for CVE-2024-3400

Follow Palo Alto Networks Guidance Until Release of Fixed PAN-OS Versions

Arctic Wolf strongly recommends upgrading the affected versions once available by April 14, 2024. Palo Alto Networks announced that the vulnerability will be mitigated in the upcoming hotfix releases of PAN-OS. 

Product  Affected Version  Fixed Version 
PAN-OS 11.1  Versions prior to 11.1.2-h3  Under development and expected to be released by April 14, 2024. 
PAN-OS 11.0  Versions prior to 11.0.4-h1 
PAN-OS 10.2  Versions prior to 10.2.9-h1 


Until the patch is available, Palo Alto Networks advises customers with a Threat Prevention subscription to safeguard against vulnerability-related attacks by activating Threat ID 95187. This measure was introduced in Applications and Threats content version 8833-8682. Furthermore, it’s essential to confirm that vulnerability protection has been implemented on your GlobalProtect interface to prevent any attempts to exploit the vulnerability on the device. 

Workaround (Optional) 

If unable to perform the recommended approach to mitigate the vulnerability, Palo Alto Networks recommends temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version. Once upgraded, re-enable the device telemetry. 


  1. Palo Alto Networks Security Advisory: CVE-2024-3400 
  2. Volexity CVE-2024-3400 Exploitation Report 
  3. Applying Vulnerability Protection on GlobalProtect Interfaces 
  4. Disabling Device Telemetry 
  5. Palo Alto Networks Security Advisory: CVE-2019-1579 
Picture of Andres Ramos

Andres Ramos

Andres Ramos is a Threat Intelligence Researcher at Arctic Wolf with a strong background in tracking emerging threats and producing actionable intelligence for both technical and non-technical stakeholders. He has a diverse background encompassing various domains of cyber security, holds a degree in Cybersecurity Engineering, and is a CISSP.
Share :
Table of Contents
Subscribe to our Monthly Newsletter